Xero finally brings in two-factor authentication

Online accounting company Xero said it will enable two-factor authentication (2FA) this week, around two years after its customers began demanding the security feature to protect their accounts from unauthorised access.

Xero head of security Paul Macpherson said the feature would help customers ensure their accounts are not compromised by phishing scams and malware.

"Protecting our customers’ information and business data is our number one priority," Macpherson said in a statement.

“That’s why we’ve enhanced Xero to include another layer of control that will make it significantly more difficult for anyone other than the Xero account holder to access their information."

Xero will use RFC 6238 time-based one-time passwords (TOTP) for the 2FA feature, with customers required to install the Google Authenticator app on their smartphones.

Larger organisations with multiple users can enable 2FA on a per-user basis.

Xero has been slow to respond to "gobsmacked" customers demanding the additional security measure since 2013. Last year, Xero product manager Andrew Tokeley told iTnews 2FA was not a priority to implement for the company compared to other highly requested features.

However, after a phishing campaign in October this year that saw some accounts compromised and passwords reset, Xero Australia managing director Chris Ridd said 2FA would be introduced along with further user security education initiatives.

The company has 600,000 subscribers in more than 180 countries.