In June 2023, the IRS made Multi-Factor Authentication (MFA) mandatory for tax preparers due to a significant rise in data threats. As one of the most common targets of data and cybersecurity threats, tax preparers have a duty to enforce Multi-Factor Authentication systems. This is essential to protect their clients’ data, as outlined in Publication 4557. Multi-Factor Authentication is like a door with multiple locks on it, and each of those locks must be opened in a specific manner with only a limited number of individuals holding the keys.
For tax preparers, having an MFA system means that even if a cybercriminal manages to obtain their password through a phishing scam or data breach, they will still need the second “key,” typically a unique, time-sensitive code sent to the preparer’s mobile device, to access sensitive client data and IRS e-filing systems. This crucial extra layer of security significantly hinders unauthorized access, safeguarding confidential information. It also helps tax preparers meet their professional and legal obligation to protect taxpayer data.
This blog explains how implementing an MFA system fulfills the IRS Security Requirements for tax preparers, and what an ideal MFA system should include.
How Multi-Factor Authentication Helps Meet IRS Security Requirements
Multi-Factor Authentication helps tax preparers meet the IRS Security Requirements. It serves as a crucial step toward establishing a robust and secure system that prevents data leaks and identity theft, ultimately protecting tax preparers’ clients. Here’s how MFA systems meet the IRS Security Requirements for tax preparers:
Verifies User Identity
MFA goes beyond the traditional use of just a username and password for user identification by adding a further layer of protection. There are several ways to verify and authenticate a user’s identity with MFA:
- Knowledge: Knowledge-based authentication is based on something that a user knows such as a password.
- Possession: The second category, possession, uses an item that belongs to the user to provide a second layer of security that is separate from the username and password. Examples include a one-time code sent to the user’s mobile phone or a USB token that generates the code and sends it to the user.
- Biometrics: These methods include fingerprints, facial recognition, and other traits that identify an individual.
Using multiple authentication methods to verify identity increases the likelihood that the individual attempting to log in is the authorized user and not an impostor.
Adding another form of authentication to an existing one establishes a major deterrent against intruders breaching security systems, much as a deadbolt locks out intruders attempting to enter through the knob’s latch. If an intruder were able to acquire your password via theft or human manipulation (e.g., phishing scams), they would still require your second factor before being allowed access. MFA therefore limits the possibility of an unauthorized party obtaining sensitive client or personal information and data stored internally on organizational systems.
It protects EFINs
The Electronic Filing Identification Number (EFIN) is an essential identifier under the IRS tax preparer security requirements that allows tax returns to be submitted electronically to the IRS. If the EFIN is compromised, identity thieves can use it to file fraudulent returns in the tax preparer’s name. Tax professionals can help protect their business and clients from fraud by using multi-factor authentication (MFA) to secure the systems and software in which they use or store their EFINs, hindering unauthorized access to this sensitive identifier.
It enhances overall security posture during tax preparation
A tax preparation firm can improve its overall security posture by implementing MFA on all entry points (tax software, email provider, and cloud storage services). MFA is one of the most effective and affordable ways to reduce the potential for a data breach. MFA implementation is typically incorporated into a Written Information Security Program (WISP), as mandated by the Federal Trade Commission’s (FTC) Safeguards Rule. Implementing MFA reflects a firm’s commitment to maintaining strong security, enabling the firm to retain client confidence while also fulfilling its obligations under federal law.
It mitigates the risk of stolen credentials
A password may be considered weak if it is too simple or easy to guess, or if it has already been stolen or compromised by an attacker. Multi-factor authentication (MFA) reduces the risks associated with compromised credentials: once an account password has been stolen, the only way to log into the account is through an additional, unrelated means of authentication. Cybercriminals, therefore, cannot successfully log into your account using only your stolen credentials; they will need at least one additional element of verification before they can access the account.
It protects from specific cyberattacks
MFA provides added security to help defend users against common cyber threats, such as phishing, social engineering, and similar malicious digital tactics. As an illustration of this point: if a preparer is the target of a phishing attack and is tricked into giving away their password, the attacker, even with the password, won’t be able to access the preparer’s account due to the required secondary factor (e.g., one-time codes generated and sent by text message to the preparer’s phone) needed for login. As a result, phishing attempts will be less successful when MFA is in place.
Conclusion
Although the IRS tax preparer security requirements may require supporting Multi-Factor Authentication (MFA) to protect taxpayers’ private information, MFA can provide tax preparers and CPA firms with additional benefits beyond those mandated by law. These include improving overall security. Although the actual financial losses associated with data breaches or identity fraud can be substantial, the damage to the reputation of a tax preparer or CPA firm can be even greater. Hefty federal fines resulting from breaches of client data can erode the trust between preparer and client, leading clients to withdraw their business.
On a wider level, a security breach can further damage the reputation of the entire firm or individual practitioner, leading to long-lasting negative effects. Even one breach of client data can negatively affect the tax preparer’s identity and significantly lower their credibility. For these reasons, tax preparers who maintain strong Multi-Factor Authentication systems will find that they not only protect their client data, but also build and maintain a reputation for trustworthiness and professional integrity.