
June 27, 2017

Protect Your Firm and Clients with Multi-Factor Authentication


Jim Boomer

You’ve probably noticed more and more of your email and bank accounts requiring multi-factor authentication before allowing you to log into your accounts online.

When you try to log in to your email from a new computer or access your bank online in a new location that the website doesn’t recognize, the website will text a code to your phone that you’ll have to enter before you can proceed. This is multi-factor authentication, and it helps ensure that if thieves manage to steal your credentials (i.e. username and password), they’ll be blocked from actually accessing your accounts.

What is multi-factor authentication?

Authentication is simply a process that verifies a user’s identity. The most common form of authentication is a password, but given the rise of tax-related identity theft and phishing schemes that accounting firms face, a password is no longer enough to protect the private information of your firm and your clients.

According to the security platform Endgame, there are two major methods that attackers use to steal usernames and passwords: attacking the users directly and attacking the websites people use. Attacking users directly might involve sending scam emails to customers of a certain bank, prompting them to enter usernames and passwords into a fake login page. Attacking a website involves exploiting a vulnerability in the website itself, stealing the usernames and passwords of everyone who uses the site. These are usually the large-scale data breaches that make the news, like when the IRS’s “Get Transcript” system was hacked, compromising the personal information of more than 700,000 taxpayers.

Authentication methods

While a hack of your firm’s systems may never reach the scale of the IRS data breach, you don’t want to be the one that has to alert your clients that their personal information has been compromised. That’s why any system that houses sensitive data should be configured to require the use of two or more different authentication methods. Strong authentication requires two or more of the following:

  1. Something you know. Providing a password or correct answers to previously established security questions are the most common examples. This is the most common authentication method and also the least expensive in terms of initial cost. Perhaps not surprisingly, it’s also the least secure of the three. In 2016, Yahoo announced that a hacker had stolen information from a minimum of 500 million accounts in late 2014. The information stolen included not only email addresses and passwords but also security questions and answers.
  2. Something you have. This is some physical object in the possession of a user. Some financial institutions provide USB sticks with a secret token or key fob that produces a new code every 30 seconds. Many websites will text a secret code to your phone. Think of it like having a key to your front door, but the key and lock change shape each time you unlock the door.
  3. Something you are. This method relies on biometric technologies that use a personal feature of the user, such as a fingerprint, handprint, facial recognition, eye scans, or voice verification. The most commonly employed in mobile applications is fingerprint recognition. Biometric technology is the most costly method, but many mobile computer vendors are building biometric authentication capabilities into their hardware.

Even with the use of multi-factor authentication, a thief in physical possession of your laptop or tablet will be able to defeat it, so it’s important to physically secure your property and use encryption as well as authentication.

Last month, I asked whether your accounting firm is serious about security. Serious software providers and accounting firms are moving beyond passwords to require multi-factor authentication for the firm’s staff and clients. When evaluating software vendors, the ones who can apply multi-factor technology are probably the better choice. It may up the nuisance factor, but it’s what you need to do to make sure your clients’ information is secure.

Jim Boomer is CEO of Boomer Consulting.


Jim Boomer is the CEO of Boomer Consulting, Inc. He is the director of the Boomer Technology Circles™ and an expert on managing technology within an accounting firm. He also serves as a strategic planning and technology consultant and firm adviser in the areas of performance and risk management. In addition, Jim is leading a new program, The Producer Circle, in collaboration with CPA2BIZ and the AICPA. Jim was selected for the 2011 AICPA Leadership Program and the inaugural class of the KSCPA’s “20 Under 40” Leadership Program. He has been named to The CPA Technology Advisor’s “Forty Under Forty” and “Top 25 Thought Leaders” lists multiple times.