
Yiamastaverna

Tax professionals must now use multi-factor authentication to protect client data

The Internal Revenue Service and Security Summit partners remind tax professionals that the use of multi-factor authentication is now more than just an important protection for their companies and their clients – it is now a federal requirement.

Under the Federal Trade Commission’s security regulations, all tax professionals are now required to use multi-factor authentication (MFA) to protect sensitive client information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing a system, application or device.

“Multi-factor authentication is now more than just a good idea for tax professionals; it’s a requirement,” said IRS Commissioner Danny Werfel. “This is an effective way to increase security and protect tax professionals and their clients from data theft. Multi-factor authentication is a bit like a deadbolt; it’s an additional security that complements the door lock. This is an important step to protect not only tax professionals and their firms, but also their clients’ sensitive taxpayer data.”

This is the fifth week of an eight-part summer series on “Protect Your Customers; Protect Yourself,” part of an annual education initiative by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has been working to protect the tax system from tax-related identity theft and fraud since 2015.

Safety is a key focus of the Nationwide Tax Forum, which will be held in five cities across the United States this summer. In addition to the series of eight press releases, the safety aspect for tax professionals will also be addressed during the three-day continuing education events. The forums will continue during the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. The IRS advises tax professionals that the registration deadlines for the Baltimore and Dallas forums are fast approaching and that the San Diego forum is already sold out.

In the coming weeks, we will be offering timely tips in the press release series and at the IRS Tax Forums on how tax professionals can protect confidential taxpayer information and protect their own businesses from identity theft.

A key part of security for accountants today revolves around MFA. The additional layers of different authentication factors include something only the user knows, like a username and password; something the user owns, like a token or random string of numbers sent to their mobile phone; or something unique, like biometric information. These provide additional assurance that an accountant’s client, and not a fraudster, is gaining access.

Summit partners found that implementing MFA is one of the most cost-effective ways to increase security and reduce a tax preparer’s fraud and data privacy risk. Once implemented, MFA protects against phishing, social engineering, and other types of technology attacks that exploit weak or stolen passwords.

Common MFA Examples

The general public makes extensive use of MFA today, so tax advisors' clients should not be surprised by the additional scrutiny required of them.

For example, many smartphone users are used to confirming their identity using fingerprint or facial recognition before unlocking the device. Certain smartphone applications can rely on this biometric factor for app-level MFA in addition to a PIN or password.

Many online banks, financial applications, and payroll services use MFA to verify the identity of account holders before granting access or allowing high-risk transactions such as money transfers.

Additionally, taxpayers connecting to the IRS are prompted to set up MFA to create an IRS online account. After that, they first log in with an email address and password, then receive a one-time passcode via text or phone call on the device they choose, and finally enter the passcode into the account to complete the login. A malicious actor cannot access the account without also having the passcode.

MFA required by law

Under the FTC’s new MFA rules, any attempt to access customer information must use at least two of the following: something the user knows, such as a username; something sent to them, such as a text message with a number sent to a cell phone; or a physical part of the person, such as a fingerprint or facial scan.

Additionally, MFA should be used not only to secure client information on a tax preparer’s computer or network, but also to access client information stored in their tax filing software. MFA is required by law for all businesses – not just tax preparers. The size of the business does not matter. Refusing to use MFA in tax filing software is a violation of the FTC’s security rules.

Proven implementation methods

Tax professionals should implement MFA for all their services and data access points.

In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected from the latest threats, and they should offer a variety of authentication factors to meet the needs of different users.

Finally, tax professionals should always enable MFA in tax software products and cloud storage services that contain sensitive client data and never share usernames.

Additional resources

If a tax advisor or his/her firm becomes a victim of data theft, he/she should:

  • Report the incident to the local IRS stakeholder liaison. Speed is critical. IRS stakeholder liaisons ensure that all appropriate IRS offices are notified. With a quick report, the IRS can take steps to block fraudulent tax returns on behalf of clients and assist tax professionals during the process.
  • Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with their state’s tax authority by using the dedicated “Report Data Breach” feature.
  • View Publication 5293, Data Security Resource Guide for Tax Professionals (PDF), which provides an overview and resources for preventing data theft.
  • Tax professionals can also get help with security recommendations by reading IRS Publication 4557, Safeguarding Taxpayer Data (PDF) and the IRS’s Identity Theft Resource Page for Tax Professionals. Read the National Institute of Standards and Technology’s Small Business Information Security: The Fundamentals (PDF).
