Jump to content
ATX Community

Multi-factor authentication: Key protection to tax professionals’ security arsenal now required


Recommended Posts

Posted

Yes, I am tired of protecting myself from myself.  I am tired of running to get my cellphone because someone is sending me a code to get into a site.  I, too, am a sole proprietor with my office in an addition built on to my home.  Nobody does or has any reason to go anywhere near my work computer.  My husband, who is the only other human living in this house, doesn't even know or want to know how to turn it on.  There are two other computers in the original part of the office on which we do data entry, bookkeeping, look things up, etc.  My office door to the outside has a double lock and a deadbolt.  My filing cabinet has a lock.  My main desk has a lock.  My computer has a password; my cellphone has a password.  My safe has a key.  We even shut the watermain off when we leave for the weekend.  How safe is safe??  Oh, my outside dropbox also is under lock and key.

  • Like 3
  • Haha 1
Posted

Even with the FTC requirement, one can still self-manage. MFA is not required, there are other options. But, when the data is not in your direct control (online), things like MFA become reasonable if the software creating said data does not "do" something else, such as self-managed encryption.

The other issues. Computers and software are now appliances. They are expected to do all for you with a button push. Learning how to use computers and software is not something people expect to have to do. Thus, a huge part of programming is preventing human actions from causing issues - rather than the user having any responsibility. So a company which stores your data online is not going to want to let you self-manage since they will not want to deal with customers who have forgotten their security code, login, etc. This is where MFA makes it easier for the vendor (with only a tiny fraction of security) since all you need is access to a device or email account (which even a new scammer can get/spoof easier than the public believes).

Then, we deal with those we elect who want to "do" something to prove their worth, such as the myriads of local "protection" laws, which do not even make sense (such as requiring data to be kept in the control of the owner, within the local jurisdiction, so no online storage/backup is practical).

Here is another wasteful aspect of MFA. I am using a very popular process to share access with a trusted person, to manage our company web site. It has an MFA aspect, which is a mobile app, and I can see the mobile app creates a MFA code even when not asked for. Not sure if it is constant, or only when I open the new password app on my phone, but maybe once every month I need the MFA code, but it generates and times out what appears to be constantly. How secure it that? How wasteful in resources?

One may also want to look at the laws for access. IIRC, face lock does not require a warrant, but a pin type code needs to be compelled by warrant. I use both, but my ultimate protection is a boot/IOS code, which is complicated, cannot be brute forced, and no known (to me) hacks when coupled with BootLocker. MFA has and continues to be less worthy.

  • Like 1
Posted

Unless we change our legal system, it is what it has to be. Defending against even the most frivolous of suit can put a business out of business (with no risk to the plaintiff other than expenses, especially if they find contingency representation, since there is zero penalty for losing). Much worse are those who use "review" sites to try to intimidate or to use as a protection racket.

I get nastygrams almost daily from those complaining saying they expect me to keep them from harming themselves (in some manner, such as sending their data online for safety without consent, hacking into their computer to keep them from doing something or fixing what they did, etc.). Maybe the worst is from those who pay the license, then expect me to handhold them through every payroll, teaching them payroll processing along the way. Such is life, being reachable to consumers I suppose, but said life has to be worth living, so one must do what can be done to insulate.

  • Like 2
  • 1 month later...
Posted

I have a laptop that I take home with me each night from my office.  I am the only one that works on this laptop.  I have all my protection, including encryption.  My laptop requires my fingerprint or PIN or password.  I always use my fingerprint.  My understanding is that under this new law I won't be able to use my fingerprint; a password will be required then I will get a text message to accept in order to get into my computer.  Has anyone found a way to get this authentication and still be able to use their finger print?  Is there anyone who has decided not to do this because they already have great protection (like I do)? I  totally protest this!

  • 5 weeks later...
Posted
On 11/12/2024 at 4:11 PM, Tracy Lee said:

I have a laptop that I take home with me each night from my office.  I am the only one that works on this laptop.  I have all my protection, including encryption.  My laptop requires my fingerprint or PIN or password.  I always use my fingerprint.  My understanding is that under this new law I won't be able to use my fingerprint; a password will be required then I will get a text message to accept in order to get into my computer.  Has anyone found a way to get this authentication and still be able to use their finger print?  Is there anyone who has decided not to do this because they already have great protection (like I do)? I  totally protest this!

Using your fingerprint or facial recognition meets the requirements,

but your tax software gets to choose which method they want to use.

  • Like 1
Posted

Following up on the matter of choosing an authenticator.  I was on the verge of paying for an authenticator when I ran across a comment about Google offering a free one -(by Lee or Judy, can't recall which).   I think something was also mentioned about Google tracking our activity, but I don't see that as a problem since they already track much (or most) of what I do online anyhow. Maybe I'm being naieve. 

My question is, what benefit might there be in using an authenticator that charges a fee?

Posted

I searched on "CCH + authenticator" and found Home > Knowledge Base > Article >

Article Number: 000280864

https://support.cch.com/oss/ml/kb/solution/Multi-Factor-Authenticators-for-Customers

"Multi-Factor Authenticators for Customers

Objectives

Any Time-based One-Time Password -capable validator will work with Multi-Factor Authentication (MFA) and your Wolters Kluwer application. The list below is collected from popular, secure Wolters Kluwer and third-party authenticators to help you in selecting the one best suited for your needs.

Environment

All Wolters Kluwer Applications

Windows OS

iOS or Android

Details 

[Then a nice table that I don't seem to be able to copy with 11 different authenticators, links to get them, and which work with Mobile, Windows, &/or Browser.]

The list of authentication providers has been tested by Wolters Kluwer and have been determined to be compatible with our systems.  However, please be advised, Wolters Kluwer does not endorse or recommend any individual provider, and each firm/user is advised to conduct their own due diligence to select a provider that is appropriate for their business needs."

  • Thanks 1
Posted
2 hours ago, JohnH said:

Following up on the matter of choosing an authenticator. 

My question is, what benefit might there be in using an authenticator that charges a fee?

The free ones will generate the codes and meet the needs of logging into the tax software. The paid apps may offer more advanced features like secure backup, syncing multiple devices, password management & integration, etc.

 

  • Thanks 1
Posted

The 2 out of 11 that note "(paid subscription may be required)" talk about advanced features, such as automatically entering the authentication code, keeping devices up-to-date, etc. Read about all the authenticators that WK says have been tested with their software to see if you need or want the advanced features.

  • Like 1
  • Thanks 2
Posted

I'm late to the party, am I reading all these comments that there is no way to circumvent this authenticator thing? My 80 year old dad does not have a cell phone. Does that mean he won't be able to access his own ATX program? This is crazy! 

Posted
1 minute ago, G2R said:

I'm late to the party, am I reading all these comments that there is no way to circumvent this authenticator thing? My 80 year old dad does not have a cell phone. Does that mean he won't be able to access his own ATX program? This is crazy! 

If the software vendor elects to force something (such as use of a cell phone for their security purposes), then the software vendor is sating, yes, you must have a cell phone. If this is an issue, contact the software vendor directly.

As I have likely spouted several times, using SMS or authenticator apps for MFA/security compliance is not required by the FTC, they allow several compliance options. But the FTC rules to not mean SMS for MFA is bad (there are better means) or authenticator apps are bad, or that it is unreasonable for software designed for tax pros comes with requirements such as being able to use SMS or authenticator apps for MFA.

I actually answer similar messages routinely, similar to "I am too old to X", and I have to be sincere and honest when I say if they feel this way, maybe it is time to have someone else do what they are doing. We all have to face this. I have the experience and skills to do many things I elect not to do to keep SWMBO happy, to increase the odds I keep getting older, etc. Although, if our granddaughter elects to be a racer, I will likely strap up at least one more time to be on track with her, to help her learn (and honestly, I miss it too).

Posted
23 minutes ago, G2R said:

I'm late to the party, am I reading all these comments that there is no way to circumvent this authenticator thing? My 80 year old dad does not have a cell phone. Does that mean he won't be able to access his own ATX program? This is crazy! 

There are desktop authenticators or he could an old cellphone that someone has lying around.

  • Like 1
Posted

I want to go back to what g2r said. I am a one person operation and I have the old flip phone that does not have app possibilities. How can I get MFA to work with an email address? ATX program is what I use.

Posted
37 minutes ago, Abby Normal said:

There are desktop authenticators or he could an old cellphone that someone has lying around.

 

30 minutes ago, TAXMAN said:

I want to go back to what g2r said. I am a one person operation and I have the old flip phone that does not have app possibilities. How can I get MFA to work with an email address? ATX program is what I use.

There are authenticators that will send 2FA via text or phone call, and Google's authenticator has an extension that works in Chrome, but those would be for accessing web-based internet site, or sites that don't need to scan a QR box for setup.

Using a web-based extension within a browser or desktop version, how would it be possible to scan the QR box from the ATX program's screen to receive the initial setup/pairing code without having some sort of mobile device. The mobile device must have QR scanning capability and the ability to download and install the authenticator.

@G2R and @TAXMAN A tablet would also work, and it would need to be modern enough to download the app and have QR scanning capability.

Posted

The first one I downloaded was Google.  It worked, so I didn't try anything else.  If it's good enough for Judy, it's good enough for me.  We were even able to set up access to my computer by my assistant in the event of illness or absence.  Always remember that the device is tied to the computer.  She has a different access code for her computer.  This is all laid out step by step in prior posts.  Good Luck.  I know how frazzled I was until I figured it out.

Posted

I reached out to ATX.  The guy said 95% of his calls since October were complaints about this.  Nothing they can do at this point unless rules change.  He did advise of a browser based authenticator if cell phone wasn't an option.  I tried it and it worked so it'll be a bit easier to explain to my low-tech/no-tech dad.

I downloaded the Authenticator.cc browser extension in Chrome.

Hope this helps. 

 

  • Like 4

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...