You should use 2-step authentication wherever possible
You really, really should use 2-step authentication. No security is 100%; committed robbers will still find a way in, but if someone else is an easier target… The way we use computers these days, the devastation of losing access to our computers or online accounts can be like having a house fire. There’s a very real possibility of long-term damage to every part of our lives. Fixing it is not easy, or cheap, and you can’t even outright pay someone else to fix it for you, although undoubtedly you’ll need to pay for someone’s help. It’s easy to hope that the world would believe you when you tell them your accounts have been hacked and that they would quickly restore your access and all would be well. However, all too often someone trying to get into your accounts will use that very same line in an attempt at social engineering their way in. If you’re lucky, they won’t delete your accounts when they’re done playing. It’s enough to make you think about having it all backed up (which of course you should). Cue the new annoying feature security nerds have developed to inconvenience us all: 2-step authentication (sometimes this is also called 2-factor authentication – they are subtly different things).
2-step authentication requires you to know your username and have also memorised your password (pretty standard so far), then you must supply a second “One Time Password”. Sometimes this is a number from an SMS message and other times it’s a time-based password generated by a smartphone app. Google Authenticator is one such app you can install to generate these codes. You can use 2-step authentication with lots of places: Gmail, Twitter, LastPass, Apple, Facebook, Dropbox, PayPal, Microsoft, LinkedIn… the list goes on and is growing all the time.
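To show what the time-based code from an app like Google Authenticator actually is, here is an added example (my own, not code from the original post or from any of the services named above) implementing the standard the apps follow: RFC 4226 HOTP, with the counter replaced by the number of 30-second steps since the Unix epoch (RFC 6238 TOTP). The secret is the constructed reference key from those RFCs, so the codes it produces match the published test vectors; the ±1 step window in `verify_totp` is an assumption about what a server accepts to cover clock drift and typing delay.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 reference key as ASCII bytes.
# In real use this is the key your authenticator app stores when you scan the QR code.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # how long each code is valid
DIGITS = 6          # length of the code shown in the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Phone and server only need the same secret and roughly the same clock."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check (assumed policy): accept the code for the current step and
    `window` steps either side. Constant-time comparison avoids leaking how many
    digits of a wrong guess matched."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            return True
    return False


def secret_to_base32(secret: bytes) -> str:
    """The form of the key an authenticator app accepts when typed in by hand."""
    return base64.b32encode(secret).decode("ascii")


def base32_to_secret(text: str) -> bytes:
    """Reverse of the above; tolerates spaces, lowercase and missing '=' padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Prints the code your app would show right now for the demo key.
    print("key for manual entry:", secret_to_base32(DEMO_SECRET))
    print("current code:", totp(DEMO_SECRET))
    # Known RFC 6238 vector: at Unix time 59 the 6-digit code is 287082.
    print("code at t=59:", totp(DEMO_SECRET, at_time=59))
```

The point of the window is that a code typed a few seconds after it rolled over still works, but a code from two or more steps ago does not; SMS codes work differently (the server generates a random value and sends it to you), which is why they are not bound to the clock in this way.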
Last year Xero joined the 2-step authentication club and I think it’s pretty clear why they have plenty of interest in making sure their security offering is top-notch. You’ll have to opt in for the 2-step authentication, but despite needing to keep your phone on you when you want to log in, it’s completely worth it. Who are you kidding? You’ve always got your phone on you anyway. Xero even made this neat video so everyone could get an idea of how 2-step authentication works and how to set it up. I’d like to add a few extra details for you though.
Activating 2-step authentication for Xero
First, if you’re using their mobile app, make sure you have a PIN code set up to access the app before you activate 2-step authentication for Xero.
If you don’t already have a PIN on the app, try to add one through the app settings. I had to uninstall and re-install the app so I could access the pick-a-PIN setup page. The PIN is restricted to 4 digits, and the mobile application doesn’t support 2-step authentication yet. If you’ve got it set up on the same device as your Google Authenticator app, then that is a moot point anyway.
If you already enabled 2-step authentication without a PIN, when you try to log in on your mobile app you get the toast message: “2-step authentication not supported on mobile. Disable to log in then re-enable”. You will need to go to a browser, log in to your Xero account and disable 2-step authentication so that you can log in on your phone and set up the PIN. Once you get logged in on your app you might not be able to set up a PIN – try uninstalling and re-installing the app, then re-enable 2-step authentication per the video instructions from Xero. Once you have the PIN you can re-enable 2-step authentication.
A word on security questions
It’s not just you that knows who your best friend at primary school was, or who your first boyfriend/girlfriend was. It’s pretty easy to look up your mum on the old electoral roll and see where you lived when you were 5 too… These days you don’t know when your bestie from 1992 might post something online about some nostalgic memory, but I’m willing to bet you won’t remember that it was the answer to your security questions for emergency access to your finances, and you also won’t go and update them everywhere else you have used them either. This means you’re the slowest antelope, the lowest-hanging fruit, an easy target. Just like life, nothing in security is 100%. Make up 3 unrelated extra (backup) passwords as the answers to your security questions. Print them out and lock them up in your safe or fire-box, or if you don’t have one, encrypt them on a flash drive which you never plug into your computer except in case of emergency.
Saving money with 2-step authentication
If you’re not convinced about the value of 2-step authentication then consider this: MailChimp want you to opt in SO BADLY that they’re giving you a 10% discount for enabling it. That’s right – if you want a discount on managing your online newsletters, all you need to do is enable 2-step authentication with MailChimp.