
MFA for Tax Software: IRS-Required Security Every Tax Professional Needs
Multi-factor authentication (MFA) for tax software is a mandatory compliance requirement under both the IRS Security Six framework and the FTC Safeguards Rule (16 CFR Part 314) — not an optional best practice. Tax professionals who handle taxpayer data must implement MFA across all systems or face real regulatory consequences, including PTIN suspension, e-filing privilege revocation, and civil penalties up to $250,000 per incident.
The reason tax firms are targeted so aggressively is straightforward: Drake Tax, Lacerte, ProSeries, UltraTax CS, and similar platforms hold Social Security numbers, financial records, and personally identifiable information (PII) for hundreds or thousands of clients. That concentration of sensitive data makes a single compromised login extraordinarily valuable to attackers. According to the 2025 Verizon Data Breach Investigations Report, stolen or weak credentials remain the leading cause of hacking-related breaches — and MFA directly neutralizes that attack vector by making stolen passwords alone insufficient for account access.
This guide covers what the IRS and FTC actually require, which MFA methods meet those standards, step-by-step setup for Drake, ProSeries, Lacerte, and UltraTax CS, and how to document your implementation in a compliant Written Information Security Plan (WISP).
Tax Cybersecurity By The Numbers
IBM Cost of Data Breach Report 2024
Verizon DBIR 2025 — MFA eliminates most of this risk
FTC Safeguards Rule civil penalties for non-compliant firms
2026 Compliance Requirement — MFA Is Mandatory
All tax preparers handling taxpayer data must have MFA enabled on all in-scope systems for the 2026 filing season. The FTC Safeguards Rule MFA provisions have been fully in effect since June 2023, and the IRS has increased cybersecurity enforcement as part of its identity theft prevention initiative. Firms without MFA risk PTIN suspension, e-filing privilege revocation, and FTC enforcement action.
What the IRS and FTC Actually Require
Two separate federal regulatory frameworks govern MFA requirements for tax professionals, and both carry enforcement authority. Understanding which rules apply — and where they overlap — is the foundation of a compliant security posture.
IRS Security Six and Publication 4557
The IRS Security Six is a set of baseline cybersecurity actions required of all tax professionals. MFA is listed explicitly as one of the six. IRS Publication 4557, the Data Security Resource Guide for Tax Professionals, specifies in Section 3.4 that MFA must be enabled on all systems that access, store, or transmit taxpayer information — not just tax preparation software, but also email, cloud storage, and client portals.
The technical requirements align with NIST SP 800-63B Digital Identity Guidelines, targeting Authenticator Assurance Level 2 (AAL2), which requires two distinct authentication factors from separate categories. Non-compliance puts your Preparer Tax Identification Number (PTIN) at risk. The IRS has signaled increasing enforcement of cybersecurity requirements, and failure to implement MFA can result in e-filing privilege suspension — effectively shutting down your practice during filing season. For a full breakdown of what's required to maintain your PTIN, see our guide to PTIN and WISP requirements for tax preparers.
FTC Safeguards Rule (16 CFR Part 314)
The Gramm-Leach-Bliley Act (GLBA), enacted in the late 1990s, established the legal foundation for protecting consumer financial data by defining "financial institutions" broadly — a definition that explicitly includes tax preparation services. The FTC updated its implementing Safeguards Rule in 2021, with MFA provisions taking full effect in June 2023.
Under 16 CFR § 314.4(c), tax preparers must implement access controls that include MFA for any individual accessing customer information systems. The rule permits a narrow exception: firms may document why MFA is not technically feasible for a specific system. In practice, this exception rarely applies — and convenience is not a valid justification. The FTC has pursued enforcement actions against firms of all sizes, with penalties documented at over $100,000 plus personal liability risk for firm principals. Learn more about how these requirements specifically apply to your practice in our detailed guide to FTC Safeguards Rule compliance for tax preparers.
Understanding MFA Types: Which One Should Tax Firms Use?
Multi-factor authentication (MFA) — sometimes called two-factor authentication (2FA) — requires users to verify their identity using at least two factors from distinct categories: something you know (password or PIN), something you have (phone, hardware token, or smart card), or something you are (fingerprint or facial recognition). Combining factors from different categories is what makes MFA for tax software effective — if an attacker steals a password, they still cannot access the system without the physical device or biometric tied to that account.
For tax software specifically, five authentication methods are in common use, and they are not all equal in terms of security or regulatory alignment:
- Authenticator Apps (Recommended) — Microsoft Authenticator, Google Authenticator, or Duo Mobile generate time-based one-time passwords (TOTP) that rotate every 30 seconds. This method satisfies NIST SP 800-63B AAL2 requirements, is the IRS's preferred approach, works offline, costs nothing, and is not vulnerable to SIM-swapping attacks.
- SMS Text Message Codes — A verification code sent to a registered mobile number. Convenient, but NIST guidelines classify SMS as a reduced-security option due to SIM-swapping and SS7 protocol vulnerabilities. Acceptable for baseline compliance but not recommended as the primary method for accounts with access to all client data.
- Hardware Tokens — Physical devices like YubiKey or RSA SecurID generate or store authentication credentials independently of a smartphone. These provide the strongest security posture and are worth considering for practice owners and administrators with broad access to client records.
- Push Notifications — Mobile app notifications (common in Duo Security and Microsoft Authenticator) that require an explicit tap to approve. Fast, user-friendly, and substantially more secure than SMS.
- Biometric Authentication — Fingerprint or facial recognition, typically layered on top of a password as the second factor. Widely available on modern smartphones and laptops, and increasingly integrated into tax software login flows.
The practical takeaway: authenticator apps offer the best combination of strong security, zero cost, and ease of use for most tax practices. Hardware tokens are worth the investment for owners or administrators whose credentials would give an attacker access to every client's records. SMS is a fallback, not a first choice — particularly as the IRS and NIST continue signaling that SMS-based MFA may face stricter scrutiny in future guidance updates.
MFA Rollout: Implementation Steps for Tax Practices
Inventory All In-Scope Systems
List every platform that accesses, stores, or transmits taxpayer data: tax software, email, cloud storage, client portals, remote access tools, and practice management software.
Choose Your Authenticator App
Select one authenticator app (Microsoft Authenticator, Google Authenticator, or Duo Mobile) for firm-wide standardization. One app for all platforms simplifies staff training.
Enable MFA on Tax Software First
Configure MFA on Drake, ProSeries, Lacerte, or UltraTax CS before rolling out to other systems. Use the platform-specific setup steps below. Start with the practice owner account, then all staff accounts.
Extend to Email and Cloud Storage
Enable MFA on Microsoft 365 or Google Workspace, then on ShareFile, Dropbox Business, or OneDrive. Email breaches can expose every document your firm has ever shared with clients.
Configure Remote Access Controls
Require MFA at the VPN and remote desktop gateway level, in addition to the application level. This defense-in-depth approach ensures no single compromised factor grants full access.
Document in Your WISP
Record the authentication method, device registration procedures, backup codes policy, and staff training dates in your Written Information Security Plan per IRS Publication 4557 Section 3.4.
Train Staff and Test Recovery Procedures
Ensure every staff member has backup codes saved and knows how to authenticate if their primary device is unavailable. Test recovery procedures before filing season begins.
Step-by-Step MFA Setup for Major Tax Software Platforms
Each major tax software platform has its own MFA configuration path. Setup is straightforward across all of them, typically taking under 10 minutes per user account. The steps below cover the four most widely used platforms.
Drake Tax MFA Configuration
Drake Tax supports authenticator apps (recommended), SMS verification, and email-based backup codes. MFA applies to both the desktop application login and Drake Portal online services. To enable MFA, log into your Drake Tax account at drakesoftware.com, navigate to Account Settings, and select Two-Factor Authentication. Follow the prompts to scan the QR code with your authenticator app or enter your mobile number for SMS. Drake recommends enabling MFA on the practice owner account first, then rolling out to all staff before configuring portal access for clients.
ProSeries and Lacerte (Intuit Account)
ProSeries and Lacerte share a unified authentication system through the Intuit Account platform. Log into accounts.intuit.com, navigate to Sign In & Security, and select Two-step verification. Intuit supports authenticator apps, SMS, and voice call verification — select the authenticator app option and scan the QR code with Microsoft Authenticator, Google Authenticator, or Authy.
One useful feature of Intuit's implementation: a single MFA setup covers the entire Intuit ecosystem. Tax professionals using ProSeries Tax Online or Lacerte Tax Online benefit from unified MFA that protects both desktop and cloud environments simultaneously. Firm administrators can access the Team Management section to audit MFA compliance status across all staff accounts — verify that every team member has MFA active well before January.
UltraTax CS and CS Professional Suite (Thomson Reuters)
Thomson Reuters provides MFA setup through the CS Professional Suite Portal. Administrators navigate to Security Settings > Multi-Factor Authentication to enable firm-wide policies. UltraTax CS supports role-based authentication policies, allowing practice administrators to configure different MFA requirements by user role and access level — a useful control for larger firms with tiered staff permissions.
For enterprise practices, UltraTax CS integrates with SAML-based single sign-on (SSO) providers including Microsoft Azure AD, Okta, and OneLogin, centralizing authentication management across all business systems. If your firm already uses one of these identity providers, configure UltraTax CS to authenticate through your existing SSO rather than maintaining a separate credential set. For broader guidance on securing all technology your practice uses, review our overview of online tax filing security risks.
MFA Compliance Checklist for Tax Firms
- MFA enabled on all tax software platforms (Drake, ProSeries, Lacerte, UltraTax CS)
- MFA enabled on all firm email accounts (Microsoft 365, Google Workspace)
- MFA enabled on cloud storage platforms (ShareFile, Dropbox Business, OneDrive)
- MFA required at VPN and remote desktop gateway before network access is granted
- MFA enabled on practice management software (Canopy, TaxDome, Karbon)
- MFA enabled on client portals for staff access
- All staff have completed MFA setup and have backup codes saved
- WISP documents the authentication method and procedures for every in-scope system
- Device registration and emergency access procedures are documented and tested
- Annual MFA review is scheduled and assigned to a named staff member
WISP Documentation Requirements for MFA
IRS Publication 4557 frames MFA as one component of a broader security strategy — not a standalone fix. Section 3.4 is explicit: MFA must be implemented on all in-scope systems, and tax professionals must document their implementation as part of their Written Information Security Plan (WISP). Without that documentation, your MFA deployment is invisible to regulators reviewing your compliance posture.
That documentation requirement serves two purposes. First, it demonstrates compliance if you are ever subject to an IRS audit, PTIN review, or FTC inquiry. Second, it provides operational continuity guidance so staff know exactly what to do when a device is lost, an account is locked, or a new employee needs onboarding.
A WISP that references MFA in general terms without specifics does not satisfy the requirement under Publication 4557. Your WISP's MFA section should include a complete inventory of all systems where MFA is enabled, the authentication method used for each system, device registration and replacement procedures, emergency access and backup authentication protocols, staff training records with completion dates, and annual review dates with the staff member responsible for MFA policy maintenance.
Use our WISP template for tax preparers to build a compliant document from scratch, or review the detailed requirements in our guide to PTIN and WISP requirements to identify gaps in an existing plan. The IRS Publication 5708 sample WISP provides an official starting point, but it requires customization to reflect your firm's actual systems and procedures.
Bottom Line
MFA implementation is a 10-minute task that eliminates the most common attack vector against tax practices. Authenticator apps are free, every major tax platform supports them, and the regulatory requirement under both IRS Publication 4557 and the FTC Safeguards Rule has no size exemption. The risk profile for non-compliance — PTIN suspension, FTC penalties, and breach liability — makes delay difficult to justify for any firm size.
Overcoming Common MFA Implementation Challenges
Tax practices encounter predictable obstacles when deploying MFA for tax software and related systems. Most are solvable with planning — and implementation is substantially easier when it happens during the off-season rather than in January under filing deadline pressure.
Managing Multiple Software Platforms
Firms using both Drake for individual returns and UltraTax CS for business returns face the practical problem of managing multiple MFA setups across different vendor systems. The solution is standardizing on a single authenticator app across all platforms. Microsoft Authenticator and Google Authenticator both support unlimited accounts, so staff can manage every platform's MFA codes from one app rather than juggling separate authentication tools for each system. This single-app approach also makes staff training straightforward — learn the process once, apply it everywhere.
Seasonal Workflow Pressure
Any additional login step creates friction during peak filing season, and staff will resist changes that slow them down under deadline pressure. Address this proactively by implementing MFA between May and August, configuring "remember this device" policies for trusted, firm-owned office workstations, and setting session timeout policies appropriate for tax season workflows — typically 30 to 60 minutes of inactivity rather than aggressive 10-minute lockouts that frustrate staff in the middle of complex return preparation. Before January 1st, verify that all staff have backup codes saved and know how to use them.
Solo and Small Practice Constraints
Solo and small practices often assume MFA requires significant technology investment. It does not. Authenticator apps are free, every major tax software platform includes MFA at no additional charge, and setup takes less than 10 minutes per user. For practices without in-house IT support, a specialized cybersecurity provider for accounting firms can handle deployment, staff training, and WISP documentation — typically for far less than the cost of a single data breach incident response engagement. There is no size exemption under the FTC Safeguards Rule, and the IRS applies the same Publication 4557 requirements regardless of whether a firm files 50 returns or 5,000.
Remote and Mobile Access
Practices with remote staff or field preparers need MFA configured at multiple layers: at the VPN for network access, at the workstation login for device access, and at the tax software level for application access. This defense-in-depth approach ensures that bypassing one authentication layer still leaves additional controls in place. Establish clear procedures for how remote staff handle MFA when working from areas with limited cell coverage — hardware tokens work without a network connection and are a reliable backup in these scenarios. For a broader look at securing distributed teams, our remote work security guide for small teams covers VPN configuration, device management, and access controls.
MFA Beyond Tax Software: Securing Your Entire Practice
Implementing MFA for tax software satisfies the most visible compliance requirement — but both the IRS Security Six and the FTC Safeguards Rule apply to your entire technology environment. Any system that accesses, stores, or transmits taxpayer information is in scope.
A compromised email account, for example, can expose every client document attachment and communication thread your firm has ever sent or received — months of sensitive data made accessible through a single weak password. The risk posed by phishing attacks targeting tax professionals is particularly acute here, since email is the primary delivery mechanism for phishing campaigns and the first account attackers target once inside your network.
The full list of systems requiring MFA in a typical tax practice extends well beyond your preparation software:
- Email (Microsoft 365, Google Workspace) — Enable MFA on all firm email accounts without exception. Email breaches are particularly damaging because attackers can use compromised inboxes to reset passwords on every other platform.
- Cloud Storage (ShareFile, Dropbox Business, OneDrive) — Any platform used to store or share tax documents requires MFA for all users with access. Review the full requirements for secure tax client portals and document handling to ensure your practices meet regulatory standards.
- Client Portals — Secure portals used for document collection must implement MFA for staff access and should strongly encourage or require it for clients submitting sensitive documents.
- Practice Management Software (Canopy, TaxDome, Karbon) — These platforms contain client records, case notes, billing data, and communication histories. They are explicitly in scope under Publication 4557 and the Safeguards Rule.
- Remote Access Systems — VPNs and remote desktop gateways must require MFA before granting network access. Unauthenticated remote access is one of the leading ransomware entry points for tax practices, and a compromised remote access credential can give an attacker persistent access to your entire network. Learn more about how ransomware attacks work and why remote access is a primary target.
- Accounting and Billing Software (QuickBooks Online, Bill.com) — These systems contain sensitive firm financial data and are increasingly targeted by attackers who establish a foothold in a network through tax software before pivoting to financial systems.
The practical approach is building your MFA deployment around a single authenticator app that covers all platforms. Once staff are comfortable using it for tax software, adding accounts for email and cloud storage takes seconds per user. For firms managing MFA across multiple office locations, our guide to centralized security management for multi-location tax offices covers policy enforcement and auditing across distributed environments.
Need Help with MFA Implementation?
Our security team specializes in helping tax professionals deploy MFA, build compliant WISPs, and meet IRS Publication 4557 and FTC Safeguards Rule requirements — without disrupting filing season workflows.
Why Tax Preparers Are Classified as Financial Institutions
Many tax professionals are surprised to learn they are classified as financial institutions under federal law — and that this classification directly creates their MFA obligation. The Gramm-Leach-Bliley Act (GLBA), enacted in the late 1990s, defined financial institutions broadly to include any business that provides financial products or services to consumers. Tax preparation falls squarely within that definition, which subjects tax preparers to the FTC's Safeguards Rule regardless of firm size, revenue, or number of returns filed annually.
The practical consequence is that the MFA requirement has two independent legal sources. Even if the IRS were to modify its Security Six guidance, the FTC Safeguards Rule would still independently require MFA for any individual accessing customer information systems. Non-compliance exposes tax professionals to enforcement from two separate federal agencies — a dual liability that makes the compliance calculus straightforward.
The reputational consequences of a breach extend beyond regulatory penalties. Tax professionals who experience a data breach face client loss, potential professional liability claims, and in severe cases, business closure. Understanding the full scope of what to do after a data breach — including notification obligations, regulatory reporting, and client communication — underscores why preventive controls like MFA are far less disruptive than incident response. For firms that want to build out a full incident preparedness posture, our incident response plan guide for tax practices covers the key components required under Publication 4557.
Given that MFA implementation costs nothing for most platforms and takes minutes to configure, the risk profile for non-compliance is difficult to justify. The IRS Publication 4557 compliance requirements are detailed and specific — but MFA is one of the most straightforward items on that list to implement.
Staying Current as MFA Requirements Evolve
The regulatory environment around MFA for tax software is tightening, not stabilizing. The FTC has signaled ongoing review of its Safeguards Rule technical requirements as authentication technology evolves, and the IRS has increased its focus on cybersecurity enforcement as part of broader efforts to combat tax-related identity theft. The identity theft prevention resources for tax professionals published through the IRS's Security Summit initiative reflect this increased regulatory attention to authentication specifically.
The National Association of Tax Professionals (NATP) and IRS Stakeholder Liaison teams regularly publish updated guidance on security requirements — following these channels keeps your firm ahead of changes rather than scrambling to catch up. The direction of travel is toward stronger authentication methods. SMS-based MFA, while currently acceptable for baseline compliance, faces increasing scrutiny from NIST and the FTC as SIM-swapping attacks become more common. Firms that adopt authenticator apps or hardware tokens now will be positioned for future regulatory updates without needing to re-deploy their entire authentication infrastructure.
Annual review of your MFA implementation — documented in your WISP — satisfies the review requirements under both IRS Publication 4557 and the FTC Safeguards Rule. That review should include verifying that every in-scope system still has MFA enabled, confirming that new staff have completed MFA setup and training, updating the system inventory if new platforms were added during the year, and testing backup and recovery procedures to confirm they work when needed. If any staff members left the firm during the year, verify that their MFA-enrolled devices have been removed from all platforms to prevent unauthorized access through former employee credentials. For small firms building out their security program, our WISP guide for small tax firms covers the annual review process in detail.
Get Your Tax Practice Fully MFA-Compliant in 2026
Our cybersecurity team specializes in helping tax professionals meet IRS Publication 4557 and FTC Safeguards Rule requirements — including MFA deployment, WISP documentation, and staff training.
Frequently Asked Questions
MFA for tax software is required under two separate federal regulatory frameworks. The IRS Security Six — documented in IRS Publication 4557 — lists MFA as one of six mandatory baseline security controls for all tax professionals. Separately, the FTC Safeguards Rule (16 CFR Part 314) requires tax preparers — who qualify as financial institutions under the Gramm-Leach-Bliley Act — to implement MFA for any individual accessing customer information systems. Both rules carry enforcement authority. Non-compliance can result in PTIN suspension from the IRS and civil penalties up to $250,000 per incident from the FTC.
Authenticator apps (Microsoft Authenticator, Google Authenticator, or Duo Mobile) are the recommended method for tax software. They satisfy NIST SP 800-63B Authenticator Assurance Level 2 (AAL2) requirements, work offline, cost nothing, and are not vulnerable to SIM-swapping attacks that can intercept SMS codes. SMS is acceptable for baseline compliance under current IRS and FTC rules, but NIST guidelines classify it as a reduced-security option. For practice owners and administrators with broad access to client data, hardware tokens like YubiKey provide the strongest available protection.
MFA is required on all systems that access, store, or transmit taxpayer information — not just tax preparation software. Under IRS Publication 4557 Section 3.4 and the FTC Safeguards Rule, in-scope systems include email accounts (Microsoft 365, Google Workspace), cloud storage (ShareFile, Dropbox Business, OneDrive), client portals, practice management software (Canopy, TaxDome, Karbon), remote access tools (VPNs, remote desktop gateways), and accounting software. A compromised email account can expose every client document your firm has ever shared and enable password resets on every other platform.
The IRS can suspend your Preparer Tax Identification Number (PTIN) for failure to meet cybersecurity requirements, including the MFA requirement in Publication 4557. PTIN suspension means you cannot legally prepare federal tax returns for compensation. Additionally, the IRS can revoke e-filing privileges, preventing your firm from electronically submitting returns on behalf of clients — a significant operational disruption during filing season. The FTC can independently pursue civil enforcement action and penalties. See our PTIN and WISP requirements guide for the full enforcement picture.
Your Written Information Security Plan (WISP) must document MFA implementation at the system level — not just a general statement that MFA is enabled. Per IRS Publication 4557, your WISP's MFA section should include: a complete inventory of all systems where MFA is enabled, the authentication method used for each system (authenticator app, SMS, hardware token), device registration and replacement procedures, emergency access and backup authentication protocols, staff training records with completion dates, and the name of the staff member responsible for annual MFA policy review. Use our WISP template for tax preparers to ensure your documentation meets the regulatory standard.
No. There is no size exemption from the MFA requirement under IRS Publication 4557 or the FTC Safeguards Rule. Both frameworks apply to all tax professionals who handle taxpayer data, regardless of firm size, revenue, or the number of returns filed annually. The FTC's Safeguards Rule does allow a narrow exception for systems where MFA is not technically feasible — but convenience is not a valid reason, and this exception rarely applies to standard tax software platforms. Authenticator apps are free and setup takes under 10 minutes per user, so the compliance cost is minimal for practices of any size.
Two-factor authentication (2FA) and multi-factor authentication (MFA) describe the same concept with slightly different scope. 2FA specifically means exactly two factors; MFA means two or more factors. In practice, the terms are used interchangeably in tax software vendor documentation, IRS guidance, and FTC Safeguards Rule materials. Both refer to the same requirement: users must verify their identity using at least two distinct factor types — something they know (password), something they have (phone or token), or something they are (biometric). Either term in a vendor's settings satisfies the IRS and FTC requirement when implemented correctly.
Remote staff need MFA configured at three layers: at the VPN or remote desktop gateway (for network access), at the workstation login (for device access), and at the tax software application level. This layered approach — sometimes called defense in depth — ensures that compromising one authentication layer does not grant full access. For staff working from areas with limited cell coverage where SMS codes may not deliver, hardware tokens work without any network connection and are a reliable backup. Document remote access procedures in your WISP, including how staff authenticate when their primary MFA device is unavailable. Our remote work security guide covers these configurations in detail.
IRS Publication 4557 and the FTC Safeguards Rule both require annual review of your security controls, including MFA. Your annual MFA review should verify that every in-scope system still has MFA enabled, confirm that new staff have completed MFA setup and training, update the system inventory if new platforms were added during the year, test backup and recovery procedures to confirm they work, and remove MFA-enrolled devices for any staff who left the firm. Document the review date and findings in your WISP. If your firm adopted any new software platforms during the year — a new practice management tool, a new client portal, or a new cloud storage service — ensure those systems are added to your MFA policy immediately, not at the next annual review.
IRS Publication 4557 and the FTC Safeguards Rule specifically require MFA for staff and firm personnel accessing systems that contain taxpayer data. Requiring MFA from clients is not explicitly mandated for the client-facing side of portals, but it is strongly recommended as a best practice — particularly when clients upload sensitive documents like W-2s, Social Security cards, or financial statements. Many secure portal platforms (ShareFile, TaxDome, Canopy) offer client-side MFA as an option. Enabling it for clients adds a meaningful layer of protection for data in transit and at rest, and reduces your firm's exposure if a client's own account is compromised. See our guide on securing tax client portals for platform-specific settings.
Schedule
Need help with IRS compliance?
Our tax cybersecurity specialists can review your security posture and help you get compliant.


