Rant about XERO

Why make it mandatory???


I've happily accessed the client's Xero account for 3 years. Now they've introduced "mandatory multi factor authentication". Why??

I've been forced to jump through hoops trying to follow their strange instructions to install it. Why can't it be made voluntary??

I understand it is to protect from hacking but other software companies manage without it - why can't Xero ??

End of rant 


Replies (27)


By Hugh Simpson
10th Jul 2021 11:52

I can't help but think that as Australian Tax Office requirements started rolling out the need for authentication (years ago, now), other countries and their tax authorities may follow suit, with Xero working on this for the times ahead.
It is pretty seamless to set up and run, however, and gives added security so I am not too sure what the issue is.

Thanks (0)
By thomas34
10th Jul 2021 12:38

Not just you Bernard. For some reason the life-saving Xero App won't install on my mobile phone. I'm getting to the stage of asking the client to download what reports I need and emailing them to me. I understand that even some users are tearing their hair out because they have a set number of micro seconds to input a code or restarting the whole process.

Thanks (1)
Replying to thomas34:
By bernard michael
10th Jul 2021 13:52

thomas34 wrote:

Not just you Bernard. For some reason the life-saving Xero App won't install on my mobile phone. I'm getting to the stage of asking the client to download what reports I need and emailing them to me. I understand that even some users are tearing their hair out because they have a set number of micro seconds to input a code or restarting the whole process.


Exactly my solution
Thanks (0)
Replying to thomas34:
By spilly
10th Jul 2021 22:25

It took me over 2 days to sort this out as the codes didn’t arrive within the set time. Ended up doing it at 7am on the 3rd day. Absolute pain.
Still got to set up our book-keeping staff for each client on this ridiculous system - been putting it off until the last minute tbh.

Thanks (1)
By Matrix
10th Jul 2021 14:28

I assume you are accessing through your own login? If not then add yourself as a user. Then you set it up to send a code to your phone. It’s workable.

Thanks (0)
By Arthur Putey
10th Jul 2021 14:58

It's not that big a deal given you only have to re-auth every 30 days. If you generally use a PC just install the desktop app.
https://central.xero.com/s/article/Set-up-multi-factor-authentication#Se...
Or security questions, making sure that you invent facetious answers.

Thanks (1)
By stepurhan
11th Jul 2021 22:41

You understand it protects from hacking, but you prefer being more open to hacking?

There are multiple ways of doing it. You can opt to only do it every 30 days (insecure as that is).

Perhaps Xero is not the software for you, if making some effort to protect your clients' online data is too much for you.

Thanks (1)
Replying to stepurhan:
By Paul Crowley
11th Jul 2021 23:28

Do not really think it is difficult to make these things an opt in. People will opt in to worthy benefits. And that opt in can be at a convenient time, not the do-it-now arbitrary timing of the organisation that is being paid to supply a service.
If the risk was so high why has it taken so long to get updated?
It does suggest that, to date, the software was unsafe rubbish and they have just realised how bad it is. So bad that all users must operate differently from TODAY,
whenever today was.
Glad I do not use it.
But looks like helping the two clients that do will take up more of my employees' time as a result of the change.

Read anything about Microsoft 11 yet?
90% of hardware just not good enough in their opinion
Such bad publicity that they removed the hardware check completely.
Intel 8, nothing older, despite that all the way back to 6 all comply.

Thanks (0)
Replying to Paul Crowley:
By stepurhan
12th Jul 2021 08:58

It has been opt in for quite some time. I have had two-factor authentication set up from day one of using Xero. Two-factor authentication is widely considered best security practice. The software has not been "unsafe rubbish" in the past. Users have previously been allowed the option of operating in an unsafe manner in the past.

It would not surprise me if the change was because some users that didn't use two-factor authentication turned round and blamed Xero when they got hacked. Far easier to say Xero is "unsafe rubbish" than to take responsibility for operating in a less secure manner.

This has not come as a sudden surprise. They have been highlighting this change coming for months. "Today" will only come as a surprise to those who have not been paying attention.

I have no idea of what relevance you think Microsoft 11 has in this conversation. A very simple security improvement and hardware issues with an operating system are two very different things.

Thanks (0)
Replying to stepurhan:
By spilly
15th Jul 2021 00:04

It might have been opt-in for a while but we had no idea this was even an option. Xero only alerted us to this issue in the last fortnight. We only have a few clients using it so are not agents; maybe that is why we have been ‘out of the loop’ until recently.

Thanks (0)
Replying to spilly:
By bernard michael
15th Jul 2021 09:11

spilly wrote:

It might have been opt-in for a while but we had no idea this was even an option. Xero only alerted us to this issue in the last fortnight. We only have a few clients using it so are not agents; maybe that is why we have been ‘out of the loop’ until recently.

Have you managed to install MFA without any problems??

Thanks (0)
By paulwakefield1
12th Jul 2021 08:10

I'm not a great supporter of Xero (I don't like it although I feel that I cannot be using it to its full potential because many think it is very good) but....

There are plenty of authenticator apps out there if you can't use the Xero one.

You only have to renew every 30 days.

They have been warning for some time that it was coming in

Just because they didn't have it until now does not mean it was unsafe rubbish before. Risks change.

Thanks (0)
By ireallyshouldknowthisbut
12th Jul 2021 09:55

It's mildly irritating, but is one of the better ones in that you just press a "yes it's me" button, rather than a "you get a text on one screen and have to enter it on another, whilst remembering the 19 digit number" arrangement.

I have mine to my phone, but it would also be set to a laptop/desktop if you are not a smart phone user.

Thanks (0)
By Monsoon
12th Jul 2021 10:48

I reacted like this. Once you've set it up, you only have to do it once every month. It's just the way everything online is going.

Thanks (0)
By Arthur Putey
12th Jul 2021 14:18

This illustrates why cloud platforms aren't ideal for "professional" use. I spend the day flitting between Xero, Sage, HMRC and other platforms and it is a pain to find I have been logged out of any of them just because I've been doing something else for a while. HMRC remains the exception in not requiring MFA (for agent accounts) and you'd think that would need to be more secure than Xero!

And many users just save their passwords to their browser, so with a 30 day grace period between authentications Xero remains as secure or insecure as it was before MFA.

Thanks (1)
Replying to Arthur Putey:
By stepurhan
12th Jul 2021 19:47

Arthur Putey wrote:

And many users just save their passwords to their browser, so with a 30 day grace period between authentications Xero remains as secure or insecure as it was before MFA.

It remains as secure or insecure as it was on the same device.

If you login to a different device within the 30 days, you have to authenticate again. So someone that manages to get your password still cannot login somewhere else with it.

I find it frustrating to be logged out of websites, but I can understand why it is a good idea from a data security point of view. Is it really "professional" to be casual about the security of client data?

Thanks (1)
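A small model of the device-trust behaviour stepurhan describes above (a password alone is accepted only on a device that completed MFA within the last 30 days; any other device is prompted again), written as an added example that is not part of the thread or of Xero's own code. The 30-day window, the MfaAccount class, the device ids and the sample password are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

TRUST_PERIOD = timedelta(days=30)        # assumed: the 30-day "remember this device" window
T0 = datetime(2021, 7, 12, 9, 0)         # constructed start time for the walk-through

class MfaAccount:
    """Password login plus a per-device trust token that lapses after TRUST_PERIOD."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.trusted_devices: dict[str, datetime] = {}   # device_id -> trust expiry

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, device_id: str, now: datetime,
              mfa_approved: bool = False) -> str:
        """Return 'ok', 'bad_password' or 'mfa_required'. mfa_approved stands in for
        the second factor (e.g. tapping "yes it's me" on the phone)."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return "bad_password"
        expiry = self.trusted_devices.get(device_id)
        if expiry is not None and now < expiry:
            return "ok"                      # same device, inside the window: no prompt
        if not mfa_approved:
            return "mfa_required"            # new or lapsed device: password alone fails
        self.trusted_devices[device_id] = now + TRUST_PERIOD
        return "ok"

    def change_password(self, new_password: str) -> None:
        """Rotating the password also forgets every trusted device."""
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(new_password)
        self.trusted_devices.clear()

def scenario() -> list[str]:
    """Constructed walk-through of the cases raised in the thread."""
    acct = MfaAccount("hunter2")                                       # constructed password
    return [
        acct.login("hunter2", "office-pc", T0),                        # first login: prompted
        acct.login("hunter2", "office-pc", T0, mfa_approved=True),     # approved: device trusted
        acct.login("hunter2", "office-pc", T0 + timedelta(days=10)),   # same device, day 10
        acct.login("hunter2", "other-laptop", T0 + timedelta(days=10)),  # stolen password elsewhere
        acct.login("hunter2", "office-pc", T0 + timedelta(days=31)),   # trust window lapsed
    ]
```

The fourth case is the one that matters for the "saved browser password" objection: the password on its own gets nowhere on a device that never completed MFA.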
By Michael Beaver
13th Jul 2021 15:10

We've been (mildly) inconvenienced by this. We have a 'system' log in so that our staff can all work on Xero via the same log in with the same user access. We can change passwords as and when staff leave so it's never been an issue.

After the 2FA has been implemented, without setting up staff accounts I have to clear their access on my phone each time it gets requested. Quite annoying, especially if I manage to go on holiday one day.

So we are setting up individual staff accounts so each staff member can verify themselves in.

The big problem is that even though you get appointed as adviser, you can't add your own staff to your clients' accounts unless you have 'Manage users' access, which you don't get by default. So we've had to go back to all our clients and ask them to update their user settings to grant me that access so I can add and remove my own staff where necessary. Surprisingly we've got about 90% done on the first request.

We'll also need to ensure that we get this level of access whenever we onboard a new client.

Xero of course could have provided functionality where the adviser can add and remove their own staff within the My Xero section of the site, but they didn't think that through.

Not end of the world stuff, but it would have been nice to have some warning.

Thanks (0)
Replying to michaelbeaver:
By stepurhan
13th Jul 2021 15:48

michaelbeaver wrote:

So we are setting up individual staff accounts so each staff member can verify themselves in.

Which is what you should have been doing from the start. Everyone using the same login is a recipe for disaster.

"Changing the passwords when someone leaves" is a ridiculously flawed system. It is easily overlooked at a busy time, leaving ex-staffers with dangerous levels of access. It disrupts everyone when they need to learn a new password. Not to mention potentially making your firm look incompetent when a staff member who has not got a new password can't login to deal with a client query on the phone.

But, more importantly, how do you tell who did what? If a member of your staff messed up a client's records, but everyone denies making the error, what did you do? Retrain everybody on the software? (potentially wasting the time of everyone that didn't make the error) Cross your fingers and hope it doesn't happen again? Do you not see the problem with giving the greenest junior the same level of access as your most experienced managers?

This question has been a real eye-opener on how careless accountants are with cloud data.

Quote:

Not end of the world stuff, but it would have been nice to have some warning.


Do you mean like the announcement they made 4 months ago? The one that, in the comments at least, made it clear that multiple authentication options are available?

https://www.xero.com/blog/2021/03/introducing-xero-verify/

Thanks (0)
Replying to stepurhan:
By Hugo Fair
13th Jul 2021 17:08

"This question has been a real eye-opener on how careless accountants are with cloud data."

So it's another win for cloud computing then (as opposed to for its users)?

Thanks (1)
Replying to Hugo Fair:
By stepurhan
14th Jul 2021 10:04

Hugo Fair wrote:

So it's another win for cloud computing then (as opposed to for its users)?


It's more a case of if you want to use cloud computing, then you have to appreciate your data is more at risk because it can be accessed from any internet connected device, not just the single computer with the data on of a desktop system. Is it not logical to take extra precautions to address that increased risk?

A lot of the answers here have been ignoring that increased risk, because taking extra precautions is too much hassle. My view is that if addressing that increased risk is too much hassle for you, then you would be better off sticking to systems that don't have that increased risk.

My work computer is kept in either a locked office or my home, and is in a bag that is always directly attached to me when moving between the two. However, it is still passworded, because there is confidential client data on it. That password should not be necessary, because access to the computer is restricted. Should I do away with the password?

Thanks (0)
Replying to stepurhan:
By Hugo Fair
14th Jul 2021 12:13

Strange as it may seem, we're in complete agreement (on the logic and the need for risk management) ... but not, I suspect, on a conclusion regarding the Cloud.

The problem yet again is those pesky marketeers & salespeople who positioned it as the obvious solution for anyone who found technology too tough/complicated to look after ... when in reality it merely puts a lot of the perceived complications out of reach (and increases long-term risk to the user), whilst imposing a whole bunch of new complexities/admin which the target market are ill-equipped to cope with.

I've had plenty of painless use out of Cloud apps, but also a disproportionately high number of disasters that couldn't have occurred on local physical systems (Google Drive deciding to change the creation date of 250,000+ files for instance).

My view is that Cloud is for things you don't really care about (win some, lose some philosophy). But if it's important (to you or your clients) then you need to remain in control.

Thanks (2)
Replying to Hugo Fair:
By stepurhan
14th Jul 2021 16:27

Regarding the Cloud being sold as a solution to all ills, I quite agree. The adverts that sell it as a magic wand really bug me. The software itself does not magically become better just because it is in the cloud.

I do see one big advantage though. The ability for clients and agents to look at the same data at the same time. With a desktop system I need the client to send a backup, or I need to visit their premises. To update their system, I need to send back a backup, or do them on the client premises. For the backup exchange to work, I have to ensure no other changes happen in-between.

Not a solve-all magic wand, but I see the ability to view and update client records in real-time a big advantage of operating through the cloud.

Thanks (0)
Replying to stepurhan:
By Hugo Fair
14th Jul 2021 17:27

Again, I agree with everything you say - but quibble a little with the conclusion.

"The ability for clients and agents to look at the same data at the same time" (or even to update that data from their respective locations) is a central benefit to any grown-up multi-user system ... and untying those users from the need to connect with the central processes/databases via physical networks was a major boon.

The key phrase there was 'grown-up', which is a euphemism for architecturally and commercially established (and probably expensive) ... such that 'internet-enabled' access is possible, but not primarily within a browser. Retaining some software on the clients' PCs can provide much stronger and more finely-tuned security along with improved performance for larger data volumes and complex rule-driven processes.

In essence that is good old-fashioned client/server architecture (including all the proven benefits of disaster recovery, process rollback, support for multiple data types, etc as part of the standard architecture) ... but using the internet (not the cloud) to broaden controlled access.

So we (or rather I) are back to the question of purpose.
If 'simple' is more important than 'complete', or 'one-size' rather than 'tailored', or 'inexpensive' rather than 'value for money' ... then Cloud ticks many boxes. But (and it's a personal judgement) if you don't want to keep chopping and changing with each new product (which needs a quick return and so has omitted many core features), then there are strangely fewer grey hairs amongst users of non-cloud software!

Thanks (2)
Replying to Hugo Fair:
By stepurhan
16th Jul 2021 08:42

As you say, we come to different conclusions. I doubt either of us is going to persuade the other to their point of view. Since these are points of view, as opposed to a dispute over facts, that is fine.

But, despite that, it has been a pleasure having a civilised debate on the subject. I look forward to future discussions on these forums. Thank you.

Thanks (0)
Replying to michaelbeaver:
By Arthur Putey
13th Jul 2021 17:11

Well why don't you just share the security question answers too?

Thanks (0)
By Glenn Martin
14th Jul 2021 12:21

If I was to put a list together of "20 things that get on my nerves on a daily basis" this would not make the list.

I have far bigger fish to fry.

However I do wish that one day I will be in a position that this is my biggest worry.

Thanks (0)