Your Security page is where you manage how you sign in and how your account is protected. Open it by clicking your name in the top-right corner and choosing Security.
The Authentication Providers card shows which sign-in providers are linked to your account — Google, Apple, Microsoft, Xero and BGL. Linked providers appear as badges; for any that aren't linked yet you'll see a Continue with … button to connect them. Linking a provider means you can use it to sign in to the same Nagaris account, which is a handy fallback if email codes ever give you trouble.
The Two-Factor Authentication card shows an Enabled or Disabled badge, and when enabled, how many backup codes you have remaining.
Enable Two-Factor Authentication starts setup: scan the QR code on Set Up Authenticator App with your authenticator app (e.g. Google Authenticator, Authy, 1Password) — or copy the secret shown below it — then click I've scanned the code, enter the 6-digit code on Verify Authenticator and click Verify & Enable. Nagaris then shows Two-Factor Authentication Enabled with your backup codes; use Copy or Download to save them before clicking Done.
Regenerate Backup Codes asks for a current authenticator code, then invalidates all existing backup codes and issues a new set. Do this if you've used most of your codes or aren't sure where the old ones are.
Disable asks for a current authenticator code to confirm, then removes the requirement. You'll see Two-factor authentication has been disabled.
The SMS Verification card works the same way for text-message codes. When enabled, it shows which number codes are sent to (partially masked).
Enable SMS Verification opens Set Up SMS Verification — enter your mobile number, click Send Code, then confirm the 6-digit code on Verify Your Mobile with Verify & Enable. If SMS is your first MFA method you'll also be shown backup codes to save.
Disable first texts a code to your registered number (Text me a code), then confirms with Disable SMS.
The Passkeys card lists every passkey on your account with its name, when it was added and when it was last used. Passkeys give you fast, passwordless sign-in using your device's biometrics or a security key.
Add Passkey opens Name Your Passkey (e.g. MacBook Touch ID) — click Continue and approve your device's prompt.
The menu next to each passkey offers Rename and Delete. Deleting shows a confirmation — You won't be able to use it to sign in any more.
Register a passkey on each device you regularly use; a passkey on your office iMac can't unlock your laptop.
Because accounting data is sensitive, Nagaris locks your session after 15 minutes of inactivity (your firm's configuration may vary). You'll see Your Session Is Locked with your name and email, and can unlock without a full sign-in:
Unlock With Passkey — if you have a passkey registered on this device.
Unlock With Code — enter a 6-digit code from your authenticator app.
If you have neither on this browser, the screen says No unlock method is available for this browser. Please sign out and sign back in to continue. The lock screen also counts down to an automatic sign-out — after 30 minutes of total inactivity Nagaris signs you out entirely and you'll need to sign in again. This behaviour helps meet the security requirements that apply to software handling Australian tax data.
Backup codes are single-use. When the Two-Factor Authentication card shows you're running low, regenerate a fresh set.
If you lose access to all of your MFA methods and backup codes, contact support to have MFA reset on your account.