Taxes
Tax Pros Now Required to Use Multi-Factor Authentication to Protect Client Data
Tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames.
Aug. 07, 2024
The Internal Revenue Service and the Security Summit partners are reminding tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it’s now a federal requirement.
All tax professionals are now required under the Federal Trade Commission’s safeguards rule to use multi-factor authentication, or MFA, to protect clients’ sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device.
“Multi-factor authentication is now more than just a good idea for tax professionals; it’s a requirement,” said IRS Commissioner Danny Werfel. “This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multi-factor authentication is a little like a deadbolt on a door; it’s additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients.”
Thanks for reading CPA Practice Advisor!
Subscribe for free to get personalized daily content, newsletters, continuing education, podcasts, whitepapers and more...
Already registered? Login
Need more information? Read the FAQ's
This is the fifth week of an eight-part Protect Your Clients; Protect Yourself summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.
Security is a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component is featured at the three-day continuing education events. The forums continue the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Baltimore and Dallas forums, as San Diego has already sold out.
In upcoming weeks, the news release series and the IRS Tax Forums will provide timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves.
A key part of tax pro security now revolves around MFA. The extra layers of different authentication factors include something only a user knows, like a username and password; something they have, like a token or random number sequence sent to their cell phone; or something unique, like biometric information. These provide extra assurance that a tax pro’s client, not an impostor, is gaining access.
The Summit partners noted that implementing MFA is one of the most cost-effective ways to increase security and reduce a tax pro’s fraud and data breach risks. Once in place, MFA helps protect against phishing, social engineering and other types of technology attacks that exploit weak or stolen passwords.
Common MFA examples
The general public makes wide use of MFA these days, so tax pro clients shouldn’t be surprised by the extra scrutiny asked of them.
For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor along with a PIN or password for app-level MFA.
Many online banks, financial applications and payroll services use MFA to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers.
In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that, to sign in, they will first log in with an email address and password, then receive a one-time passcode by text or call to one’s chosen device and finally enter the passcode into the account to complete sign-in. A bad actor cannot access one’s account without also having their passcode.
MFA required by law
Under the new FTC MFA rules, there’s a requirement to use at least two of the following factors for anyone accessing customer information: something a user knows like a username; something sent to them like numbers texted to a cell phone; or a physical part of them like a fingerprint or facial scan.
In addition, MFA should be used to secure client information on a tax pro’s computer or network, but it should also be used to access client information stored within their tax preparation software. MFA is required by law for all companies – not just tax professionals. The size of the company does not matter. Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules.
Best implementation practices
Tax pros should implement MFA across all their services and data access points.
In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected against the latest threats, and they should offer a variety of authentication factors to suit the needs of different users.
Finally, tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames.
Additional resources
If a tax pro or their firm are the victim of data theft, they should:
- Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients’ names and assist tax pros through the process.
- Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special Report a Data Breach.
- Review Publication 5293, Data Security Resource Guide for Tax Professionals PDF, which provides an overview and resources about how to avoid data theft.
- Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data PDF, and the IRS’ Identity theft information page for tax pros. Read Small Business Information Security: The Fundamentals PDF, by the National Institute of Standards and Technology.