IRS Mandates Multi-Factor Authentication
IRS Mandates Multi-Factor Authentication
Requirements for Tax Preparers
August 6, 2024 - The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now a federal requirement in protecting their businesses and their clients from cyber theft.
All tax professionals are now required under the Federal Trade Commission’s safeguards rule to use multi-factor authentication, or MFA, to protect clients’ sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device.
The extra layers of different authentication factors include something only a user knows, like a username and password; something they have, like a token or random number sequence sent to their cell phone; or something unique, like biometric information. These provide extra assurance that a tax pro’s client, not an impostor, is gaining access.
Need Help Complying with IRS Requirements?
Contact MTAP's Cybersecurity Experts
More Info on RCC Here
Common Multi-Factor
Authentication (MFA) Examples
The general public makes wide use of MFA these days, so tax pro clients shouldn’t be surprised by the extra scrutiny asked of them.
For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor along with a PIN or password for app-level MFA.
Many online banks, financial applications and payroll services use MFA to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers.
In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that, to sign in, they will first log in with an email address and password, then receive a one-time passcode by text or call to one’s chosen device and finally enter the passcode into the account to complete sign-in. A bad actor cannot access one’s account without also having their passcode.
MFA Required by Law
Under the new FTC MFA rules, there’s a requirement to use at least two of the following factors for anyone accessing customer information:
1. something a user knows like a username or numbers texted to a cell phone; or
2. a physical part of them like a fingerprint or facial scan.
In addition, MFA should be used to secure client information on a tax pro’s computer or network, but it should also be used to access client information stored within their tax preparation software. MFA is required by law for all companies – not just tax professionals. The size of the company does not matter.
Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules.
Best Implementation Practices:
Tax pros should implement MFA across all their services and data access points.
In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected against the latest threats, and they should offer a variety of authentication factors to suit the needs of different users.
Finally, tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames.
Additional Resources
If a tax pro or their firm are the victim of data theft, they should:
- Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and assist tax pros through the process.
- Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special “Report a Data Breach.”
- Review Publication 5293, Data Security Resource Guide for Tax Professionals, which provides an overview and resources about how to avoid data theft.
- Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and the IRS' Identity theft information page for tax pros.
- Read Small Business Information Security: The Fundamentals, by the National Institute of Standards and Technology.
Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.