Multi-Factor Authentication: Support for third party push notifications
With the recent changes to MFA dropping the remember devices from 30 days to 24 hours, the MFA prompt now appears far more often (which is of course more secure); however, it does slow down login.
Could you please look at updating the MFA configuration to allow push notifications to the mobile authentication app, or better still the number match, which is far more secure. Examples from Microsoft are below, but the principle would apply in most major platforms.
https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
This would improve the user experience over the token, but also improve the security overall.
Thanks
Dave
-
Tim Rutter commented
Why has Xero merged the separate topic of 'WebAuthn - passwordless, 1 step, 2FA' into this idea?
This idea is not the same, and the Microsoft dev article does not even mention WebAuthn even though it's been a standard for 8 years.
For best authentication practices just go copy how Google does it!
Mainly choice of 2FA/MFA
- Passkey / WebAuthn < Xero does not support
- Hardware FIDO2 keys < Xero does not support
- OATH RFC6238 TOTP < Only one device supported
- In app prompt via push < Xero does not support
- SMS TOTP < Xero does not support
- Email TOTP < Xero does not support
- Backup OTP Codes < Xero does not support
Google supports any and all of these, in any mix at the user's (or Workspace admin's) preference.
Google allows multiple of the same type to be used, i.e. two OATH apps or multiple hardware FIDO2 keys. All very easily audited, each method can be separately removed and is tracked when it was used.
Whereas Xero currently only supports a single OATH device/app. :'(
Microsoft's short number match is very insecure, nobody else in the industry uses this method!
If you want Microsoft's short number match to be supported, it would be better for Xero to integrate single sign-on OAuth with Microsoft, Google, and other auth providers.
-
Dan Charlesworth commented
In 2022 this was "Important". By the end of 2024 this will rate as 'Critical' for my company. Let's hope this gets some traction soon.
-
Kevin Strel commented
One of Xero's shortcomings is that I need to login so many times each day, much more than the competition. I like Xero, but this is one (of my two) irritations.
Passkeys are really convenient, and safer than passwords. Xero could take a big jump ahead if they would adopt this tech as an option.
-
Rick Johns commented
When you send out an authentication code to verify a user's identity, please can you add an extra step (like most others do) to say you are going to send an authentication message so the user has time to find their mobile phone and open the Xero Verify app.
Every time I get this verification request it takes me longer to pass the test as I have to wait and ask it to resend the verification "Yes it's me" option.
-
Tim Rutter commented
Really should have had WebAuthn support years ago.
We use YubiKeys for WebAuthn authentication with all other online services, even internal sites.
Apple also uses WebAuthn for Passkey which was announced Jun 6th 2022 at WWDC 2022.
Information links
https://www.yubico.com/authentication-standards/webauthn/
https://support.apple.com/en-au/102195#About-the-security-of-passkeys
Developer Info
https://developers.yubico.com/WebAuthn/
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication/supporting_passkeys/
-
Richard Crozier commented
SSO is recognised as a critical aspect of modern business security.
Our business uses Jumpcloud as its secure IdP provider. Xero should support Jumpcloud as the authentication provider for Xero user logins. Jumpcloud supports generic SAML connections and supports MFA using their dedicated mobile device push app, or also OTP if necessary. A dedicated Jumpcloud integration could perhaps enforce/require MFA if this is an issue for third party IdP providers.
-
Dan Charlesworth commented
Xero should be leading the way on this. Particularly now that Australian legislation has reduced the time a particular browser or device can remain "authorised" to login to an account before the 2FA prompt comes in.
Give us the option to ditch passwords.
-
Accounts Department commented
Webauthn is also significantly more secure than the current TOTP model being used, as the server doesn't have any shared keys.
It's also more convenient than TOTP as no codes need be entered to verify the device.
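Added example (not Xero's code or any commenter's): an RFC 6238 TOTP verifier with several enrolled OATH devices per user, each separately removable and stamped with its last use, as Tim Rutter's Google comparison above describes; the per-device shared secret the server has to hold is the "shared key" that the comment above contrasts with WebAuthn. Device names and secrets are constructed for the example.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 8, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TotpEnrolments:
    """Per-user registry of OATH devices (hypothetical server-side structure).
    Every device entry stores the same secret the user's app holds, so a
    compromise of this store yields valid codes; a WebAuthn registry would
    hold only public keys."""

    def __init__(self):
        # name -> {"secret": bytes, "last_step": int, "last_used": int | None}
        self.devices = {}

    def enrol(self, name: str, secret: bytes) -> None:
        self.devices[name] = {"secret": secret, "last_step": -1, "last_used": None}

    def remove(self, name: str) -> None:
        del self.devices[name]  # each method is separately removable

    def verify(self, code: str, now: int, step: int = 30, window: int = 1):
        """Accept a code from any enrolled device within +/-window time steps and
        return that device's name; a time step already consumed by a device is
        never accepted again (RFC 6238 section 5.2 replay rule). None on failure."""
        cur = now // step
        for name, dev in self.devices.items():
            for cand in range(cur - window, cur + window + 1):
                if cand <= dev["last_step"]:
                    continue
                if hmac.compare_digest(hotp(dev["secret"], cand), code):
                    dev["last_step"] = cand
                    dev["last_used"] = now  # audit: when this device was last used
                    return name
        return None
```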
-
Henry Zhao commented
WebAuthn has backing from Microsoft, Google and Apple to get rid of passwords. Their platforms support one-step two-factor, passwordless authentication (your device and your biometrics). Passkeys cannot be reused, phished, forgotten or stolen.