All insights
Cyber & Essential Eight

The Xero login problem nobody talks about.

Xero lets you control what your staff can see. It does nothing about where or when they log in. Here's the credential exposure most firms never tackle, and how we close it so passwords can be used but never seen.

Nathan James
Founder, Worktopia
8 July 20267 min read
Credentials your team can use, but never see

Xero gets a lot right. Granular user permissions, client file access controls, mandatory multi-factor authentication. If you run an accounting firm, you can control what your staff can see inside Xero with reasonable precision.

What you can't control is where and when they log in. That's the loose end most firms never tackle, and it's a bigger exposure than it first appears.

The problem with staff-owned credentials

Here's how it usually plays out. A new staff member joins your firm. You send them a Xero invite. They accept it and set a password, either one they've chosen themselves or one generated by the firm's password manager.

Either way, that password belongs to them. They can see it. They can copy it. They can type it into any browser, on any device, anywhere in the world. The MFA code sits on their personal phone, which goes home with them every night.

So while you've carefully locked down which client files each person can access, the credentials that unlock those files live entirely outside your control. Your clients' financial data is one copied password away from being opened on an unmanaged home laptop, a shared family computer, or a device you'll never see or secure.

Nobody's suggesting your staff are malicious. Most aren't. But credentials that staff can see are credentials that can be phished, reused, written down, or quietly kept after someone leaves.

The risk isn't the person. It's the model. A credential your staff can see is a credential that can leave the building.

We asked Xero to fix this. For seven years.

The clean fix has always been obvious: single sign-on. Let firms connect Xero and Xero Practice Manager to their existing identity provider with SAML, so staff sign in with their work Microsoft account. Think “Sign in with Microsoft”, for your practice.

With SSO there's no separate Xero password to manage, copy or steal. Access is governed by your Microsoft 365 environment, which means conditional access policies, device compliance rules, and instant offboarding when someone leaves. One switch, everything revoked.

We first raised this with Xero through their community channels in October 2017, and kept advocating through to 2024. We weren't alone. The active product idea sits at almost 700 votes today, and that doesn't count earlier threads that have since been deleted. Firms, MSPs and security professionals keep adding their voices. The security case has only strengthened: under the ACSC's Essential Eight, moving beyond Maturity Level One requires phishing-resistant MFA (passkeys, security keys or similar, not push notifications or authenticator codes) and central logging of authentication events. Xero has started a limited passkey rollout, but its standard MFA options don't meet the phishing-resistant bar, and firms have no way to pull Xero sign-in logs into their central logging.

2017
When we first asked Xero for SSO
~700
Votes on the open product request
2025
Xero begins an SSO pilot with a few partners

To Xero's credit, there's finally movement. In October 2025, Xero confirmed its product team is developing SSO with a small, limited group of partners. That's genuinely welcome news, and we hope it ships. If you'd like to see it sooner, add your vote to the thread. Xero prioritises ideas by votes, and every firm that speaks up helps.

But there are no timelines, no confirmed scope, and no guarantee it will cover practice logins to Xero and XPM the way firms actually need. After eight years of advocacy, “we can't give any definite timelines yet” isn't something you can build your firm's security posture on. By 2024 we'd reached that conclusion: our clients couldn't wait indefinitely for a vendor roadmap to catch up with their risk. We decided to build the outcome ourselves.

Our fix: credentials your team can use but never see

We solved it with Keeper, deployed and centrally managed by us as your MSP, using a feature called password masking. Here's how it works in practice.

Staff log in fast
Keeper fills the Xero credentials automatically on managed work devices. Signing in is quicker than typing a password, with nothing for staff to remember (yes, even after that post-lunch session timeout).
They never see the password
With masking on, the credential can't be viewed, copied or exported from the vault. Staff can use it. They can't take it.
MFA lives in the vault too
The one-time codes are generated inside Keeper, not on a personal phone. The second factor stays inside the environment we control, alongside the credential itself.
Tied to managed devices
We control which devices Keeper runs on. On a home PC or a phone at the airport, there's simply no way in: no password, no code, and the vault won't open on a device we don't manage.
Onboarding and offboarding become non-events
New starters are ready in Xero on day one at the click of a button. When someone leaves, there's no password in their head to chase. Revoke their vault access and it's done.

None of this works in isolation. Password masking has to be backed by supporting policies, like stopping browsers from saving the Xero password in their own built-in managers, which would quietly undo the whole model. That's part of the security strategy we design and enforce around it.

Passwords staff can see, side by side with the vault

Passwords staff can see
Credentials in a managed vault
Can be copied, reused or written down
Used automatically, never viewed or exported
MFA code sits on a personal phone
One-time codes generated inside the vault
Works from any device, anywhere
Opens only on devices we manage
Offboarding means chasing passwords
Revoke vault access and it's done
Falls short of Essential Eight logging
Supports phishing-resistant MFA and logging

It's not just staff logins

The same model protects the most powerful credential in your practice: the primary subscription-holder login. That account controls billing, user management and, ultimately, every client file in the subscription. In most firms it belongs to a partner or practice manager, protected by nothing more than a password they chose and an MFA code on their personal phone. In practice it's rarely one person's secret: it's the login used to set up new client subscriptions, so the password often ends up shared between a partner or two and whoever looks after admin, which only widens the exposure.

Put it in the vault, mask it, and restrict it to managed devices, and your highest-value account gets the strongest protection in the firm instead of the weakest.

Your highest-value account should be the best protected in the firm, not the weakest.

What this means for your firm

Your clients trust you with the most sensitive financial information they have. Regulators increasingly expect you to demonstrate control over who accesses that data, from where, and on what devices. The Notifiable Data Breaches scheme doesn't care whether a breach came from a clever attacker or a password reused on a home PC.

Granular permissions inside Xero were never the whole answer. Controlling the credential itself, and the environment it's used in, closes the gap.

If your staff can see their Xero passwords, your firm has an exposure that no amount of in-app permission tuning will fix. It's solvable, we've done it for firms like yours, and it doesn't slow your team down. In most cases, it speeds them up.

The short version
Xero controls what staff can see, but not where or when they log in.
Passwords staff can see can be copied, reused or kept after they leave.
Password masking in a managed vault lets staff use credentials without ever seeing them.
MFA moves off personal phones and into the environment you control.
The same protection covers your highest-value subscription-holder login.
Security run as the whole job
See how Worktopia does cyber defence for accounting firms.
Explore →
Nathan James
Founder, Worktopia
Nathan founded Worktopia after a decade looking after IT and security inside Australian accounting firms. He has been advocating for proper practice-login security since 2017, and building it for clients since well before the vendors caught up.
Kip, the Worktopia mascot, holding a coffee

Want to know where your firm stands?

If your team know their Xero passwords, that's worth a look. Book a credential security review and we'll show you exactly where the gaps are, and how to close them.