Multi-Factor Authentication for Pinch & Xero Merchants

By the 29th of February 2024, all merchants who are connected to Pinch via Xero will be required to use Multi-Factor Authentication (MFA).

This follows on from the new global security standards set for Xero app partners.

What value does MFA bring to customers of my app?

MFA is an effective way of protecting your data and your customers' data from cyberattacks and unauthorised access to your account. MFA is a cybersecurity mechanism that requires a user to verify their identity with more than a single username and password; the "multi-factor" refers to this additional factor. Additional factors include authenticator applications, text or email messages with a code, or hardware tokens.

For example, if your customer’s username and password are compromised in a phishing or malware attack, having MFA enabled significantly reduces the risk of unauthorised access to their account. The attacker holds only one factor of authentication, the user’s login and password. With MFA enabled they still lack the second factor tied to that user, such as physical access to a mobile device with a verification app installed.

This better protects your customers from fraud and damage to their business — and helps secure everyone, from the customer to app partners, to Xero itself.

Why is Pinch implementing MFA for all merchants utilising Xero and Pinch? 

In 2020 Xero announced that it would be making MFA changes globally to help reduce cyberattacks and phishing and to increase security on the Xero platform. Xero has now made this mandatory for all app store integrators (that’s us) who have customers connected to Xero accounts.

We share Xero’s goal of making Pinch and Xero the most trusted small business platforms, and MFA is an important tool to protect your customers' information.

What will be the process for MFA for merchants utilising Xero and Pinch? 

From 2nd February 2024, all new users connecting to Pinch and Xero will be required to implement MFA. 

From 2nd February 2024, all current users of Pinch and Xero will be prompted to implement MFA. It is strongly recommended that you activate MFA as soon as you are presented with the warning, and that you invite new users so they can activate their own accounts and MFA.

From the 1st of March 2024, it will be mandatory for all Pinch accounts connected to Xero to have MFA activated, and you will no longer be able to access your Pinch account without it.


When will I be required to activate MFA for my Xero and Pinch account? 

All merchants connected to Xero and Pinch will be required to activate MFA by the end of February 2024. 

Warning messages will be displayed each time you log in to encourage you to adopt MFA as soon as possible before the deadline. 

Will I still be able to access my Pinch account, connected to Xero, after the end of February? 

Not without setting up MFA. 

From the 1st of March 2024, all accounts which are connected to Xero within Pinch will be required to set up MFA before proceeding to Pinch. Without MFA, you will not be able to access your Pinch account. 

What if I don’t want to activate MFA? 

This is a requirement set by Xero’s API and if you do not wish to set up MFA for the Pinch connection, your access will be restricted and potentially removed. 

What if the account details are shared amongst multiple employees? 

We suggest inviting new users instead of sharing your login credentials.

Each login will be connected to one MFA authentication.

What type of MFA will Pinch use? 

Pinch will require a 6-digit code to be entered when you log into your account. This code will be generated by an authenticator app on your phone.

We recommend any authenticator application you may currently have. Here are a few of our favourites: 

What is an authenticator app?

An authenticator or authentication app generates security codes for logging in to sites that require a high level of security. These apps can be used to retrieve security codes and don’t need to have an internet connection. A mobile phone app is a typical example of an authentication app, but other forms exist, including applications for desktops and browser extensions. After installing and configuring the app to work with your account, you’ll be able to receive push notifications and security codes.

I use MYOB or Quickbooks, will I also be required to have MFA? 

At this stage, it is not mandatory for MFA to be activated for Pinch connections within MYOB or Quickbooks but we do strongly recommend you consider implementing it to have the best security in place.

If you have any questions, please contact us at