Elrod, posted August 7:

IR-2024-201, Aug. 6, 2024

WASHINGTON — The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it’s now a federal requirement.

https://www.irs.gov/newsroom/multi-factor-authentication-key-protection-to-tax-professionals-security-arsenal-now-required

Abby Normal, posted August 7:

Surely they can't mean to access our own software on our own computers, but they don't make that clear.

Lee B, posted August 7 (edited):

2 hours ago, Abby Normal said:
> Surely they can't mean to access our own software on our own computers, but they don't make that clear.

That is exactly what they mean - IR 2024 - 201

(Edited August 7 by jklcpa: corrected IR from "21" to "201")

jklcpa, posted August 7:

Elrod's link in the original post does go directly to IRS' IR 2024-201, and for those that don't like links or won't search for yourselves, here is the text:

Multi-factor authentication: Key protection to tax professionals’ security arsenal now required

Week 5 of Protect Your Clients; Protect Yourself series focuses on strengthening account security

IR-2024-201, Aug. 6, 2024

WASHINGTON — The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it’s now a federal requirement.

All tax professionals are now required under the Federal Trade Commission’s safeguards rule to use multi-factor authentication, or MFA, to protect clients’ sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device.

“Multi-factor authentication is now more than just a good idea for tax professionals; it’s a requirement,” said IRS Commissioner Danny Werfel. “This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multi-factor authentication is a little like a deadbolt on a door; it’s additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients.”

This is the fifth week of an eight-part Protect Your Clients; Protect Yourself summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.

Security is a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component is featured at the three-day continuing education events. The forums continue the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Baltimore and Dallas forums, as San Diego has already sold out.

In upcoming weeks, the news release series and the IRS Tax Forums will provide timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves.

A key part of tax pro security now revolves around MFA. The extra layers of different authentication factors include something only a user knows, like a username and password; something they have, like a token or random number sequence sent to their cell phone; or something unique, like biometric information. These provide extra assurance that a tax pro’s client, not an impostor, is gaining access.

The Summit partners noted that implementing MFA is one of the most cost-effective ways to increase security and reduce a tax pro’s fraud and data breach risks. Once in place, MFA helps protect against phishing, social engineering and other types of technology attacks that exploit weak or stolen passwords.

Common MFA examples

The general public makes wide use of MFA these days, so tax pro clients shouldn’t be surprised by the extra scrutiny asked of them. For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor along with a PIN or password for app-level MFA.

Many online banks, financial applications and payroll services use MFA to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers.

In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that, to sign in, they will first log in with an email address and password, then receive a one-time passcode by text or call to one’s chosen device and finally enter the passcode into the account to complete sign-in. A bad actor cannot access one’s account without also having their passcode.

MFA required by law

Under the new FTC MFA rules, there’s a requirement to use at least two of the following factors for anyone accessing customer information: something a user knows like a username; something sent to them like numbers texted to a cell phone; or a physical part of them like a fingerprint or facial scan.

In addition, MFA should be used to secure client information on a tax pro’s computer or network, but it should also be used to access client information stored within their tax preparation software.

MFA is required by law for all companies – not just tax professionals. The size of the company does not matter. Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules.

Best implementation practices

Tax pros should implement MFA across all their services and data access points. In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected against the latest threats, and they should offer a variety of authentication factors to suit the needs of different users. Finally, tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames.

Additional resources

If a tax pro or their firm are the victim of data theft, they should:

- Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and assist tax pros through the process.
- Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special Report a Data Breach.

Review Publication 5293, Data Security Resource Guide for Tax Professionals PDF, which provides an overview and resources about how to avoid data theft.

Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data PDF, and the IRS' Identity theft information page for tax pros.

Read Small Business Information Security: The Fundamentals PDF, by the National Institute of Standards and Technology.

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.

Abby Normal, posted August 7:

2 hours ago, Lee B said:
> That is exactly what they mean - IR 2024 - 201

Greeeaat. I'm sure ATX will implement this flawlessly. I sure hope I can use an authenticator on my phone and not rely on getting a text from ATX.

Abby Normal, posted August 7:

How are we going to use MFA to access PDFs of client data on our drives? Totally unrealistic.

Lee B, posted August 7:

23 minutes ago, Abby Normal said:
> How are we going to use MFA to access PDFs of client data on our drives? Totally unrealistic.

I assume that you would turn on MFA for logging into your Win 10 or Win 11 system. With Drake I can password encrypt the PDFs of tax return copies.

Margaret CPA in OH, posted August 7:

I was just now reading about this through Tax Talk News and am scratching my head on how to manage. So as a sole practitioner I have to use 2FA to access a pdf file on my computer? I have to text to myself or call myself or email myself every time I want to look at a client file? My computer is password protected as is the ATX software but I don't have each client pw protected as I am the only user. If so, how do I confirm to myself that I am me, the authorized user?

I realize that I will have to do something more now with Verifyle but my clients are not going to like it. At least I know it is an option so will have to read up on how to implement for myself and for each client.

Retirement is REALLY looking better all the time! I'm getting too tired of soooo many hoops....

Abby Normal, posted August 7:

4 hours ago, Lee B said:
> I assume that you would turn on MFA for logging into your Win 10 or Win 11 system. With Drake I can password encrypt the PDFs of tax return copies.

I used to password protect my PDFs but it was a PITA to open them, and I mostly did that just to email them. Even if Windows had password protected folders, there's still no way to add MFA to that process, unless Windows creates it.

Margaret CPA in OH, posted August 8:

I, too, used to password protect pdf copies of returns before using Verifyle. Now Verifyle requires the client to access with email and password but has 2fa as an option which I will look into soon. Sigh....

Lee B, posted August 8:

IMHO, the key thing is to enable 2FA or passwordless login for my computer system. Just watched a MS webcast about this and I am going to try using "Windows Hello"

BrewOne, posted August 8:

Kind of funny, for 2022 and 2023 in ATX when I checked the box for 2FA, all it did was require 2FA when I downloaded the software. Obviously that is not in compliance.

mcbreck, posted August 8:

19 hours ago, Abby Normal said:
> I sure hope I can use an authenticator on my phone and not rely on getting a text.

Using an authenticator is so simple - hope Drake implements that as an option. I've got 3 on my phone and they all work perfectly and easily. I do always wonder what happens if I lose my phone.

Margaret CPA in OH, posted August 8:

I also have an authenticator on my phone which I was required by the bank to have for my position as church treasurer. It turns out that OH|ID was added to the list. I don't recall that it was an option to select when I set that up (I tend to forget too much these days) so it must be possible to keep adding those that offer or require this. Yes?

I, too, wonder about losing or even changing my phone. It's a Pixel 4a so kind of old but I love the smaller size. There are very few available now that I can comfortably hold in my hand but I know I need a newer phone soon!

mcbreck, posted August 8:

52 minutes ago, Margaret CPA in OH said:
> so it must be possible to keep adding those that offer or require this. Yes?

Yes you can have multiple programs / websites that use the same authenticator. I have 2 of them that use Okta. I'll ask my wife about replacing the phone, she just bought a new one and had to work through all that. She's literally taking a work test at the moment and would reach through the phone and choke me if I called.

Lion EA, posted August 8:

My phone is usually in my purse in the bedroom. It's time consuming to retrieve it and fire it up when my software asks me to type in a code they sent to my cell. What is an authenticator? Is it an app for my phone? I guess I'll have to glue my phone to my hip.

Margaret CPA in OH, posted August 8:

I hear you! I HATE having to have my phone at my fingertips all the time. I try to remember that I'm adding steps. Yes, my authenticator is a phone app but I don't have to use it often so am prepared to have the phone available. My choice was to use my fingerprint which is how I protect my phone. It can get annoying but I now automatically pick it up with my left hand and my fingertip goes right to the spot.

I still have a landline for my business and will keep it until I retire. I leave my cell on vibrate and the sound off about 90% of the time. It annoys some folks trying to reach me because they have to leave a message. And I don't answer unidentified calls on either phone. Since I don't have every contact ever in my cell, lots of calls are unidentified and not all callers leave a message. Also my cell isolates identified spam calls very effectively.

Lee B, posted August 8:

It's good to hear that someone else has had a good experience with authenticators. I tried using Google's authenticator to sign in to my Gmail account. It was a very frustrating experience, sometimes waiting as long as 10 minutes for the authenticator to respond. Currently, I rely on PINs texted to my phone or emailed to me.

mcbreck, posted August 8:

46 minutes ago, Lion EA said:
> My phone is usually in my purse in the bedroom. It's time consuming to retrieve it and fire it up when my software asks me to type in a code they sent to my cell. What is an authenticator? Is it an app for my phone? I guess I'll have to glue my phone to my hip.

An authenticator is an APP on your phone and you either go to it, look at the 4 digit code and then enter it (basically the same as a text) or the app pops up on your phone asking you to verify it's you trying to log into the software. With that you just hit "yes".

Lee B, posted August 8:

I have read that with some programs if your cell phone is synced then as long as your cell phone is on and nearby then you are allowed to log in.

Margaret CPA in OH, posted August 8:

The authenticator I use provides a 6 digit code so your mileage must vary.

jklcpa, posted August 8:

4 hours ago, mcbreck said:
> Using an authenticator is so simple - hope Drake implements that as an option. I've got 3 on my phone and they all work perfectly and easily. I do always wonder what happens if I lose my phone.

Drake has had this for years. You just need to turn it on in the settings and set up the app with Drake through your phone.

mcbreck, posted August 9:

17 hours ago, jklcpa said:
> Drake has had this for years. You just need to turn it on in the settings and set up the app with Drake through your phone.

ohhh, I didn't know they allowed an authenticator. Thanks.

jklcpa, posted August 9:

9 minutes ago, mcbreck said:
> ohhh, I didn't know they allowed an authenticator. Thanks.

Drake's program uses only authenticators. It doesn't email any codes, if that is what you were thinking. Here's the complete setup:

https://drakesoftware.com/Site/Browse/15895/Drake-Tax-MultiFactor-Authentication-Drake18-and-Future

Medlin Software, Dennis, posted August 9:

On 8/7/2024 at 5:26 PM, Lee B said:
> IMHO, the key thing is to enable 2FA or passwordless login for my computer system. Just watched a MS webcast about this and I am going to try using "Windows Hello"

The safest computer level protection is a BIOS/boot password. That process stops brute force because of limiting attempts before a waiting period. Coupled with BitLocker and hibernate instead of sleep, you have the best practical protection available.

Phone as second method is silly as it is still easy to spoof or steal phone accounts. Protect the device and the second factor is moot (use the least obtrusive).