MFA | Remove requirement to use
Get rid of this stupid MFA on EVERY sign in.
It used to be monthly which was bad enough, now it is a constant pain having to use an authentication device just to get access to Xero. MFA is a complete waste of user time. My bank doesn't use it and I trust them not to lose my money, so why does accounting software need it?
If the ATO insists on it with their stupid STP, then link it to STP and nothing else.
-
Jordan Tanner commented
Xero MFA is unbelievably aggressive. More so than any other software platform I use, by a very long way.
At least offer users the ability to relax or extend the timeout period.
-
Darcy Holts commented
I am not married to this accounting software. I liked it, but with MFA, it's cumbersome, annoying and frustrating. Link it to my phone number, send me a text like every other banking institute. I am not sure why an accounting software with read-only capabilities to my bank account would need a higher form of security than my bank! This has to be changed. Otherwise you're losing this customer. Yes, it's that much of a PITA.
-
Darren Thomas commented
I am still baffled by the cumbersome nature and pointless use of MFA with an authentication app too. What next, a XeroID app? The cost of Xero to the everyday user keeps going up while inbuilt security goes down.
-
Peter Kunzli commented
Xero are frauds in this matter. I use a lot of different accounting software as a professional bookkeeper and BAS agent. Other software either does not use this MFA rubbish, or limits it to either 30 days validity or only when you actually use the ATO reporting function.
It is a complete pain having to put in another code every time. The password is sufficient, or if the password isn't sufficient then why have a password in the first place?
Yet another failing of this rather shoddy software.
You get what you pay for unfortunately, except Xero isn't even that cheap any more.
-
Chris Cataldo commented
This is extremely annoying and it's not normal to be asked for MFA every single hour.
I logged a support ticket and was advised:
"The multi factor authentication to not have Xero open without a password for more than one hour is a requirement from the ATO. We're unable to extend our log-out time past 60 minutes, as we do hold a lot of sensitive information including bank data and we're required to be as secure as online banking."
The information provided was not accurate as the ATO do not stipulate this. Below is the ATO link Xero provided me, which states "Remember me functionality must be limited to less than 24 hours."
https://softwaredevelopers.ato.gov.au/RequirementsforDSPs
Xero should hide the Remember me button as it clearly has no function whatsoever.
-
David Sellar commented
Xero allows biometric login on my phone, why not on my laptop and desktop? I use facial recognition to log in to my computer, so I'm sure it would be an easy hook up.
-
Daniel Reynolds commented
In reality, a recognised device such as the browser/PC could be used as a secondary factor, which would then meet the ATO obligations.
-
Darren Thomas commented
Absolute waste of time. With all the other security options available between ATO/Xero/user this is ruining the user experience.
It needs to be changed or I will be disconnecting ATO.
-
Peter Kunzli commented
Further to this, MYOB doesn't require MFA EVERY time you log in (so Xero are lying when saying it is an ATO requirement). Nor do MYOB have a silly check box "trust this device".
Plus MYOB allow you to properly reconcile EVERY account.
Therefore MYOB remain as the best accounting software available.
Xero really need to do better.
And my bank doesn't require MFA every day I log in, not when doing regular transactions. Plus accounting software isn't a bank. I bet Xero get virtually no attempts to gain access to people's accounting.
-
Brendan Helsham commented
Whilst OP clearly doesn't understand the necessity for MFA in today's world (and I bet your bank does use it when making a payment to a new payee for example), the daily requirement with Xero is a pain in the ****. There should be the ability to 'trust' a device for longer than 24 hours and also associate it with the user's WAN IP address (assuming it is a static IP in a business).