Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

IRS Reminder to Tax Pros: Multifactor Authentication Now Required

By:
MYSSCPA Staff
Published Date:
Aug 7, 2024

The IRS and its Security Summit partners have reminded tax professionals that using multifactor authentication  to protect their businesses and their clients is now a federal requirement.

In June 2023, the Federal Trade Commission (FTC) mandated multifactor authorization to protect clients’ sensitive information. Multifactor authentication strengthens account security by requiring more than just a user name and password to confirm an identity when accessing any system, application or device.

The extra layers of different authentication factors include something only users know, such as a user name and password; something they have, such as a token or random number sequence sent to their cell phones; or something unique, such as biometric information. Under the new FTC multifactor authentication rules, there’s a requirement to use at least two of those factors for anyone accessing customer information. These provide extra assurance that a tax pro’s client, not an impostor, is gaining access.

Once in place, multifactor authentication helps protect against phishing, social engineering and other types of technology attacks that exploit weak or stolen passwords, the Security Summit partners noted.

“Multifactor authentication is now more than just a good idea for tax professionals; it’s a requirement,” said IRS Commissioner Danny Werfel in a statement. “This is an effective way to increase security and protect tax professionals and their clients from a data breach. Multifactor authentication is a little like a deadbolt on a door; it’s additional security supplementing the doorknob lock. This is an important step to protect not just tax professionals and their firms, but also the sensitive taxpayer information from their clients.”

This is the fifth week of an eight-part Protect Your Clients; Protect Yourself summer series, an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.

In addition to the series of eight news releases, the tax professional security component is featured at a series of three-day continuing education events, the Nationwide Tax Forum. The forums continue the weeks of August 12 in Baltimore, August 19 in Dallas and September 9 in San Diego. 

Common multifactor authentication examples include fingerprint or facial recognition that authenticates a user’s identity before unlocking a device. Certain smartphone applications can also rely on that biometric factor along with a personal identification number or password for app-level multifactor authentication. Many online banks, financial applications and payroll services use multifactor authentication to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers.

Multifactor authentication, which is required by law for all companies, not just tax professionals, should be used to secure client information on a tax pro’s computer or network, as well as to access client information stored within their tax preparation software. Opting out of using multifactor authentication in tax preparation software is a violation of the FTC safeguards rules.

Taxpayers who connect to the IRS will be asked to set up multifactor authentication to create an IRS Online Account.

If tax professionals or their firms are the victims of data theft, they should:

● Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients' names and assist tax pros through the process;

● Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special Report a Data Breach;

● Review Publication 5293, Data Security Resource Guide for Tax Professionals, which provides an overview and resources about how to avoid data theft;

● Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and the IRS' Identity theft information page for tax pros; and

● Read Small Business Information Security: The Fundamentals, by the National Institute of Standards and Technology.

Tax professionals should also stay connected to the IRS through subscriptions to e-News for tax professionals and its social media sites.

Click here to see more of the latest news from the NYSSCPA.