WASHINGTON, D.C. — The Internal Revenue Service (IRS) is reminding tax professionals that multi-factor authentication (MFA) is now not only a crucial safeguard for their business and clients but also a federal requirement. This mandate, under the Federal Trade Commission’s (FTC) safeguards rule, aims to bolster account security by requiring more than just a username and password for identity verification.
Effective June 2023, all tax professionals must implement MFA to protect sensitive client information. IRS Commissioner Danny Werfel emphasized the significance of this new regulation, stating, “Multi-factor authentication is now more than just a good idea for tax professionals; it’s a requirement. This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multi-factor authentication is a little like a deadbolt on a door; it’s additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients.”
Understanding Multi-Factor Authentication
MFA is a security measure that requires users to provide two or more verification factors to gain access to a system, application, or device. Commonly used MFA methods include:
- Biometric Verification: Fingerprint or facial recognition used by many smartphone users.
- One-Time Passcodes: Codes sent via text or phone call to the user’s device, required to complete login processes.
- Application-Level MFA: Some smartphone applications require a PIN or password in addition to biometric verification.
The IRS also uses MFA for taxpayer accounts. Taxpayers must log in with an email and password, receive a one-time passcode on their chosen device, and enter the passcode to access their account. This multi-layered approach ensures that even if a bad actor obtains a user’s login credentials, they cannot access the account without the passcode.
Legal Requirements for MFA
Under the new FTC rules, MFA must use at least two of the following factors for anyone accessing customer information:
- Something a user knows: Such as a username or password.
- Something sent to the user: Such as a code texted to their phone.
- Something unique to the user: Such as a fingerprint or facial scan.
This requirement applies not only to tax professionals but to all companies, regardless of size. Opting out of MFA in tax preparation software is a violation of the FTC safeguards rules.
Best Practices for Implementation
Tax professionals should adopt MFA across all services and data access points. They should:
- Evaluate MFA Methods: Regularly assess current MFA methods, standards, and technologies to stay protected against emerging threats.
- Offer Diverse Authentication Options: Provide various authentication factors to meet the needs of different users.
- Secure Sensitive Data: Always enable MFA within tax software products and cloud storage services that contain sensitive client data.
- Avoid Sharing Usernames: Ensure usernames are not shared among employees or users.
The IRS’s mandate on MFA underscores the growing importance of robust cybersecurity measures. By implementing these practices, tax professionals can significantly reduce the risk of data breaches and protect the integrity of sensitive client information.
For the latest news on everything happening in Chester County and the surrounding area, be sure to follow MyChesCo on Google News and MSN.