The U.S. Internal Revenue Service is asking tax professionals to enable additional forms of authentication in software that provides the option, as an improved defense against hacker takeover attempts.
The agency specifically refers to multi-factor authentication (MFA), which requires at least two supplementary data points besides the username/password combination to check the identity of a user.
A step down from this security standard is two-factor authentication (2FA), a subset of MFA, where the user needs to provide their credentials and another form of authentication, such as a code received on the phone or generated by an application.
Protect tax software accounts
The IRS's request that professionals enable MFA where possible is part of a five-part series of tips for protecting tax data, especially when working remotely. The campaign is called “Working Virtually: Protecting Tax Data at Home and at Work.”
To make its point, the agency describes a scenario where an attacker compromises a tax professional’s network or computer and uses malware to steal the login to their tax software account.
Without MFA or 2FA, the hacker can complete pending taxpayer returns, alter refund information, and file a fraudulent return. Adding one of these layers of security, though, prevents the attacker from accessing the account.
In this scenario, 2FA would prevent the account takeover since the attacker would need the second authentication code, which is typically obtained from the victim’s mobile phone (delivered either via text or generated by a dedicated app).
Starting in 2021, this extra security step will be a requirement for all providers of tax software to defend against unauthorized access to customer accounts.
The IRS seems to recommend 2FA, pointing professionals to authenticator-type apps in Google Play and the Apple Store to find security code generators that are compatible with their tax software.
The recommendation for 2FA goes beyond tax software, though: it should be used wherever possible, as threat actors are after credentials for other services, too (social media, email, cloud storage).
This public awareness initiative is from the IRS, state tax agencies, and the private-sector tax industry, all working together as the Security Summit.