The Internal Revenue Service (IRS), in partnership with the Security Summit, announced today that multi-factor authentication (MFA) is now a federal requirement for all tax professionals under the Federal Trade Commission’s safeguards rule. This mandate aims to bolster the security of sensitive client information by requiring more than just a username and password for system access.
IRS Commissioner Danny Werfel emphasized the importance of MFA in protecting both tax professionals and their clients from potential data breaches.
Key Points on MFA Implementation
The new rule, effective as of June 2023, mandates the use of MFA across all platforms where customer information is accessed, including tax preparation software. MFA requires at least two forms of authentication, such as:
- Something a user knows (e.g., username and password).
- Something a user has (e.g., a token or a one-time code sent to a mobile device).
- Something unique to the user (e.g., biometric data like a fingerprint or facial recognition).
The Security Summit partners, which include tax professionals, industry stakeholders, state tax agencies, and the IRS, have been working together since 2015 to protect the tax system from identity theft and fraud. Implementing MFA is one of the most cost-effective ways to safeguard against phishing, social engineering, and other cyber threats that exploit weak or stolen passwords.
Common MFA Practices
MFA is already widely used by the public in various applications. For example:
- Smartphones: Many users unlock their devices using fingerprint or facial recognition, which serves as an additional authentication layer.
- Online Banking: Banks often require MFA for account access, particularly for high-risk transactions like money transfers.
- IRS Online Account: Taxpayers using IRS Online Account services are required to use MFA, which involves logging in with an email and password, receiving a one-time passcode via text or call, and entering the passcode to complete the sign-in process.
Legal Requirements and Best Practices
The FTC’s MFA rules apply to all businesses, including tax professionals, regardless of company size. Failure to implement MFA, particularly within tax preparation software, is a violation of the FTC safeguards rules.
Tax professionals are encouraged to:
- Implement MFA across all services and data access points.
- Regularly evaluate and update MFA methods and technologies to stay protected against emerging threats.
- Enable MFA within all software products and cloud storage services that contain sensitive client data.
- Avoid sharing usernames to further enhance security.
This article, "IRS Requires Multi-Factor Authentication for Tax Professionals to Enhance Security" was first published on Small Business Trends
0 Comments