IRS Urges Tax Professionals to Use Multi-Factor Authentication in Addition to Passwords

The IRS has urged tax professionals to make use of multi-factor authentication to protect their systems and information in News Release IR-2020-32.[1]

Multi-factor authentication (MFA) requires the user to present multiple, independent pieces of evidence to prove their right to access a system or information.  Such a system requires two or more of the following, drawn from different categories:

  • Something you know (a password);

  • Something you are (fingerprint);

  • Something you have (a hardware token)

Traditionally users had only been asked to provide a user name and password in order to access a system or information. Relying solely on a username/password to get into a system can easily fail to provide true authentication in situations such as:

  • The user chooses a poor password (dictionary word, common password, child’s name, etc.) that a third party guesses;

  • The user uses the same password for multiple accounts.  In this case, if the password database for one site is breached (as happened in the past to LinkedIn), attackers can try that same username/password combination on other sites (such as the electronic filing site for your tax software provider), a technique that succeeds only because of password reuse; and

  • The attacker phishes the username/password from the user via an email that directs the user to a website that looks like the regular login page when, in fact, it is simply capturing those credentials.

The IRS news release describes the following potential attack:

The IRS reminded tax professionals to beware of phishing scams that are commonly used by thieves to gain control of their computers. Thieves may claim to be a potential client, a cloud storage provider, a tax software provider or even the IRS in their effort to trick tax professionals to download attachments or open links. These scams often have an urgent message, implying there are issues with the tax professionals’ accounts that need immediate attention.

MFA has been suggested to protect against the shortcomings of passwords.  The password is still required to gain entry to the system or site, but by itself it is not enough to allow the user access.  Rather, at least one other authentication method (what the user is or what the user has) must be produced before the system treats the user as properly authenticated.

The IRS systems today only support one form of “what you have” MFA: a one-time code sent by SMS to the user’s cell phone number.  While much better than not using MFA at all, the National Institute of Standards and Technology, U.S. Department of Commerce (NIST) has placed authentication over the public telephone network (SMS and voice) on a “restricted” list because of the risk that the message could be redirected to a device other than the one held by the intended user.[2]

The most likely redirection that could evade the IRS’s notice (or that of other organizations, such as your tax software vendor or bank) is SIM swapping, also called SIM jacking, in which a third party targets a specific victim.  Knowing the victim’s cell phone carrier and phone number, the attacker convinces an employee of the carrier to issue the attacker a replacement SIM card for the victim’s account (the small card inserted in a cell phone that ties that phone to the user’s phone number and account).

When that new card is activated, the phone number moves to the device with that card—now one held by the unauthorized user.  The attacker then receives the text and so can provide the second factor. The attacker, who would have previously arranged to phish the username/password combination, now has full access to the system and/or information meant to be protected from unauthorized access.

The good news is that this attack only works against a specifically targeted party, is relatively labor intensive to pull off, and the user will eventually notice that his/her phone no longer works, limiting the time the attacker has to take advantage of the access.  But it is still a possibility that would be best avoided if other options are available.

But even SMS-based MFA is far better than not using any MFA protection, as was noted in a study conducted by Google and researchers from New York University and the University of California, San Diego.  Even in a targeted attack, the SMS option blocked 76% of attempted account take-overs where attackers obtained the user’s username/password.  In the far more likely case of a bulk phishing attack, SMS blocked 96% of all attempts.[3]

The fact that the IRS uses SMS shapes, and somewhat blurs, the description of MFA in the news release, which treats a code sent to the phone as something the user “knows” rather than something the user “has”:

Multi-factor authentication means returning users must enter their username/password credentials plus another data point that only they know, such as a security code sent to their mobile phone. For example, thieves may steal passwords but will be unable to access the software accounts without the mobile phones to receive the security codes.[4]

Alternatives to SMS that should be preferred when a system offers them include:

  • Authenticator apps:  These applications are loaded on a phone and generate a six-digit code that changes every 30 seconds.  The system being logged into can generate the same code because it holds a shared secret created when MFA is first turned on (usually transferred to the phone as a QR code) and both sides compute the code from that secret and the current time.  Unlike SMS, a third party who SIM swaps the phone number does not obtain the secret, which is stored only on the physical phone running the authenticator app.  Most of these apps implement the TOTP standard (RFC 6238) originally made popular by Google Authenticator.  One caveat: because the code is typed in by the user, a convincing phishing page can still relay a freshly entered code to the real site within the 30-second window, so the app protects against stolen passwords and SIM swaps but not against real-time phishing.

  • Vendor-specific authenticators:  Some vendors provide the user with an app that is installed on the phone and which displays a prompt to approve or deny when access is attempted.  These can be secure if properly designed, but they are only as strong as the user’s habit of denying any prompt he/she did not initiate; an attacker holding the password can simply keep triggering prompts until a tired user taps “approve.”

  • Hardware keys:  The highest security option available today is a hardware key tied to an account that must be inserted into the computer or be within radio distance of a phone (for an NFC or Bluetooth connection) when access is attempted.  Because the key’s response is bound to the website’s actual address, a look-alike phishing page cannot obtain a response that the real site will accept.  The YubiKey by Yubico is an example of such a key.

Tax advisers should make use of the most secure option they have access to for all relevant systems.  The IRS news release notes:

Already, nearly two dozen tax practitioner firms have reported data thefts to the IRS this year. Use of the multi-factor authentication feature is a free and easy way to protect clients and practitioners’ offices from data thefts. Tax software providers also offer free multi-factor authentication protections on their Do-It-Yourself products for taxpayers.

“The IRS, state tax agencies and the private-sector tax industry have worked together as the Security Summit to make sure the multi-factor authentication feature is available to practitioners and taxpayers alike,” said Kenneth Corbin, Commissioner of the IRS Wage and Investment division. “The multi-factor authentication feature is simple to set up and easy to use. Using it may just save you from the financial pain and frustration of identity theft.”[5]

The IRS also notes that MFA is being offered by more and more organizations:

Multi-factor authentication protections are now commonly offered by financial institutions, email providers and social media platforms to protect online accounts. Users should always opt for multi-factor authentication when it is offered but especially with tax software products because of the sensitive data held in the software or online accounts.

Organizations attempting to get staff (including owners) to use MFA will encounter complaints that it’s “too complicated” or “gets in the way.” It is clearly inconvenient, but nowhere near as inconvenient as dealing with a data breach when a partner’s account gets compromised because he/she refused to figure out how to use MFA.

Now that the IRS has specifically told tax professionals they should be using MFA, a failure to implement such a requirement may expose the firm to disciplinary action and professional liability if a problem arises that regulators and/or clients note could have been prevented by the use of MFA.


[1] “IRS urges tax professionals, taxpayers to protect tax software accounts with multi-factor authentication,” IRS News Release IR-2020-32, February 14, 2020, https://www.irs.gov/newsroom/irs-urges-tax-professionals-taxpayers-to-protect-tax-software-accounts-with-multi-factor-authentication, retrieved February 15, 2020

[2] NIST Special Publication 800-63B, Digital Identity Guidelines, June 2017, Section 5.1.3.3, https://pages.nist.gov/800-63-3/sp800-63b.html, retrieved February 15, 2020

[3] “New research: How effective is basic account hygiene at preventing hijacking,” Google Security Blog, May 17, 2019, https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html, retrieved February 15, 2020

[4] IR-2020-32

[5] IR-2020-32