Lee B (August 9): The Microsoft webcast that I watched said that basic 2FA with either PINs texted to your phone or emailed to you is 99+% effective. According to the webcast, most hackers aren't that sophisticated, and the sophisticated hackers aren't going to spend their time on a single account.
Catherine (August 12): The requirement for MFA means people will turn back to sending us sensitive documents by plaintext email, readable in transit. Or text messages. I'll be retiring faster.
Yardley CPA (August 12): Did the IRS provide any statistics on the number of breaches that occurred in the past that caused concern and made them implement this requirement? While there is something to be said for being proactive, requiring MFA seems excessive if you already have security parameters in place.
Lee B (August 12): Copied from IRS News Release 2024-32: "The Federal Trade Commission's safeguards rule now mandates that all tax professionals use multi-factor authentication, or MFA, to secure sensitive client data."
Lee B (August 12): 43 minutes ago, Lee B said: Copied from IRS News Release 2024-32: "The Federal Trade Commission's safeguards rule now mandates that all tax professionals use multi-factor authentication, or MFA, to secure sensitive client data."

To clarify, this is the IRS implementation of the FTC's Safeguards Rule.
Abby Normal (August 12): On 8/8/2024 at 2:27 PM, Margaret CPA in OH said: The authenticator I use provides a 6 digit code, so your mileage must vary.

Both my Google Authenticator and my Microsoft Authenticator provide 6 digit codes. I hope they provide desktop versions of these, because it's convenient to copy and paste the code on the phone. Might not be deemed secure enough to have on desktop, though.
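Added example, not code from anyone in this thread: a minimal RFC 6238 TOTP generator and verifier in Python, showing how the 6 digit code an authenticator app displays is derived from a shared secret and the current 30-second time step. Because both the app and the server compute it locally, there is no message to wait for, which is the difference from texted or emailed PINs discussed above. The secret used is the RFC 6238 test-vector key (constructed for the example, not a real account); the `last_used` replay bookkeeping in `verify_totp` is this example's own server-side design choice and not a documented feature of any particular authenticator or vendor.

```python
"""RFC 6238 TOTP as used by Google/Microsoft Authenticator-style apps.

Added example. The secret below is the RFC 6238 SHA-1 test key, not a real
account; the server-side replay check (last_used) is this example's own design.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed: the RFC 6238 test secret "12345678901234567890" in base32, the
# form an authenticator app receives when it scans an enrolment QR code.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating the '=' padding that QR codes omit."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """The code the app shows at Unix time `at`: HOTP over the time-step number.
    Nothing is sent or received; the phone only needs a roughly correct clock."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched time-step counter, or None.

    `window` accepts codes from adjacent steps to absorb clock drift and the
    time it takes to type the code. Any counter not strictly newer than
    `last_used` is refused, so a code captured in transit or read off a screen
    cannot be replayed inside its validity window; the caller stores the
    returned counter as the new `last_used` for that user.
    """
    key = decode_secret(secret_b32)
    current = at // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used:
            continue
        # constant-time compare: the code is a short secret, do not use ==
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print("current code:", code, "valid for", 30 - now % 30, "more seconds")
    print("accepted at step:", verify_totp(RFC6238_SECRET_B32, code, now))
```

The RFC 6238 Appendix B vectors are a convenient self-check: with the secret above, the 6-digit code at Unix time 59 is 287082 (the RFC lists the 8-digit form 94287082). A server that skips the `last_used` step still has correct math but lets one intercepted code be used twice within the window.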
Medlin Software, Dennis (August 16): Was just asked by a customer. My reply is since our software is on their computer, they control access to all the software on their computer. (Especially since we do not require constant internet connection!) So any need to prevent access, whether you call it MFA or (what is now un)common sense, things like a PIN, Windows password, Windows Hello, and best a BIOS password are available.
Medlin Software, Dennis (August 17): Terrible spell check/human check. Was just asked by a customer. My reply is since our software is on their computer, they control access to all the software on their computer. (Especially since we do not require constant internet connection!) Any need to prevent access, whether you call it MFA or (what is now un)common sense, things like a PIN, Windows password, Windows Hello, and most importantly a BIOS password, are available to anyone, without needing a second device, SMS message, or an authenticator. SMS is not secure at all; phones can still be spoofed, and many phone accounts can be outright stolen.
Lee B (August 17): Yes, SMS is not secure, and phones can be spoofed and phone accounts can be stolen. However, based on tech articles I have read, 2FA using PINs texted or emailed will stop 98 or 99% of all attempted hacks, which is good enough.
Medlin Software, Dennis (August 17): 5 minutes ago, Lee B said: Yes, SMS is not secure, and phones can be spoofed and phone accounts can be stolen. However, based on tech articles I have read, 2FA using PINs texted or emailed will stop 98 or 99% of all attempted hacks, which is good enough.

Self-protection is even better. I have found zero known hacks of a device protected by BitLocker, boot password, and properly powered off or hibernated. There are many, many cases of things like SMS PINs and phones being compromised. Plus, the Safeguards Rule mentions, and maybe requires, encryption anyway.
Abby Normal (August 18): This looks useful for password protecting our folders of client records and tax returns. https://www.wisecleaner.com/wise-folder-hider.html
Medlin Software, Dennis (September 9): Here is what I came up with. https://medlin.com/misc/security/

Notice the FTC rules have three points; any 2 can be used to meet their requirements. None of the three require any sort of third-party authentication; all can be self-managed. There is no requirement to individually protect a set of data; protecting all of your data at once, such as with BitLocker, suffices. What I suggest (using all three FTC "points") also meets common sense, as it means you can let someone access your device, knowing they are not getting in with any reasonable means (and still no known BitLocker hacks have been made public). The KEY is to power off or hibernate your computer, NEVER use sleep mode.

It had been a few years since we stayed in a hotel, so when we recently did, I researched and found out hotel in-room safes are not (safe), so I went with locking the device to a large piece of furniture and powering it off. With my device now hibernating when my phone is not within short range, even a straight-up snatch/grab does not worry me. I also use a very short timeout, short enough that a thief will not likely try it before it hibernates.

If you have your data online/cloud, then you may need to do more, such as some sort of trusted security method from the storage provider. This assumes your locale and other subject rules even allow you to not have data in your personal control within the jurisdiction you have nexus in. (At least one local jurisdiction required payroll and accounting data, IIRC, to be kept under the responsible party's control, within their jurisdiction. This is a local attempt by local politicians to prove to their constituents they are doing something about data theft.)
TAXMAN (September 13): I must be as dumb as a box of rocks. ATX requires a user name and password to get into the program. Do I have to assign a password to each client? I am a 1 person self-employed office. Ideas please?
Medlin Software, Dennis (September 13): 6 minutes ago, TAXMAN said: I must be as dumb as a box of rocks. ATX requires a user name and password to get into the program. Do I have to assign a password to each client? I am a 1 person self-employed office. Ideas please?

For compliance, you do not need to protect each set of data individually. The things I suggest on my web site are compliant and can be self-managed. They are also good enough for all to use, going beyond the requirements (because of not using sleep mode). A username and password for an app is NOT compliant, as it is only one part. If you use the methods I suggest, you will be compliant and not need to have a password per app (unless you want to). Be aware, if your app stores non-encrypted data online, you may want/need to take additional steps.
Lee B (September 13): 29 minutes ago, TAXMAN said: I must be as dumb as a box of rocks. ATX requires a user name and password to get into the program. Do I have to assign a password to each client? I am a 1 person self-employed office. Ideas please?

You will need to check with ATX as to how they will meet the 2FA requirements for the coming tax season. It looks like Drake will be requiring the use of an authenticator app.
Medlin Software, Dennis (September 13): 51 minutes ago, Lee B said: You will need to check with ATX as to how they will meet the 2FA requirements for the coming tax season. It looks like Drake will be requiring the use of an authenticator app.

Definitely true to have some sort of app-level protection if there is an online aspect. If all data is local, then requiring extra auth (beyond a license check to see if you are paid) is overkill, assuming you self-protect for compliance. Meaning if the data is in your control, but the vendor required some secondary process to access their "software", then that secondary process adds nothing and does not ensure compliance. The data sitting on your computer is not protected unless it is scrambled and secured by the app, or you have done whole-computer protection.
mcb39 (September 15): I can honestly say that as I am just recovering from a bad pneumonia, I totally don't GET it. I am turning the corner now, though, so may be able to figure it out.
Lee B (September 15): I have read several articles that say Gmail will require MFA effective September 30th. That means that password-only login to Gmail will stop working. I have already switched. Most of the time it works quickly. Sometimes on weekends, I have had to wait more than 5 minutes before I can access Gmail.
Abby Normal (September 16): 22 hours ago, Lee B said: have had to wait more than 5 minutes before I can access Gmail

If you use an authenticator app, you don't have to wait. I've had MFA since 2016, but I set my computers to be trusted so I almost never need to enter the 2nd code. But maybe they're eliminating the option to "trust this device" so we have to enter the code every time?
Lee B (September 16): 11 minutes ago, Abby Normal said: If you use an authenticator app, you don't have to wait. I've had MFA since 2016, but I set my computers to be trusted so I almost never need to enter the 2nd code. But maybe they're eliminating the option to "trust this device" so we have to enter the code every time?

I am using Google's authenticator app. No code required. Entering a code or PIN is considered to be a lower level of security, which according to Google is not allowed.
Sara EA (September 17): UltraTax has had MFA since the beginning of the year. It's no big deal and takes maybe 15 seconds extra to log in. The big deal is that we only have one cell phone for the office, so everyone had to give Thomson Reuters their personal cell numbers.
Corduroy Frog (September 17): More and more people are wanting to bail out of this electronic age. As the identity theft becomes more astute, websites/providers are having to put up more hoops to jump through all the time. Many folks are going back to simply writing checks and putting them in the mail, and looking for alternatives to electronic obstacle-dodging.
Gail in Virginia (September 17): 9 hours ago, Corduroy Frog said: More and more people are wanting to bail out of this electronic age. As the identity theft becomes more astute, websites/providers are having to put up more hoops to jump through all the time. Many folks are going back to simply writing checks and putting them in the mail, and looking for alternatives to electronic obstacle-dodging.

The problem with going back to writing checks and putting them in the mail is that the mail is becoming more and more unreliable, at least where I live. When it sometimes takes 3 WEEKS or more for a check to arrive where you mail it, you cannot rely on that method to pay bills on time. And we have had problems with mail being stolen from not just personal mail boxes but from the blue boxes that belong to the postal service. So what are you going to do?
Lee B (September 17): 1 hour ago, Gail in Virginia said: The problem with going back to writing checks and putting them in the mail is that the mail is becoming more and more unreliable, at least where I live. When it sometimes takes 3 WEEKS or more for a check to arrive where you mail it, you cannot rely on that method to pay bills on time. And we have had problems with mail being stolen from not just personal mail boxes but from the blue boxes that belong to the postal service. So what are you going to do?

I totally agree. I rarely write a check for either business or personal bills unless there is no other option, and then I use my bank's bill paying service.
Randall (September 17): I still have questions about this.

First, if the tax software has MFA to access the software (currently I think ATX has only the password), what happens to the Program Files and Program Data that the software stores on my C drive? Isn't that still subject to hackers without opening my software?

Second, if I get an MFA app, once I'm into my computer, isn't my computer subject to any of the hacking out there in cyberville? And how can I trust a 3rd party app any more than my own computer?

Third, does Microsoft have something like this through their OS? I'm just wondering why I would need to send myself a code by text to my cell phone in order to access my own computer. And once I have access to my own computer, isn't my computer susceptible to any online hacking that might be going on?

I'm just a one person office, no staff. I turn my computer off every night. I come in the next day, use a key for the outside door of the building, use a second key for the inside door of my office, then turn on my computer, enter the password. Isn't that MULTI-FACTOR??? That unlocks the computer and my C drive. I have a second password for a second hard drive (where I store my pdf files and scanned client documents). But the software (ATX) I let install where it installs (the C drive), and I let the software program files and program data install where their software tells it to (the C drive). I learned long ago not to mess with changing this.