ATX Community

Multi-factor authentication: Key protection to tax professionals’ security arsenal now required


Elrod


IR-2024-201, Aug. 6, 2024

WASHINGTON — The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it’s now a federal requirement.

https://www.irs.gov/newsroom/multi-factor-authentication-key-protection-to-tax-professionals-security-arsenal-now-required

  • Like 4

2 hours ago, Abby Normal said:

Surely they can't mean to access our own software on our own computers, but they don't make that clear.

That is exactly what they mean - IR 2024-201

Edited by jklcpa
corrected IR from "21" to "201"
  • Like 1

Elrod's link in the original post does go directly to IRS' IR 2024-201, and for those that don't like links or won't search for yourselves, here is the text:


Multi-factor authentication: Key protection to tax professionals’ security arsenal now required

Week 5 of Protect Your Clients; Protect Yourself series focuses on strengthening account security

IR-2024-201, Aug. 6, 2024

WASHINGTON — The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it’s now a federal requirement.

All tax professionals are now required under the Federal Trade Commission’s safeguards rule to use multi-factor authentication, or MFA, to protect clients’ sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device.

“Multi-factor authentication is now more than just a good idea for tax professionals; it’s a requirement,” said IRS Commissioner Danny Werfel. “This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multi-factor authentication is a little like a deadbolt on a door; it’s additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients.”

This is the fifth week of an eight-part Protect Your Clients; Protect Yourself summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.

Security is a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component is featured at the three-day continuing education events. The forums continue the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Baltimore and Dallas forums, as San Diego has already sold out.

In upcoming weeks, the news release series and the IRS Tax Forums will provide timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves.

A key part of tax pro security now revolves around MFA. The extra layers of different authentication factors include something only a user knows, like a username and password; something they have, like a token or random number sequence sent to their cell phone; or something unique, like biometric information. These provide extra assurance that a tax pro’s client, not an impostor, is gaining access.

The Summit partners noted that implementing MFA is one of the most cost-effective ways to increase security and reduce a tax pro’s fraud and data breach risks. Once in place, MFA helps protect against phishing, social engineering and other types of technology attacks that exploit weak or stolen passwords.

Common MFA examples

The general public makes wide use of MFA these days, so tax pro clients shouldn’t be surprised by the extra scrutiny asked of them.

For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor along with a PIN or password for app-level MFA.

Many online banks, financial applications and payroll services use MFA to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers.

In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that, to sign in, they will first log in with an email address and password, then receive a one-time passcode by text or call to one’s chosen device and finally enter the passcode into the account to complete sign-in. A bad actor cannot access one’s account without also having their passcode.

MFA required by law

Under the new FTC MFA rules, there’s a requirement to use at least two of the following factors for anyone accessing customer information: something a user knows like a username; something sent to them like numbers texted to a cell phone; or a physical part of them like a fingerprint or facial scan.

In addition, MFA should be used to secure client information on a tax pro’s computer or network, but it should also be used to access client information stored within their tax preparation software. MFA is required by law for all companies – not just tax professionals. The size of the company does not matter. Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules.

Best implementation practices

Tax pros should implement MFA across all their services and data access points.

In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected against the latest threats, and they should offer a variety of authentication factors to suit the needs of different users.

Finally, tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames.

Additional resources

If a tax pro or their firm are the victim of data theft, they should:

Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and assist tax pros through the process.

Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special Report a Data Breach.

Review Publication 5293, Data Security Resource Guide for Tax Professionals PDF, which provides an overview and resources about how to avoid data theft.

Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data PDF, and the IRS' Identity theft information page for tax pros.

Read Small Business Information Security: The Fundamentals PDF, by the National Institute of Standards and Technology.

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.


  • Like 2

23 minutes ago, Abby Normal said:

How are we going to use MFA to access PDFs of client data on our drives? Totally unrealistic.

I assume that you would turn on MFA for logging into your Win 10 or Win 11 system.

With Drake I can password encrypt the PDFs of tax return copies.


I was just now reading about this through Tax Talk News and am scratching my head on how to manage. So as a sole practitioner I have to use 2FA to access a pdf file on my computer? I have to text myself, call myself or email myself every time I want to look at a client file?

My computer is password protected, as is the ATX software, but I don't have each client pw protected as I am the only user. If so, how do I confirm to myself that I am me, the authorized user?

I realize that I will have to do something more now with Verifyle but my clients are not going to like it. At least I know it is an option so will have to read up on how to implement for myself and for each client.

Retirement is REALLY looking better all the time! I'm getting too tired of soooo many hoops....

  • Like 6

4 hours ago, Lee B said:

I assume that you would turn on MFA for logging into your Win 10 or Win 11 system.

With Drake I can password encrypt the PDFs of tax return copies.

I used to password protect my PDFs but it was a PITA to open them, and I mostly did that just to email them. Even if Windows had password protected folders, there's still no way to add MFA to that process, unless Windows creates it.

  • Like 2

19 hours ago, Abby Normal said:

I sure hope I can use an authenticator on my phone and not rely on getting a text.

Using an authenticator is so simple - hope Drake implements that as an option. I've got 3 on my phone and they all work perfectly and easily. I do always wonder what happens if I lose my phone.

  • Like 1

I also have an authenticator on my phone which I was required by the bank to have for my position as church treasurer. It turns out that OH|ID was added to the list. I don't recall that it was an option to select when I set that up (I tend to forget too much these days) so it must be possible to keep adding those that offer or require this. Yes?

I, too, wonder about losing or even changing my phone. It's a Pixel 4a so kind of old but I love the smaller size. There are very few available now that I can comfortably hold in my hand but I know I need a newer phone soon!

  • Like 2

52 minutes ago, Margaret CPA in OH said:

so it must be possible to keep adding those that offer or require this. Yes?

Yes you can have multiple programs / websites that use the same authenticator. I have 2 of them that use Okta. I'll ask my wife about replacing the phone, she just bought a new one and had to work through all that. She's literally taking a work test at the moment and would reach through the phone and choke me if I called.

  • Like 1
  • Thanks 1

My phone is usually in my purse in the bedroom. It's time consuming to retrieve it and fire it up when my software asks me to type in a code they sent to my cell. What is an authenticator? Is it an app for my phone? I guess I'll have to glue my phone to my hip.

  • Like 1

I hear you! I HATE having to have my phone at my fingertips all the time. I try to remember that I'm adding steps. Yes, my authenticator is a phone app but I don't have to use it often so am prepared to have the phone available. My choice was to use my fingerprint which is how I protect my phone. It can get annoying but I now automatically pick it up with my left hand and my fingertip goes right to the spot.

I still have a landline for my business and will keep it until I retire. I leave my cell on vibrate and the sound off about 90% of the time. It annoys some folks trying to reach me because they have to leave a message. And I don't answer unidentified calls on either phone. Since I don't have every contact ever in my cell, lots of calls are unidentified and not all callers leave a message. Also my cell isolates identified spam calls very effectively.

  • Like 3

It's good to hear that someone else has had a good experience with authenticators.

I tried using Google's authenticator to sign in into my gmail account.

It was a very frustrating experience, sometimes waiting as long as 10 minutes for the authenticator to respond.

Currently, I rely on PINs texted to my phone or emailed to me.


46 minutes ago, Lion EA said:

My phone is usually in my purse in the bedroom. It's time consuming to retrieve it and fire it up when my software asks me to type in a code they sent to my cell. What is an authenticator? Is it an app for my phone? I guess I'll have to glue my phone to my hip.

An authenticator is an APP on your phone and you either go to it, look at the 4-digit code and then enter it (basically the same as a text) or the app pops up on your phone asking you to verify it's you trying to log into the software. With that you just hit "yes".

  • Like 4
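For anyone wondering what the app is actually doing when it shows a code, and what happens to that code if the phone is lost: the code is computed from a shared secret (the thing the QR code carried at enrollment) and the current time, per RFC 6238 TOTP, and the site keeps its own copy of that secret. The block below is an added illustration written for this thread; it is not code from Drake, ATX, Okta, Google Authenticator or any other product named above. The test secret is the RFC 6238 sample, the timestamps are constructed, and the recovery-code format is an assumption, not how any particular vendor does it. It shows the code generation, the server-side check with a one-step clock-skew window so a code cannot simply be replayed minutes later, and single-use recovery codes for the lost-phone case.

```python
"""RFC 6238 TOTP (the code an authenticator app shows) plus single-use recovery codes.

Added example for this discussion; not code from any tax software or authenticator
vendor. Secret values and timestamps used below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per code; the usual authenticator default
DIGITS = 6   # most apps display six digits


def totp(secret_b32: str, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the TOTP code for a base32 shared secret at a given Unix time.

    Both the app and the server run exactly this over the same secret, which is why
    a second phone enrolled with the same secret shows the same code.
    """
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step                      # time step number
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours.

    The small window tolerates clock drift between phone and server; anything
    older is rejected, so a code captured a few minutes ago is useless.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * STEP)
        if hmac.compare_digest(candidate, code):    # constant-time compare
            return True
    return False


def make_recovery_codes(n: int = 8):
    """Generate single-use recovery codes for the lost-phone case.

    Returns (plaintext codes to hand to the user once, set of hashes to store).
    Codes are 64 random bits, so a fast hash is adequate for storage; a
    user-chosen password would need a slow KDF instead.
    """
    codes = [secrets.token_hex(8) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code: succeeds once, then that code is gone for good."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.discard(h)
        return True
    return False


if __name__ == "__main__":
    # Enrollment: this base32 string is what the QR code carries to the app.
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    now = int(time.time())
    code = totp(secret, now)
    print("authenticator shows:", code)
    print("server accepts now:", verify_totp(secret, code, now))
    print("same code replayed 2 minutes later:", verify_totp(secret, code, now + 120))
    codes, stored = make_recovery_codes()
    print("first recovery code redeemed:", redeem_recovery_code(stored, codes[0]))
    print("same recovery code again:", redeem_recovery_code(stored, codes[0]))
```

Two practical consequences follow from the code: losing the phone does not lose the account as long as the site still holds the secret and you have either a second enrolled device or an unused recovery code, and moving to a new phone means re-enrolling (scanning a fresh QR code or transferring the secret with the app's own export), not copying the six-digit numbers.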

4 hours ago, mcbreck said:

Using an authenticator is so simple - hope Drake implements that as an option. I've got 3 on my phone and they all work perfectly and easily. I do always wonder what happens if I lose my phone.

Drake has had this for years. You just need to turn it on in the settings and set up the app with Drake through your phone.

  • Like 3

17 hours ago, jklcpa said:

Drake has had this for years. You just need to turn it on in the settings and set up the app with Drake through your phone.

ohhh, I didn't know they allowed an authenticator. Thanks.

  • Like 1

On 8/7/2024 at 5:26 PM, Lee B said:

IMHO, the key thing is to enable 2FA or passwordless login for my computer system.

Just watched a MS webcast about this and I am going to try using "Windows Hello"

The safest computer level protection is a BIOS/boot password. That process stops brute force because of limiting attempts before a waiting period. Coupled with BitLocker and hibernate instead of sleep, you have the best practical protection available. Phone as second method is silly as it is still easy to spoof or steal phone accounts. Protect the device and the second factor is moot (use the least obtrusive).

  • Like 3
