2-Step Auth for Xero-Connected Accounts

Stronger authentication for accounts connected to Xero

14-Sep 2020
Hugh Cowling PRODUCT MANAGER

Accelo's partnership with Xero allows a fast and secure bi-directional sync of invoice and payment data between these systems, plus the sync of customer details, products, service items, and more. With such comprehensive access to your Xero accounting data, we're being asked by Xero to ensure that users logging into Accelo have passed a 2-step authentication process - on par with the 2-step login requirements that Xero themselves enforce.

Fortunately, Accelo already offers 2-step (or 2-factor) authentication as an optional security feature. However, to comply with Xero's stricter requirements for operation within Australia, we will need to enforce 2-step authentication for our users too.

This only applies to users within an Accelo account which is connected to an Australian-based Xero account. It applies from Oct 1, 2020.

How does it work?

There's a guide on our help site to walk you through configuring 2-factor authentication on your user account if you want to get it set up before the deadline.

In short, you'll need to install the Google Authenticator app on your smartphone and link it to your Accelo user account. The app will then give you a 6-digit code, which you provide when logging in to Accelo.

Does it apply every time I log in?

Yes, right now it does. But in the coming days, we'll be adding a "Remember this device for 30 days" option which will make this login process much less disruptive. After successfully authenticating with the 6-digit code, you will have 30 days where the second authentication step is bypassed. After that time, you'll be prompted to provide a 6-digit code again, and then have another 30 days without requiring the second authentication step, and so on.

What if we're using Single Sign-On?

If you use Google, Microsoft, or another SSO login method, then this will bypass the 2-factor authentication step. These sign-in services typically come with their own 2-step authentication, so triggering Accelo's 2-step on top is not required.

What if some users don't enable it - can I do it for them?

This is necessary for every active user in your Accelo account, even if they don't typically have access to any accounting-related data, because with a simple change of user permissions they could be given access to modify customers, invoices, and payments in Accelo, which can sync immediately to Xero.

You can't set this up for other users; each user needs to set it up individually, as it requires a personal mobile device to complete the set-up.

If on October 1, a user has not enabled 2FA on their account, when logging into Accelo they will be directed to the 2FA set-up screen. Accelo will not let them use any other parts of the product until 2FA is enabled on their account. 

Background

In 2018, the Australian Tax Office (ATO) updated the online security requirements for customers of software providers that connect with the ATO. It was made compulsory for anyone with access to an Australian organisation on Xero to have 2SA enabled on their login. The same is true for customers using other cloud-based platforms.

Because products like Accelo have wide-ranging access to the data in your Xero account, the ATO have recently expanded these security requirements to apply to partners on Xero's App Marketplace.

Unfortunately, if we don't comply then we're putting your ongoing connection between Xero and Accelo at risk.

---

If you have any concerns or require further information on managing 2-factor authentication for your users, please contact support@accelo.com and we'll be happy to help!
