Tuesday, August 6, 2024

IR-2024-201: Multi-Factor Authentication: Key protection to tax professionals’ security arsenal now required  

Bookmark and Share

IRS.gov Banner
IRS Newswire August 6, 2024

News Essentials

What's Hot

News Releases

IRS - The Basics

IRS Guidance

Media Contacts

Facts & Figures

Around The Nation

e-News Subscriptions


The Newsroom Topics

Multimedia Center

Noticias en Español

Radio PSAs

Tax Scams

The Tax Gap

Fact Sheets

IRS Tax Tips

Armed Forces

Latest News Home


IRS Resources

Contact My Local Office

Filing Options

Forms & Instructions

Frequently Asked Questions

News

Taxpayer Advocate

Where to File

IRS Social Media


Issue Number:    IR-2024-201

Inside This Issue


Multi-Factor Authentication: Key protection to tax professionals' security arsenal now required  

Week 5 of "Protect Your Clients; Protect Yourself" series focuses on strengthening account security  

WASHINGTON — The Internal Revenue Service and the Security Summit partners remind tax professionals that using multi-factor authentication is now more than an important protection for their businesses and their clients – it's now a federal requirement. 

All tax professionals are now required under the Federal Trade Commission's safeguards rule to use multi-factor authentication, or MFA, to protect clients' sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device. 

"Multi-factor authentication is now more than just a good idea for tax professionals; it's a requirement," said IRS Commissioner Danny Werfel. "This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multi-factor authentication is a little like a deadbolt on a door; it's additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients." 

This is the fifth week of an eight-part "Protect Your Clients; Protect Yourself" summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud. 

Security is a key focus of the Nationwide Tax Forum, being held this summer in five cities throughout the U.S. In addition to the series of eight news releases, the tax professional security component is featured at the three-day continuing education events. The forums continue the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. The IRS reminds tax pros that registration deadlines are quickly approaching for the Baltimore and Dallas forums, as San Diego has already sold out. 

In upcoming weeks, the news release series and the IRS Tax Forums will provide timely tips to help protect sensitive taxpayer data that tax professionals hold while also protecting their own businesses from identity thieves. 

A key part of tax pro security now revolves around MFA. The extra layers of different authentication factors include something only a user knows, like a username and password; something they have, like a token or random number sequence sent to their cell phone; or something unique, like biometric information. These provide extra assurance that a tax pro's client, not an impostor, is gaining access. 

The Summit partners noted that implementing MFA is one of the most cost-effective ways to increase security and reduce a tax pro's fraud and data breach risks. Once in place, MFA helps protect against phishing, social engineering and other types of technology attacks that exploit weak or stolen passwords. 

Common MFA examples   

The general public makes wide use of MFA these days, so tax pro clients shouldn't be surprised by the extra scrutiny asked of them. 

For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor along with a PIN or password for app-level MFA. 

Many online banks, financial applications and payroll services use MFA to verify account holders' identities before granting access or allowing high-risk transactions, such as money transfers. 

In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that, to sign in, they will first log in with an email address and password, then receive a one-time passcode by text or call to one's chosen device and finally enter the passcode into the account to complete sign-in. A bad actor cannot access one's account without also having their passcode. 

MFA required by law   

Under the new FTC MFA rules, there's a requirement to use at least two of the following factors for anyone accessing customer information: something a user knows like a username; something sent to them like numbers texted to a cell phone; or a physical part of them like a fingerprint or facial scan. 

In addition, MFA should be used to secure client information on a tax pro's computer or network, but it should also be used to access client information stored within their tax preparation software. MFA is required by law for all companies – not just tax professionals. The size of the company does not matter. Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules. 

Best implementation practices   

Tax pros should implement MFA across all their services and data access points. 

In addition, they should regularly evaluate current MFA methods, standards and new technologies to stay protected against the latest threats, and they should offer a variety of authentication factors to suit the needs of different users. 

Finally, tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and they should never share usernames. 

Additional resources   

If a tax pro or their firm are the victim of data theft, they should: 

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.

Back to Top


FaceBook Logo  YouTube Logo  Instagram Logo  Twitter Logo  LinkedIn Logo


Thank you for subscribing to the IRS Newswire, an IRS e-mail service.

If you know someone who might want to subscribe to this mailing list, please forward this message to them so they can subscribe.

This message was distributed automatically from the mailing list IRS Newswire. Please Do Not Reply To This Message.


This email was sent to business.solutions.ve@gmail.com by: Internal Revenue Service (IRS) · Internal Revenue Service · 1111 Constitution Ave. N.W. · Washington, D.C. 20535 GovDelivery logo

No comments:

Post a Comment