Multi‑Factor Authentication (MFA) for Xero Access

Users connecting to Xero Connect or Xero Payroll must enable MFA

Updated today

Edition: All

User-level: Assistant Administrator, System Administrator

This requirement applies only to users who connect to Xero through Xero Connect (Accounting) or Xero Payroll.


Mandatory Multi‑Factor Authentication (MFA) for Xero Access

To enhance the security of your data and meet new Xero compliance requirements, Multi‑Factor Authentication (MFA) will become mandatory for access to the Xero Accounting and Xero Payroll pages from 13 April 2026.


Enabling MFA helps protect your organisation’s financial data and ensures we can maintain uninterrupted access to the Xero API.


Who is affected

This change applies only to users who:

  • Access the Xero Accounting or Xero Payroll pages

  • Log in using an email address/username and password, and

  • Have an email-based login set as their Primary login method

Not affected?
If your Primary login method is Single Sign-On (SSO), you will not be required to enable MFA.


What will happen from 13 April 2026

From 13 April 2026:

  • Users who do not have MFA enabled will be blocked from accessing the Xero Accounting and Xero Payroll pages

  • A message will appear explaining that MFA must be enabled to continue

  • Access will be restored immediately once MFA setup is completed

Important: Each user must enable MFA for their own account.
Administrators cannot enable MFA on behalf of other users.


What affected users need to do

Before 13 April 2026, affected users should:

  1. Open their Synergy Profile

  2. Enable Two‑Factor Authentication

  3. Log out, then log back in

  4. Enter the one‑time security code sent to their registered email address

  5. Continue using the Xero Accounting and Payroll pages as normal

Note: MFA codes are sent to the email address listed first on your Synergy Profile.

For detailed steps, view our setup article here.


Synergy Profiles with Multiple Email Addresses Linked

If your Synergy Profile has more than one email address or login method linked (Email and/or SSO/Social Login), how MFA works depends on which option is set as Primary.

  1. Multiple Email Addresses Only
    (Primary email is NOT the first one listed)

    • MFA is required

    • The MFA code is sent to the first email address listed in your Profile

    • This happens regardless of which email address you use to log in

  2. Email + SSO/Social Login
    (SSO/Social Login is Primary)

    • MFA is not required

    • Your account is authenticated automatically

    • This applies no matter which login method you use

  3. Email + SSO/Social Login
    (Email login is Primary)

    • MFA is required

    • The MFA code is sent to the first email address listed in your Profile

    • This applies even if you log in using SSO or Social Login

Key Things to Remember

  • Primary login method matters

  • MFA codes always go to the first email address listed

  • This may not be the email you expect if multiple addresses are linked


Final Notes to Avoid Login & MFA Issues

To ensure your account works as expected, please review the following:

  • Your Synergy Profile email address must match the email address on your staff record (regardless of how you log in).
    If these don’t match, your Synergy Profile may become unlinked from your staff account.

  • Remove any obsolete, duplicated, or unnecessary email addresses linked to your profile.

  • If you use SSO, make sure it is set as your Primary login method.

  • MFA codes are sent to the first email address listed.
    If this isn’t the address where you want to receive MFA codes, remove it and re‑add it as an additional email address if needed.

Taking a few minutes to review these settings can help prevent access issues and unexpected MFA behaviour.
