ECNETNews reports that the Internal Revenue Service (IRS), in collaboration with the Security Summit, has announced a new federal mandate requiring multi-factor authentication (MFA) for all tax professionals. This measure, part of the Federal Trade Commission’s safeguards rule, seeks to enhance the security of sensitive client information by mandating more than just a username and password for system access.
The IRS Commissioner highlighted the critical role of MFA in safeguarding both tax professionals and their clients against potential data breaches.
Overview of MFA Requirements
The regulation, effective June 2023, compels the use of MFA across all platforms where customer information is accessed, including tax preparation software. MFA necessitates at least two forms of authentication, such as:
- Something a user knows (e.g., username and password).
- Something a user has (e.g., a token or a one-time code sent to a mobile device).
- Something unique to the user (e.g., biometric data like a fingerprint or facial recognition).
The Security Summit partners, which consist of tax professionals, industry stakeholders, state tax agencies, and the IRS, have been engaged in collaborative efforts since 2015 to protect the tax system from identity theft and fraud. The implementation of MFA is deemed one of the most effective defenses against phishing, social engineering, and cyber threats that exploit weak or stolen passwords.
Notable MFA Practices
MFA is already a common practice across various sectors. For instance:
- Smartphones: Users often unlock their devices using biometric verification, providing an extra layer of security.
- Online Banking: Financial institutions typically require MFA for account access, especially for high-risk transactions like fund transfers.
- IRS Online Account: Taxpayers utilizing IRS Online Account services must employ MFA, which requires logging in with an email and password, receiving a one-time passcode, and entering that passcode to finalize the sign-in process.
Compliance and Security Best Practices
The FTC’s MFA regulations apply to all businesses, including tax professionals, regardless of their size. Non-compliance, especially concerning tax preparation software, constitutes a violation of FTC safeguards rules.
Tax professionals are urged to take the following actions:
- Implement MFA for all services and data access points.
- Regularly review and enhance MFA methods to counter emerging threats.
- Enable MFA within all software products and cloud services that house sensitive client information.
- Refrain from sharing usernames to further bolster security.