Xero lets you control what your staff can see. It does nothing about where or when they log in. Here's the credential exposure most firms never tackle, and how we close it so passwords can be used but never seen.
Xero gets a lot right. Granular user permissions, client file access controls, mandatory multi-factor authentication. If you run an accounting firm, you can control what your staff can see inside Xero with reasonable precision.
What you can't control is where and when they log in. That's the loose end most firms never tackle, and it's a bigger exposure than it first appears.
Here's how it usually plays out. A new staff member joins your firm. You send them a Xero invite. They accept it and set a password, either one they've chosen themselves or one generated by the firm's password manager.
Either way, that password belongs to them. They can see it. They can copy it. They can type it into any browser, on any device, anywhere in the world. The MFA code sits on their personal phone, which goes home with them every night.
So while you've carefully locked down which client files each person can access, the credentials that unlock those files live entirely outside your control. Your clients' financial data is one copied password away from being opened on an unmanaged home laptop, a shared family computer, or a device you'll never see or secure.
Nobody's suggesting your staff are malicious. Most aren't. But credentials that staff can see are credentials that can be phished, reused, written down, or quietly kept after someone leaves.
The clean fix has always been obvious: single sign-on. Let firms connect Xero and Xero Practice Manager to their existing identity provider with SAML, so staff sign in with their work Microsoft account. Think “Sign in with Microsoft”, for your practice.
With SSO there's no separate Xero password to manage, copy or steal. Access is governed by your Microsoft 365 environment, which means conditional access policies, device compliance rules, and instant offboarding when someone leaves. One switch, everything revoked.
We first raised this with Xero through their community channels in October 2017, and kept advocating through to 2024. We weren't alone. The active product idea sits at almost 700 votes today, and that doesn't count earlier threads that have since been deleted. Firms, MSPs and security professionals keep adding their voices. The security case has only strengthened: under the ACSC's Essential Eight, moving beyond Maturity Level One requires phishing-resistant MFA (passkeys, security keys or similar, not push notifications or authenticator codes) and central logging of authentication events. Xero has started a limited passkey rollout, but its standard MFA options don't meet the phishing-resistant bar, and firms have no way to pull Xero sign-in logs into their central logging.
To Xero's credit, there's finally movement. In October 2025, Xero confirmed its product team is developing SSO with a small, limited group of partners. That's genuinely welcome news, and we hope it ships. If you'd like to see it sooner, add your vote to the thread. Xero prioritises ideas by votes, and every firm that speaks up helps.
But there are no timelines, no confirmed scope, and no guarantee it will cover practice logins to Xero and XPM the way firms actually need. After eight years of advocacy, “we can't give any definite timelines yet” isn't something you can build your firm's security posture on. By 2024 we'd reached that conclusion: our clients couldn't wait indefinitely for a vendor roadmap to catch up with their risk. We decided to build the outcome ourselves.
We solved it with Keeper, deployed and centrally managed by us as your MSP, using a feature called password masking. Here's how it works in practice.
None of this works in isolation. Password masking has to be backed by supporting policies, like stopping browsers from saving the Xero password in their own built-in managers, which would quietly undo the whole model. That's part of the security strategy we design and enforce around it.
The same model protects the most powerful credential in your practice: the primary subscription-holder login. That account controls billing, user management and, ultimately, every client file in the subscription. In most firms it belongs to a partner or practice manager, protected by nothing more than a password they chose and an MFA code on their personal phone. In practice it's rarely one person's secret: it's the login used to set up new client subscriptions, so the password often ends up shared between a partner or two and whoever looks after admin, which only widens the exposure.
Put it in the vault, mask it, and restrict it to managed devices, and your highest-value account gets the strongest protection in the firm instead of the weakest.
Your clients trust you with the most sensitive financial information they have. Regulators increasingly expect you to demonstrate control over who accesses that data, from where, and on what devices. The Notifiable Data Breaches scheme doesn't care whether a breach came from a clever attacker or a password reused on a home PC.
Granular permissions inside Xero were never the whole answer. Controlling the credential itself, and the environment it's used in, closes the gap.
If your staff can see their Xero passwords, your firm has an exposure that no amount of in-app permission tuning will fix. It's solvable, we've done it for firms like yours, and it doesn't slow your team down. In most cases, it speeds them up.