
What you need to know about the IRS’s MFA requirements

February 01, 2023 | Victoria Savage

If you’ve managed federal tax information in the past few months, you may have noticed the introduction of multi-factor authentication to the process.

As part of the IRS’s initiative to ensure tax professionals are protecting their client data, the IRS began mandating the use of MFA on critical infrastructure. In this article, we’ll dig into what those requirements are, why they were introduced, and how you can ensure your company is compliant.

What are the IRS’s MFA requirements?

Here’s what the IRS’s guidelines on multi-factor authentication implementation say:

  • Tax Information Security Guidelines for Federal, State, and Local Agencies (Pub. 1075) requires that all access to federal tax information (FTI) occurs from agency-owned equipment.
  • It also requires that any remote access has multi-factor authentication implemented.
  • Remote access, defined by Pub. 1075, is any access to an agency information system by a user communicating through an external network (i.e. the internet).

The IRS regulation uses the NIST Digital Identity Guidelines to inform what methods of authentication are valid, and the minimum controls each authentication method should have in place.

These regulations define the minimum requirements for each of the three identity dimensions: something you know, something you have, and something you are. The guidelines should be reviewed in full by relevant IT personnel at your organization.

If you’re unsure if your MFA implementation meets the NIST standards, feel free to reach out to us.

Why has the IRS introduced MFA requirements?

In the words of the IRS themselves, “of the numerous data thefts reported to the IRS from tax professional offices this year, most could have been avoided had the practitioner used multi-factor authentication to protect tax software accounts.”

Those numbers hold up across the board. According to IBM’s 2022 Cost of a Data Breach report, cyber attacks caused by stolen and compromised credentials are the most common, take the longest to identify, and cost $150,000 USD more than the average data breach.

The effects of this are magnified when sensitive data is stolen, such as Social Security Numbers (SSNs), federal tax information, or banking information.

Multi-factor authentication prevents attacks that are caused by stolen and compromised credentials. Because it requires more than just a password to authenticate someone’s identity, hackers have a harder time infiltrating your critical infrastructure and stealing sensitive data.

Recently, one of our MSP partners told us about a time when MFA prevented $10 million USD in losses for one of their law firm clients. For more information on how to use MFA to protect your organization’s data, or your clients’ data, reach out to us today.

Do the IRS’s MFA requirements apply to my company?

If your organization handles or files United States federal tax information on behalf of clients, these regulations apply to you. Your organization’s IT administrators should implement MFA on your critical infrastructure, especially remote access and email services.

If your IT is handled through a third-party Managed Services Provider (MSP) or Managed Security Service Provider (MSSP), they can implement MFA on your infrastructure. In some cases, they may be asked to certify to the IRS that MFA has been correctly set up on your system.

MSPs and MSSPs looking for more information on ensuring their clients have MFA fully implemented should reach out.

How do I get started with MFA implementation?

MFA is a crucial cybersecurity control to keep you and your clients safe from cyber threats. Now that the IRS is mandating its use, your cybersecurity posture may need to be improved.

MFA doesn’t have to be a complicated process. Our MFA solution, LoginTC, can be set up in just one hour. We also provide expert advice on MFA compliance and regulations including for the IRS, cyber insurance, and supply chain requirements.

Contact us today to start your free trial.
