Your accounting platform holds bank details, payment history and the financial heart of your business. That makes the login to it one of the most valuable credentials you own. Securing it well is high-impact, low-cost work — here is how to do it properly.

Key takeaways
  • Enforce multi-factor authentication on every account with access.
  • Give each person their own login with only the access they need.
  • Prefer read-only OAuth connections for third-party tools over shared passwords.
  • Review access regularly and remove people promptly when they leave.

Why the account is a target

Access to your accounting platform is access to your money and your records. An attacker who gets in can alter payment details, exfiltrate data for payment-redirection fraud, or delete records outright. Because the prize is so high, these accounts are actively targeted — which is exactly why securing them pays off.

Turn on MFA — everywhere

Multi-factor authentication is the single most effective control you can apply. With MFA, a stolen or guessed password is not enough on its own. Enforce it for every user, without exception, and prefer an authenticator app over SMS where possible. This is also a core Essential Eight strategy.

Practise least privilege

Not everyone needs full access. Give each person:

  • Their own named login — never a shared account.
  • Only the role and permissions their job requires.
  • Administrative rights only where genuinely necessary.

Named, scoped accounts also give you an audit trail of who did what.

Connect tools the safe way

Modern integrations should connect through OAuth, which grants scoped, revocable access without sharing your password — and, importantly, can be limited to read-only. A read-only connection can see your data but cannot change it. When you add a backup or reporting tool, a read-only OAuth link is far safer than handing over credentials. It is precisely how CINDA connects to Xero: read-only, so it can copy your data but never alter your books.

Keep access tidy over time

Security drifts. Review who has access every quarter, remove departed staff and unused integrations immediately, and check which third-party apps are connected. An abandoned login or a forgotten integration is an open door. Combine good hygiene with an independent backup and you are protected against both intrusion and loss.
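The quarterly review described above, together with the read-only OAuth check from the previous section, can be scripted over an export of users and connected apps. This is an added example, not CINDA's or Xero's own code; it assumes Xero's scope naming convention, in which read-only scopes end in ".read" (for example accounting.transactions.read) while the same name without the suffix grants write access, and the user and app records are constructed for illustration.

```python
from datetime import date

# Xero-style scope convention (assumption stated in the lead-in): read-only
# scopes end in ".read"; the same name without the suffix grants write access.
IDENTITY_SCOPES = {"openid", "profile", "email", "offline_access"}
STALE_AFTER_DAYS = 90  # one quarter, matching the review cadence above

def scope_is_read_only(scope: str) -> bool:
    """True for identity-only scopes and any scope carrying the .read suffix."""
    return scope in IDENTITY_SCOPES or scope.endswith(".read")

def review_access(users, apps, today: date) -> list:
    """Return one finding per control gap across users and connected apps."""
    findings = []
    for u in users:
        if not u["mfa"]:
            findings.append(f"user {u['login']}: MFA not enrolled")
        if u["shared"]:
            findings.append(f"user {u['login']}: shared login, replace with named accounts")
        if u["role"] == "admin" and not u["needs_admin"]:
            findings.append(f"user {u['login']}: admin rights not required by job")
        if u["departed"]:
            findings.append(f"user {u['login']}: departed staff still has access, remove")
    for a in apps:
        write_scopes = sorted(s for s in a["scopes"] if not scope_is_read_only(s))
        if write_scopes:
            findings.append(f"app {a['name']}: write scopes {write_scopes}, reconnect read-only")
        if (today - a["last_used"]).days > STALE_AFTER_DAYS:
            findings.append(f"app {a['name']}: unused for over {STALE_AFTER_DAYS} days, disconnect")
    return findings

# Constructed sample exports; not real accounts, apps or connections.
USERS = [
    {"login": "alice@example.com", "mfa": True, "shared": False, "role": "admin", "needs_admin": True, "departed": False},
    {"login": "bookkeeping@example.com", "mfa": False, "shared": True, "role": "standard", "needs_admin": False, "departed": False},
    {"login": "bob@example.com", "mfa": True, "shared": False, "role": "admin", "needs_admin": False, "departed": True},
]
APPS = [
    {"name": "backup-tool", "scopes": ["openid", "offline_access", "accounting.transactions.read", "accounting.contacts.read"], "last_used": date(2024, 6, 1)},
    {"name": "old-reporting", "scopes": ["accounting.transactions", "accounting.reports.read"], "last_used": date(2023, 11, 1)},
]

def run_sample() -> list:
    """Run the review against the constructed exports as at a fixed date."""
    return review_access(USERS, APPS, date(2024, 6, 10))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against the sample data, the named admin with MFA and the read-only backup connection produce no findings, while the shared login, the departed admin and the write-scoped stale integration each do.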