Merging Practice Manager and Xero logins

From yesterday, Xero Practice Manager began redirecting users to merge their XPM (Green) and Xero (Blue) logins. This is a welcome change, with one less login to manage, and a prelude to the introduction of enforced two-factor authentication.

As your passwords for Xero & Practice Manager are required to facilitate the merging of these logins, Worktopia clients should refer to these client instructions.

Enabling Two-factor Authentication (2FA)

While notifications from Xero suggest two-factor authentication would not be compulsory until March 1st, we’ve found that once you’ve merged accounts, the login process will insist 2FA be setup immediately. Refer to Xero’s instructions to Set up two-factor Authentication.

What if staff don’t have a mobile device for 2FA?

This is a common scenario for many of our client staff, particularly offshore team members. In this case staff should install Windows Authenticator on their enrolled work PC. Refer to Windows Auth for Xero (bottom) within our client instructions for more detail.

How is Xero 2FA different from Worktopia Cloud Security?

Both Xero 2FA and Worktopia Cloud Security (i.e. Single Sign-On) serve to protect your client data. Xero has enforced 2FA for all their users as a means to combat phishing and unauthorised access. Xero’s 2FA is essentially an additional means of ensuring you are you – and not someone who has obtained your password.

Worktopia Cloud Security is similar in purpose, however our additional security policies also assist firms to control when and where data is accessed. For example, staff may be authorised to access Xero only from within approved offices or enrolled work devices. Our Single Sign-On and Multi-factor Authentication processes will continue to function alongside Xero’s 2FA to enforce your firm’s security policies.

Can shared logins still be used?

Many of our clients use a group or shared Xero login to make access delegation to client Xero files easier to manage. The downside to this of course is a lack of transparency in Xero’s audit logs on client files. For example, if using a shared ‘bookkeeping’ login amongst several staff, Xero’s audit logs will not tell you which staff member specifically made the changes.

While the introduction of two-factor authentication makes shared accounts a little more complicated, we’ve found in further testing that this is, for now, still viable. Keep in mind, however, that the Authentication App can only be installed on a single device, and staff will need to obtain a code at least every 30 days from whoever controls the Authentication App.

If a staff member has accidentally merged their personal XPM login with a shared Xero login, you can email Xero Support to request this be reversed.

The case for SAML support by Xero

This is a fitting opportunity to discuss SAML, and why as a modern cloud security provider for accounting firms, we’re eager to see Xero adopt this technology into their authentication. Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context (in our case, your Microsoft Office 365 login). This single sign-on (SSO) login standard has significant advantages over using a username and password.

We currently use a password injection method to provide Single Sign-On for Xero: staff never learn their Xero-specific password, so our access policies cannot be bypassed. With SAML, we could do away with these passwords altogether, making access both more secure and easier to manage through our Cloud Security.

One of the most common workflow issues we encounter without SAML support occurs when staff receive an invite to a client Xero file. The invite acceptance process asks staff to enter their Xero password, which we are unable to ‘inject’ at this point and which the staff member does not know. For this reason we currently advise staff to forward any Xero invites to our team to action on their behalf.

With SAML support, however, this entire workflow could be completed by staff with ease, and more securely in the process.
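To make the contrast concrete, here is an added example (not Worktopia’s or Xero’s code) that models the two approaches side by side. The password injection path keeps a per-user password on both sides and simply replays it, so any prompt the SSO layer cannot fill is a dead end. The assertion path carries no user password at all: the identity provider (the firm’s Office 365 login in our case) signs a statement about who the user is, and the application checks the signature, issuer, audience and validity window before trusting it. Real SAML assertions are signed XML verified with the identity provider’s public key; this model uses a JSON document and an HMAC key the two parties are assumed to share, which is enough to show the checks involved. All names, URLs and credentials below are constructed placeholders.

```python
"""Simplified model of password-injection SSO versus a SAML-style assertion.

Added example, not the page's or any vendor's code. Assumes a shared HMAC
key between identity provider (IdP) and service provider (SP); real SAML
uses XML signatures and the IdP's public key instead.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (hypothetical identifiers, not real endpoints or keys)
IDP_ID = "https://idp.example-firm.test"   # the firm's identity provider
SP_ID = "https://sp.example-app.test"      # the accounting application
SHARED_KEY = b"constructed-demo-key"       # stands in for the IdP's signing key

# --- Approach 1: password injection ---------------------------------------
# The SSO layer holds a password per user and types it into the app's form.
VAULT = {"alice@example-firm.test": "S3cret-injected-pw"}      # constructed
APP_USERS = {"alice@example-firm.test": "S3cret-injected-pw"}  # app's own store


def password_injection_login(user, vault=VAULT, app_users=APP_USERS):
    """Return True if the password the SSO layer injects matches the app's record.

    A secret must exist and stay in sync on both sides, and a form the SSO
    layer does not know how to fill (such as an invite acceptance page) cannot
    be completed without revealing that secret to the user."""
    pw = vault.get(user)
    return pw is not None and hmac.compare_digest(pw, app_users.get(user, ""))


# --- Approach 2: SAML-style signed assertion --------------------------------
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_assertion(user, audience=SP_ID, lifetime=300, now=None, key=SHARED_KEY):
    """IdP side: after its own login (and any MFA or device policy), assert who the user is.

    No application password is involved; the assertion is bound to one audience
    and a short validity window so it cannot be replayed elsewhere or later."""
    now = time.time() if now is None else now
    body = {"issuer": IDP_ID, "subject": user, "audience": audience,
            "not_before": now, "not_on_or_after": now + lifetime}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def sp_validate_assertion(token, now=None, key=SHARED_KEY,
                          trusted_issuer=IDP_ID, my_id=SP_ID):
    """SP side: return the asserted subject, or None if any check fails.

    Checks, in order: well-formed token, valid signature, trusted issuer,
    correct audience, and current time inside the validity window."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # malformed token or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or signed by an untrusted party
    body = json.loads(payload)
    if body.get("issuer") != trusted_issuer or body.get("audience") != my_id:
        return None  # issued by someone else, or meant for another application
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        return None  # outside the validity window
    return body["subject"]


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    tok = idp_issue_assertion("alice@example-firm.test", now=t)
    print("fresh assertion ->", sp_validate_assertion(tok, now=t + 10))
    print("expired assertion ->", sp_validate_assertion(tok, now=t + 600))
    print("password injection ->", password_injection_login("alice@example-firm.test"))
```

The point of the model is what the application has to store: under password injection it holds a usable secret for every staff member, and so does the SSO layer; under the assertion model it holds only the means to verify the identity provider, and access decisions (office, enrolled device, MFA) are made once at the identity provider before any assertion is issued.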

Please help by voting on the SAML Authentication feature request on Xero’s Community Forums.