Multi-Factor Authentication to Be Available on All Online Tax Products Beginning with 2020 Filing Season

The IRS, in a news release issued as part of IRS National Tax Security Awareness Week, touted the benefits of multi-factor authentication (MFA) for taxpayers and tax professionals.[1] Multi-factor authentication (often also called two-factor authentication) is recommended for protecting online accounts, especially those containing sensitive information, because of commonly seen problems with traditional username/password log-ins to online systems.

The IRS describes the process as follows:

Designed to protect both taxpayers and tax professionals, multi-factor authentication means the returning user must enter two pieces of data to securely access an account or application. For example, taxpayers must enter their credentials (username and password) plus a numerical code sent as a text to their mobile phone.[2]

The example cited by the IRS may be an unfortunate one, as later in the release the IRS notes that the use of numbers sent to mobile phones is known to be less secure than other options that may be available:

There are multiple options for multi-factor authentication. For example, taxpayers and tax practitioners can download an authentication app to their mobile device. These apps are readily available through Google Play or Apple’s App Store. Once properly configured, these apps will generate a temporary, single-use security code, which the user must enter into their tax software to complete authentication. Use a search engine for “Authentication apps” to learn more.

Other options include codes that may be sent to practitioner’s email or mobile phone via text but those are not as secure as an authentication app.[3]

What are these potential security issues with email or SMS messages? One basic problem is that a code sent by text or email automatically creates a transmission over systems which themselves were not designed to be secure. It is possible that emails could be intercepted in transit or even that some party other than the taxpayer or tax professional may be in possession of the credentials to log into the email account.

The text message transmission system also is not designed to be secure, but a second problem arises there: “SIM-jacking.” A party seeking to gain access to the account could use social engineering techniques (such as giving a good sob story over the phone or at a store) to persuade an employee of a cell phone carrier to issue a new SIM for the mobile number of the taxpayer or, more likely because of being a higher value target, the tax professional. The texted number would then go to the newly activated phone.

While most likely these techniques will not be used against the taxpayer or tax professional, the use of authentication applications (such as Google Authenticator and the plethora of other applications based on the same standard[4]) eliminates the need to transmit a number, thus removing the risk of the additional factor being intercepted in transit. Therefore, whenever possible the authenticator application option should be used.

The news release goes on to note that MFA will be present in all online tax products for 2021:

Some online products previously offered multi-factor authentication. However, for 2021 all providers agreed to make it a standard feature and all agreed that it would meet requirements set by the National Institute of Standards and Technology. Multi-factor authentication may not be available on over-the-counter hard disk tax products.[5]

The agreement only requires that MFA be offered on the products, not that its use be mandated (although some products are now requiring the use of MFA, at least to perform certain actions). The release notes:

Because the multi-factor authentication option is voluntary, Summit partners urged both taxpayers and tax professionals to use it. Multi-factor authentication can reduce the likelihood of identity theft by making it difficult for thieves to get access to sensitive accounts.

Users should check the security section in their online tax product account to make the change. It may be labeled as two-factor authentication or two-step verification or similar names.[6]

The release gives the following arguments (with which this author concurs) for the use of MFA with products that deal with tax information for tax professionals:

Use of multi-factor authentication is especially important for tax professionals who continue to be prime targets of identity thieves. Of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.

Thieves use a variety of scams – but most commonly by a phishing email – to download malicious software, such as keystroke software. This malware will eventually enable them to steal all passwords from a tax pro. Once the thief has accessed the practitioner’s networks and tax software account, they will complete pending taxpayer returns, alter refund information and use the practitioner’s own e-filing and preparer numbers to file the fraudulent return – a dangerous combination.

However, with multi-factor authentication, it’s unlikely the thief will have stolen the practitioner’s cell phone — blocking the ability to receive the necessary security code to access the account. This protects the tax pro’s account information.[7]

The release concludes with a caution that no security measure, even MFA, can provide complete security—but the use of it in as many contexts as it is offered will greatly increase the user’s overall security:

While no product is fool-proof, multi-factor authentication does dramatically reduce the likelihood that taxpayers or tax practitioners will become victims. Multi-factor authentication should be used wherever it is offered. For example, financial accounts, social media accounts, cloud storage accounts and popular email providers all offer multi-factor authentication options.[8]


[1] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020, https://www.irs.gov/newsroom/irs-national-tax-security-awareness-week-day-2-2021-online-tax-preparation-products-to-offer-multi-factor-authentication-for-taxpayers-tax-pros (retrieved December 5, 2020)

[2] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020

[3] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020

[4] For instance, the Thomson Reuters Authenticator app used for two-factor authentication for Thomson Reuters products uses this same standard authentication mechanism. While Google may have developed the system, using the system does not require using any Google products.

[5] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020

[6] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020

[7] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020

[8] “IRS National Tax Security Awareness Week, Day 2: 2021 online tax preparation products to offer multi-factor authentication for taxpayers, tax pros,” IRS News Release IRS-2020-266, December 1, 2020