Skip to content
← Share and support customer ideas for Xero

Settings and activity

'Reports realign periods oldest to newest' has been merged into this idea

2 results found

  1. Login - Don't Log Me Out/Extend Log Out Time (more than 60 minutes)

    1,060 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    403 comments  ·  For small businesses » Settings & user roles  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    Not in pipeline  ·  AdminKelly Munro (Community Manager, Xero) responded

    Hi everyone, we appreciate the interest surrounding this idea, however we want to be open that we're unable to extend our log-out time past 60 minutes. Xero hold a lot of sensitive information including bank data and we're required to be as secure as online banking.
    Any session information running on a web browser can potentially be stolen. If the session does not time out. You then have an infinitely long vulnerability window to session hijacking. Our best option is to keep a tight expiration window on the session cookie, and regenerate them frequently. Even setting a long timeout doesn't help with this - too long a timeout will greatly increase the risk of invasion or potentially jeopardise your personal data and the safety and integrity of the Xero application itself. This is why we maintain control of this.
    If we detect there's been no activity on a page (e.g…

    An error occurred while saving the comment
    EMC I.T. Solutions commented  · 

    I'm in IT Security, and this isn't the approach you take (We know better than you) unless you want to alienate your user base and cause general discontent.

    Allow the organization to adjust this between any defined windows of say, 1-240 minutes. This is an risk management decision at an organizational level. Set the default to 60 minutes but allow each ORG to define their own idle timeout policy.

    OR, "lock" the session but don't log it out. I'm sure you're all capable of figuring that out.

    Xero's refusal to listen to your customer's is jarring on this, and the SSO enablement both. For an otherwise great product, it's really frustrating.

    An error occurred while saving the comment
    EMC I.T. Solutions commented  · 

    ++ this

    EMC I.T. Solutions supported this idea  · 

  2. Login - Enable Windows Azure Active Directory Single Sign On

    526 votes

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close

    We’ll send you updates on this idea

    179 comments  ·  For small businesses » Settings & user roles  ·  Admin →
    How important is this to you?

    We're glad you're here

    Please sign in to leave feedback
    Signed in as (Sign out)
    Close
    Close
    submitted  ·  AdminKelly Munro (Community Manager, Xero) responded

    Hi community, we appreciate many businesses have adopted single sign on with providers like Google, Microsoft Azure/Entra, and Okta to easily streamline logins to many applications and manage operational risk. Our team are staying close to votes and feedback of the idea here, and though we can't commit to development at this time, we will be sure to let you know of any progress toward enabling single sign on

    An error occurred while saving the comment
    EMC I.T. Solutions commented  · 

    This is very long overdue and for an otherwise great product, this is a glaring weakness/deficiency. Most tech companies implemented SSO with major IDP solutions 4-5 years ago, if not longer.

    EMC I.T. Solutions supported this idea  ·