FTC safeguard rule now requires multi-factor authentication

All tax professionals are now required under the FTC’s safeguards rule to use multi-factor authentication (MFA) to protect your clients’ sensitive information. The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device.

MFA required by law

A key part of tax pro security now revolves around MFA. The three extra layers of different authentication factors provide extra assurance that a tax pro’s client, not an impostor, is gaining access. Under the new FTC MFA rules, there’s a requirement to use at least two of the following factors for anyone accessing customer information:

1. Something only a user knows, such as a username and password.
2. Something they have, including a token or random number sequence sent to their cell phone.
3. Something unique, such as biometric information.

Implementing MFA is one of the most cost-effective ways to increase security, and reduce a tax pro’s fraud and data breach risks. Once in place, MFA helps protect against phishing, social engineering, and other types of technology attacks that exploit weak or stolen passwords.

In addition, MFA should be used to secure client information on a tax pro’s computer or network, but it should also be used to access client information stored within their tax preparation software. MFA is required by law for all companies – not just tax professionals. The size of the company does not matter. Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules. 

Common MFA examples   

The general public makes wide use of MFA these days, so tax pro clients shouldn’t be surprised by the extra scrutiny asked of them. 

For example, many smartphone users are accustomed to fingerprint or facial recognition that authenticates their identity before unlocking their device. Certain smartphone applications can also rely on that biometric factor, along with a PIN or password for app-level MFA. 

Many online banks, financial applications, and payroll services use MFA to verify account holders’ identities before granting access or allowing high-risk transactions, such as money transfers. In addition, taxpayers connecting to the IRS will be asked to set up MFA to create an IRS Online Account. After that to sign in, they will log in with an email address and password, receive a one-time passcode by text or call to one’s chosen device, and enter the passcode into the account to complete sign-in. A bad actor cannot access one’s account without also having their passcode. 

Best implementation practices   

Tax pros should implement MFA across all their services and data access points. They should also regularly evaluate current MFA methods, standards, and new technologies to stay protected against the latest threats, and should offer a variety of authentication factors to suit the needs of different users.

Tax pros should always enable MFA within tax software products and cloud storage services containing sensitive client data, and should never share usernames. 

Additional resources   

If a tax pro or their firm are the victim of data theft, they should:

• Report the incident to their local IRS Stakeholder Liaison. Speed is critical. IRS stakeholder liaisons will ensure all the appropriate IRS offices are alerted. If reported quickly, the IRS can take steps to block fraudulent returns in the clients’ names and assist tax pros through the process.
• Visit the Federation of Tax Administrators to find state contact information. Tax professionals can share information with the appropriate state tax agency by visiting the special “Report a Data Breach.”
• Review Publication 5293, Data Security Resource Guide for Tax Professionals, which provides an overview and resources about how to avoid data theft.
• Tax professionals can also get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and the identity theft information page for tax pros.
• Read Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology.