Multi-Factor Authentication (MFA) Now Required (IR-2024-201)
Article #: 18589
Last Updated: November 04, 2024
As part of the IRS’ ongoing effort to bolster security for tax return preparers and taxpayers, multi-factor authentication (MFA) is now a federal requirement for all tax professionals accessing any system, application, or device containing taxpayer information (IR-2024-201).
The IRS Safeguards Program defines MFA by access that requires at least two of the following types of authentication:
-
Knowledge factors ("something you know”), such as a password, PIN, challenge question, or pattern
-
Possession factors ("something you have”), such as a hardware or software token or a code sent to an authorized party
-
Inheritance factors ("something you are”), such as biometric characteristics, including fingerprints or facial scans
The Federal Trade Commission (FTC) allows for other means of security so long as they meet or beat the MFA requirements above and are fully documented within the preparer’s written information security plan (WISP). Per 16 CFR 314.4(c)(5) of the FTC Safeguard Rules, tax professionals must “Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.”
Drake Software has been dedicated to protecting your and your clients’ data by automatically enabling MFA for preparers since Drake Tax 2021 and for all web-based applications thereafter (Drake Software single sign-on (SSO) accounts, including the Drake User Manager, Support site, Drake Portals (firms), Drake Zero, and Web1040). If tax professionals have other sufficient means of security that meet or exceed IRS MFA requirements, they may choose to disable MFA; however, those who disable MFA without adequate safeguards in place are in direct violation of FTC 16 CFR 314.4(c)(5). For this reason, Drake Software strongly recommends enabling MFA on all Drake Software products.
For information on MFA in Drake Software, refer to the applicable Knowledge Base article:
-
Drake User Manager (single sign-on account for Drake Software web-based applications) – See Drake User Manager – Overview and Configuration and Drake User Manager – Password Recovery and Expiration
-
Drake Portals (SecureFilePro) for Taxpayers (not active by default)