Securing your account

Otto handles your clients’ Xero data, so the portal has several ways to keep your account secure. This guide covers what’s available and how to enable it.

Two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring two different types of verification when you sign in. Even if someone discovers your password, they won’t be able to get in without the second factor.

Two-factor authentication setup page showing options for authenticator app and Passkey, with a green security recommendation banner at the top

Setting up an authenticator app

An authenticator app generates unique codes that change every 30 seconds. It’s one of the most secure ways to protect your account.

1. From the user menu, select “Two-factor authentication”
2. Click “Enable authenticator app”
3. Open your authenticator app (such as Google Authenticator or Authy)
4. Scan the QR code displayed on your screen
5. Enter the six-digit code shown in your authenticator app
6. Click “Activate” to complete the setup

Authenticator app setup screen displaying a QR code for scanning and an input field for verification code entry

Caution

Save your recovery codes when they appear. They’ll help you regain access to your account if you lose your phone or can’t open your authenticator app.

Using Passkeys

Passkeys are a modern, password-free way to secure your account using your device’s built-in security features, such as fingerprint scanning or facial recognition.

To set up a Passkey:

1. From the user menu, select “Two-factor authentication”
2. Click “Add a Passkey”
3. Give your key a memorable name (e.g. “Work MacBook” or “iPhone 15”)
4. Choose whether to enable “Sign in with key only”. This lets you use just the Passkey to sign in, without also entering your email address and password
5. Follow your device’s prompts to register the security key
6. Click “Activate” to complete the setup

Passkey setup form with a text field to name your key and a checkbox option for key-only sign in

Tip

Set up Passkeys on more than one device so you always have a backup way to access your account.

Recovery options

Recovery codes

Recovery codes are generated automatically when you set up two-factor authentication. These one-time-use codes help you regain access if you lose your authenticator app or Passkey.

Tip

• Store recovery codes in a secure location, separate from your main device - Never share your recovery codes with anyone - Consider printing them and storing them in a safe place

Managing your security settings

You can review and update your security settings at any time:

1. Click your profile icon in the top-right corner
2. Select “Two-factor authentication”
3. From here you can:
   • Add additional security methods
   • Remove existing methods
   • Generate new recovery codes
   • View when each security method was last used

Expanded user menu showing security options including Practice settings, Your settings, email and password changes, and Two-factor authentication

Need help?

If you’re stuck setting up security or can’t access your account, drop us a line at support@withotto.app and we’ll be happy to help.

Caution

Never share your passwords, recovery codes, or temporary authentication codes with anyone, including With Otto support staff. We will never ask for these details.