
MFA for Tax Software: Essential Security for Tax Professionals
Multi-factor authentication (MFA) for tax software has become a critical requirement for tax professionals, not just a recommended security practice. With the IRS Security Six framework and FTC Safeguards Rule (16 CFR Part 314) mandating enhanced cybersecurity measures, implementing MFA for tax software is now essential for compliance and client data protection.
Tax professionals handle some of the most sensitive financial information, making them prime targets for cybercriminals. Popular tax software platforms like Drake Tax, Lacerte, ProSeries, and UltraTax CS contain Social Security numbers, financial records, and personal identifying information that criminals actively seek. Without proper MFA implementation, your tax practice remains vulnerable to data breaches that could devastate your business and harm your clients.
According to the 2025 Verizon Data Breach Investigations Report, 81% of hacking-related breaches involve stolen or weak credentials. MFA implementation reduces the risk of credential-based attacks by 99.9%, according to Microsoft Security research. For tax professionals handling taxpayer data, this isn't just about security—it's about regulatory compliance and professional liability.
IRS Security Six and FTC Safeguards Rule Requirements
The IRS Security Six framework explicitly requires tax professionals to implement multi-factor authentication as part of their comprehensive cybersecurity strategy. This isn't merely a suggestion—it's a mandatory requirement for tax preparers who want to maintain their Preparer Tax Identification Number (PTIN) and avoid potential penalties.
Under the FTC Safeguards Rule (16 CFR § 314.4(c)), which applies to tax professionals as financial institutions, firms must implement access controls that include MFA for accessing customer information systems. The rule specifically states that covered institutions must "implement multi-factor authentication for any individual accessing customer information systems, unless the covered institution documents why such implementation is not feasible."
IRS Publication 4557, the Data Security Resource Guide for Tax Professionals, provides detailed guidance on implementing MFA for tax software. The publication emphasizes that MFA should be enabled on all systems containing taxpayer data, including tax preparation software, email systems, and cloud storage platforms. Specifically, Publication 4557 Section 3.4 outlines authentication requirements that align with NIST SP 800-63B digital identity guidelines.
Failure to comply with these requirements can result in IRS sanctions, including suspension of e-filing privileges, PTIN suspension, and potential FTC enforcement actions with civil penalties up to $250,000 per violation. The regulatory landscape continues to evolve, with the IRS increasing enforcement of cybersecurity requirements during the 2026 tax season.
2026 Tax Season Compliance Requirement
The IRS requires all tax preparers to have MFA implemented before the start of the 2026 filing season. Tax professionals without compliant multi-factor authentication face potential PTIN suspension and e-file privilege revocation. The FTC has also increased Safeguards Rule enforcement, with recent audits targeting firms that lack documented MFA implementation.
Understanding MFA Types for Tax Software
Multi-factor authentication requires users to provide at least two different types of authentication factors from separate categories: something you know (password or PIN), something you have (smartphone, hardware token, or smart card), or something you are (fingerprint, facial recognition, or other biometric).
For tax software implementations, the most common MFA methods include:
- Authenticator Apps – Software like Microsoft Authenticator, Google Authenticator, or Duo Mobile generate time-based one-time passwords (TOTP) that change every 30 seconds. This method is recommended by the IRS and aligns with NIST SP 800-63B authenticator assurance level 2 (AAL2) requirements.
- SMS Text Messages – A verification code sent to a registered mobile phone. While convenient, NIST guidelines note that SMS is vulnerable to SIM-swapping attacks and should be considered a lower-security option.
- Hardware Tokens – Physical devices like YubiKey or RSA SecurID that generate or store authentication credentials. These provide the highest security level but require upfront investment and device management.
- Push Notifications – Mobile app notifications that require approval to authenticate, combining convenience with security.
- Biometric Authentication – Fingerprint or facial recognition on supported devices, often used as a second factor alongside authenticator apps.
Most tax software platforms support multiple MFA methods, allowing firms to choose the approach that best balances security requirements with operational workflow needs.
Setting Up MFA on Major Tax Software Platforms
Each major tax software platform has implemented MFA capabilities to help tax professionals comply with IRS Security Six requirements. The setup process varies by platform, but all follow similar principles and support multiple authentication methods.
Drake Tax MFA Configuration
Drake Tax has implemented robust MFA capabilities that integrate with both the desktop application and Drake Portal online services. The platform supports authenticator apps (recommended), SMS verification, and email-based codes for account recovery.
Drake Tax MFA Setup Steps
1. Access Drake Portal Security Settings – Log into your Drake Portal account at portal.drakesoftware.com and navigate to Account Settings > Security.
2. Enable Multi-Factor Authentication – Click "Enable MFA" and select your preferred authentication method. Authenticator apps (Microsoft Authenticator, Google Authenticator, or Duo Mobile) are recommended for security.
3. Scan QR Code with Authenticator App – Open your authenticator app and scan the QR code displayed in Drake Portal. The app will generate a 6-digit verification code.
4. Enter Verification Code – Enter the 6-digit code from your authenticator app to verify the setup. Drake will confirm successful MFA activation.
5. Save Backup Codes – Drake provides 10 single-use backup codes. Print or securely save these codes in your password manager for emergency access if your primary device is unavailable.
6. Configure Firm-Wide Enforcement (Admins) – Practice administrators can navigate to Firm Settings > Security Policy to require MFA for all user accounts and set grace periods for compliance.
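What the QR scan, the 6-digit code and the single-use backup codes in the steps above correspond to on the server side, as an added example; this is not Drake's or any vendor's code. It assumes standard TOTP (RFC 6238 with HMAC-SHA1 and a 30-second step), and the `Enrollment` class and the issuer and account names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode

STEP = 30    # seconds each code is valid, matching the 30-second rotation
DIGITS = 6   # length of the code the authenticator app displays


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(key, int(now) // STEP)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that an enrollment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


class Enrollment:
    """Server-side second-factor state for one user (hypothetical class)."""

    def __init__(self, secret_b32=None):
        # 20 random bytes -> 32 base32 characters, shared once via the QR code.
        self.secret_b32 = secret_b32 or base64.b32encode(
            secrets.token_bytes(20)).decode()
        self.key = base64.b32decode(self.secret_b32)
        self.last_counter = -1       # highest time step already accepted
        self.backup_hashes = set()   # only hashes of backup codes are stored

    def verify(self, code: str, now: float, window: int = 1) -> bool:
        """Accept the current step +/- window for clock drift; refuse replays."""
        current = int(now) // STEP
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue             # this step (or a later one) was already used
            expected = hotp(self.key, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = counter
                return True
        return False

    def issue_backup_codes(self, count: int = 10) -> list:
        """Return fresh codes to show the user once; replaces any old set."""
        codes = [secrets.token_hex(8) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest()
                              for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Single use: a code is removed the moment it is accepted."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    import time
    user = Enrollment()
    # Constructed sample issuer and account, not real identifiers.
    print(provisioning_uri(user.secret_b32, "preparer@example.test",
                           "Example Tax Portal"))
    code = totp(user.key, time.time())
    print("code accepted:", user.verify(code, time.time()))
    print("same code replayed:", user.verify(code, time.time()))
    backups = user.issue_backup_codes()
    print("backup codes issued:", len(backups))
    print("first use:", user.redeem_backup_code(backups[0]))
    print("second use:", user.redeem_backup_code(backups[0]))
```

The code is computed from the shared secret and the clock on both sides, so nothing travels over the phone network at login time; anyone who can photograph the enrollment QR code, however, holds the same secret as the app.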
ProSeries and Lacerte MFA Implementation
ProSeries and Lacerte, both Intuit professional tax software solutions, share a unified MFA system through the Intuit Account platform. The implementation integrates seamlessly with both desktop applications and associated online services.
To enable MFA for ProSeries or Lacerte, log into your Intuit Account at accounts.intuit.com and navigate to Sign In & Security settings. Intuit supports authenticator apps, SMS verification, and voice call verification. For maximum security, select the authenticator app option and use Microsoft Authenticator, Google Authenticator, or Authy.
One unique aspect of Intuit's MFA implementation is its integration across the entire Intuit ecosystem. Tax professionals who use ProSeries Tax Online or Lacerte Tax Online benefit from unified MFA that protects both desktop and cloud environments with a single authentication setup. This integration is particularly valuable for practices that have adopted hybrid workflows combining traditional desktop preparation with cloud-based collaboration tools.
For firms with multiple team members, Intuit Account administrators can access the Team Management section to view MFA compliance status across all users. While Intuit does not currently force MFA at the administrator level, best practice is to require all users to enable MFA and document this requirement in your firm's Written Information Security Plan (WISP).
UltraTax CS and Lacerte CS MFA Setup
Thomson Reuters UltraTax CS and the CS Professional Suite have developed comprehensive MFA capabilities that integrate with the broader ecosystem of CS products. The implementation process involves both the desktop application and the associated cloud services that many large tax practices rely on for collaboration and data management.
UltraTax CS MFA implementation includes advanced features designed for enterprise-level tax practices. The system supports role-based authentication policies, allowing practice administrators to configure different MFA requirements based on user responsibilities and access levels. This granular control is particularly valuable for large firms that need to balance security requirements with operational efficiency.
Thomson Reuters provides MFA setup through the CS Professional Suite Portal. Administrators access Security Settings > Multi-Factor Authentication to enable firm-wide policies. The platform supports SAML-based single sign-on (SSO) integration with enterprise identity providers like Microsoft Azure AD, Okta, and OneLogin, allowing large firms to centralize authentication management across all business systems.
Key Takeaway
All major tax software platforms now support MFA, but simply enabling the feature isn't enough. Tax practices must enforce MFA across all user accounts, document the implementation in their WISP, and establish procedures for backup authentication and emergency access during tax season.
Best Practices for Tax Firms Implementing MFA
Successful MFA implementation in tax firms requires more than just enabling security features in your tax software. It demands a comprehensive approach that considers workflow impacts, staff training, and long-term maintenance requirements. The most effective implementations balance security requirements with operational efficiency, ensuring that MFA enhances rather than hinders your tax preparation processes.
Staff Training and Change Management
Staff training represents one of the most critical aspects of successful MFA implementation. Tax professionals often work under intense time pressure, especially during tax season, and any security measure that slows down their workflow will face resistance. Comprehensive training should cover not just the technical aspects of using MFA, but also the business and regulatory reasons why it's necessary.
Develop clear procedures for common MFA scenarios, including what to do when devices are lost or unavailable, how to handle backup codes, and procedures for accessing systems during emergencies. These procedures should be documented and easily accessible to all staff members, with regular refresher training to ensure everyone remains current on best practices.
Schedule MFA implementation during slower periods—ideally in late spring or summer after tax season ends. This gives staff time to adapt to the new authentication process without the pressure of client deadlines. Conduct hands-on training sessions where team members can set up MFA on their devices with IT support immediately available.
Device Management and Backup Planning
Device management becomes crucial when implementing MFA across a tax practice. Consider what happens when a key staff member's phone is lost or damaged during tax season. Establish clear policies for device registration, backup authentication methods, and emergency access procedures that maintain security while ensuring business continuity.
Best practices include:
- Require all staff to save backup codes in a secure password manager like 1Password, LastPass, or Bitwarden
- Maintain a secure physical backup code repository (locked safe) for critical accounts
- Document device replacement procedures so staff know exactly what to do if they lose their phone
- Register multiple devices for key staff members (primary phone + tablet or secondary phone)
- Establish an expedited MFA reset process for verified employees during tax season emergencies
- Consider hardware tokens as backup authentication devices for practice owners and administrators
For comprehensive guidance on implementing cybersecurity measures in tax practices, including MFA deployment strategies, visit our detailed guide on tax preparer security planning.
Tax Practice MFA Implementation Checklist
- Inventory all systems requiring MFA (tax software, email, cloud storage, portal access)
- Select primary MFA method for each platform (authenticator app recommended)
- Enable MFA on admin accounts first to test the process
- Create written MFA procedures including device loss and emergency access protocols
- Schedule staff training sessions with hands-on setup support
- Require all users to save backup codes in secure password manager
- Document MFA implementation in your Written Information Security Plan (WISP)
- Establish firm policy requiring MFA on all accounts with taxpayer data access
- Configure session timeout policies aligned with IRS Publication 4557 guidance
- Test emergency access procedures before tax season begins
- Set calendar reminders for annual MFA policy review and staff refresher training
IRS Publication 4557 MFA Requirements
IRS Publication 4557 provides the authoritative guidance for tax professionals implementing MFA as part of their cybersecurity requirements. The publication specifically addresses MFA implementation in the context of the broader Security Six framework, emphasizing that multi-factor authentication should be viewed as one component of a comprehensive security strategy rather than a standalone solution.
According to Publication 4557 Section 3.4, MFA must be implemented on all systems that access, store, or transmit taxpayer information. This includes not just tax preparation software, but also email systems, cloud storage platforms, and any other technology used in the tax preparation process. The publication emphasizes that MFA should use at least two different authentication factors from separate categories: something you know (password), something you have (phone or token), or something you are (biometric).
The IRS guidance aligns with NIST SP 800-63B Digital Identity Guidelines, which provide technical standards for authentication and lifecycle management. Tax professionals implementing MFA should aim for at least Authenticator Assurance Level 2 (AAL2), which requires two different authentication factors and is achieved through authenticator apps or hardware tokens.
The IRS guidance also addresses specific implementation considerations for tax professionals, including the need for backup authentication methods and procedures for handling MFA during peak tax season workflows. Publication 4557 recommends that tax professionals document their MFA implementation as part of their overall Written Information Security Plan (WISP), creating a clear record of security measures for compliance purposes.
Specific documentation requirements include:
- List of all systems where MFA is enabled
- Authentication methods used for each system
- Procedures for device registration and management
- Emergency access protocols and backup authentication procedures
- Staff training records showing MFA education completion
- Annual review dates and responsible parties for MFA policy updates
This documentation serves dual purposes: demonstrating compliance during IRS audits or PTIN reviews, and providing operational guidance for staff managing authentication systems throughout the year.
Overcoming MFA Implementation Challenges
While implementing MFA for tax software provides essential security benefits, tax practices often encounter specific challenges that can impact adoption and effectiveness. Understanding these challenges and developing proactive solutions ensures successful implementation that enhances rather than hinders your tax preparation operations.
Technology Integration Issues
Technology integration issues frequently arise when tax practices use multiple software platforms that may have different MFA requirements or capabilities. Some older tax software versions may have limited MFA support, while newer cloud-based solutions may require different authentication methods. The key is developing a unified approach that provides consistent security across all platforms while accommodating the specific requirements of each system.
Consider creating a technology inventory that documents all systems requiring MFA, their specific capabilities, and any integration requirements. This inventory becomes the foundation for developing implementation timelines and training programs that address the unique aspects of each platform your practice uses.
For practices using multiple tax software platforms (for example, Drake for individual returns and UltraTax CS for business returns), aim to standardize on a single authenticator app across all systems. Microsoft Authenticator and Google Authenticator both support multiple accounts, allowing staff to manage all their MFA codes in one application rather than juggling multiple authentication tools.
Seasonal Workflow Considerations
Seasonal workflow considerations present unique challenges for tax practices implementing MFA. During peak tax season, any additional steps in the login process can significantly impact productivity when preparers are working under tight deadlines. The solution involves careful planning of MFA implementation timing and configuration of authentication policies that balance security with operational efficiency.
Best practices for managing MFA during tax season include:
- Implement MFA during off-season (May-August) to allow adjustment period before peak workload
- Configure "remember this device" policies that reduce authentication frequency for trusted workstations while maintaining security
- Establish session timeout policies appropriate for tax season workflows—typically 30-60 minutes of inactivity rather than aggressive 10-15 minute timeouts
- Ensure all staff have backup codes saved and accessible before January 1st
- Designate a technology point person available during tax season to handle MFA issues quickly
- Test all MFA systems thoroughly in December to identify and resolve issues before filing season begins
Cost and Resource Constraints
Small and solo tax practices may perceive MFA implementation as requiring significant technology investment or IT expertise they don't have. In reality, modern MFA implementation using authenticator apps requires zero additional cost and minimal technical expertise. The authenticator apps are free, the tax software platforms include MFA at no extra charge, and setup typically takes less than 10 minutes per user.
For practices that lack in-house IT support, consider working with a specialized tax cybersecurity provider that can assist with MFA deployment, staff training, and ongoing security management. The investment in professional setup and training typically pays for itself through reduced security incident risk and improved compliance posture.
Remote Work and Mobile Access
Tax practices with remote staff or mobile workflows require special MFA configuration to maintain both security and accessibility. Cloud-based tax software platforms generally handle remote MFA seamlessly, but practices using desktop software accessed via remote desktop or VPN need additional planning.
For remote access scenarios, implement MFA at multiple layers: at the VPN level for network access, at the Windows login for workstation access, and at the tax software level for application access. This defense-in-depth approach ensures that even if one authentication layer is compromised, additional protections remain in place.
Mobile access considerations include ensuring staff can access authenticator apps on their smartphones even when working from different locations, and establishing clear procedures for handling MFA when staff are traveling or working from areas with limited cell coverage.
MFA Beyond Tax Software: Complete Practice Protection
While implementing MFA for tax software addresses the most critical compliance requirement, comprehensive security requires extending multi-factor authentication to all systems that access, store, or transmit taxpayer information. The IRS Security Six framework and FTC Safeguards Rule apply to your entire technology ecosystem, not just tax preparation applications.
Additional systems requiring MFA implementation include:
- Email Systems – Microsoft 365, Google Workspace, or other email platforms must have MFA enabled for all accounts. Email is the primary vector for phishing attacks targeting tax professionals, and compromised email accounts provide access to client communications and document attachments containing taxpayer data.
- Cloud Storage – Platforms like ShareFile, Dropbox Business, or OneDrive used to store tax documents or share files with clients require MFA protection. Review our guide on IRS-compliant cloud storage for complete requirements.
- Client Portals – Secure portals used for document collection and client communication must implement MFA for both staff and client access to meet IRS Publication 4557 standards.
- Practice Management Software – Systems like Canopy, TaxDome, or Karbon that contain client information and case management data should be protected with MFA.
- Remote Access Systems – VPNs, remote desktop gateways, and terminal servers used to access office systems remotely must require MFA before granting network access.
- Accounting and Time Tracking – QuickBooks Online, bill.com, and time tracking systems often contain sensitive practice financial information requiring protection.
Creating a comprehensive MFA deployment requires inventorying all cloud services and systems used in your practice, then systematically enabling MFA on each platform. Most modern business applications support MFA through the same authenticator apps used for tax software, making it simple to centralize all authentication codes in a single mobile application.
Complete Practice Protection
MFA for tax software is just the starting point. IRS Publication 4557 requires MFA on ALL systems accessing taxpayer data—including email, cloud storage, client portals, and remote access systems. A piecemeal approach leaves security gaps that violate compliance requirements and expose your practice to credential-based attacks.
Frequently Asked Questions About MFA for Tax Software
Yes, the IRS Security Six framework and FTC Safeguards Rule (16 CFR § 314.4(c)) require multi-factor authentication on all systems that access, store, or transmit customer information, including all tax software platforms. This applies regardless of which tax software you use—Drake, Lacerte, ProSeries, UltraTax, or any other professional tax preparation system. The requirement extends beyond tax software to include email, cloud storage, client portals, and any other technology handling taxpayer data.
Tax professionals who fail to implement required MFA face multiple consequences: IRS sanctions including potential PTIN suspension and revocation of e-file privileges, FTC enforcement actions with civil penalties up to $250,000 per violation of the Safeguards Rule, increased liability exposure in the event of a data breach, and potential professional malpractice claims if client data is compromised due to inadequate security. Additionally, cyber insurance policies increasingly require MFA implementation, and failure to comply may void coverage in the event of a breach.
While most tax software platforms support SMS-based MFA as an option, authenticator apps are strongly recommended by both the IRS and NIST (National Institute of Standards and Technology). SMS messages are vulnerable to SIM-swapping attacks where criminals hijack your phone number to intercept verification codes. NIST SP 800-63B guidelines note that SMS should be considered a lower-security authentication method. Authenticator apps like Microsoft Authenticator, Google Authenticator, or Duo Mobile generate codes locally on your device and are not vulnerable to interception, making them the preferred choice for tax software protection. Use SMS only as a backup method, not your primary MFA approach.
Configure your MFA settings to balance security with operational efficiency during tax season. Most tax software platforms offer "remember this device" options that reduce authentication frequency for trusted workstations—you'll authenticate once per session or once per day rather than with every login. Set session timeout policies to 30-60 minutes rather than aggressive 10-15 minute timeouts that force frequent re-authentication. Ensure all staff have backup codes saved before January 1st, and designate a technology point person to quickly resolve MFA issues. The key is implementing MFA during the off-season (May-August) so staff become comfortable with the process before peak workload periods.
This is why backup codes are essential. When you first set up MFA on tax software, the platform provides backup codes (typically 10 single-use codes). Save these immediately in a secure password manager like 1Password, LastPass, or Bitwarden, and consider printing a copy to store in a locked safe at your office. If your phone is lost or broken, use one of these backup codes to access your account, then immediately register a new device and generate new backup codes. For practice owners, consider registering multiple devices (primary phone plus tablet or secondary phone) or keeping a hardware token as an emergency backup authentication method. Document your device replacement procedures in your Written Information Security Plan so staff know exactly what to do in an emergency.
Most tax professionals can use a single authenticator app (like Microsoft Authenticator or Google Authenticator) to manage MFA codes for multiple tax software platforms and other business systems. The authenticator app stores multiple accounts, each generating its own 6-digit code. When you enable MFA on Drake, ProSeries, Lacerte, or UltraTax, you scan a QR code that adds that platform to your authenticator app. The same app can also manage MFA for your email, cloud storage, and other business systems. This centralized approach is much simpler than managing separate authentication methods for each platform. Just ensure you save the backup codes separately for each system, as they are platform-specific.
MFA significantly reduces ransomware risk by blocking the most common initial access method: stolen credentials. According to the 2025 Verizon DBIR, 81% of hacking-related breaches involve compromised credentials. By requiring a second authentication factor, MFA prevents attackers from accessing your systems even if they obtain passwords through phishing, data breaches, or password-guessing attacks. However, MFA is just one component of comprehensive ransomware protection. Tax practices also need endpoint protection, email security, regular backups, and staff security awareness training to fully defend against ransomware threats.
Your Written Information Security Plan (WISP) should include a dedicated section documenting your MFA implementation. Specific elements to document include: a list of all systems where MFA is enabled (tax software, email, cloud storage, etc.), the authentication methods used for each system (authenticator app, hardware token, etc.), procedures for device registration and management, emergency access protocols and backup authentication procedures, staff training records showing MFA education completion, and annual review dates with responsible parties for MFA policy updates. This documentation demonstrates compliance during IRS PTIN reviews or FTC audits. Download our free WISP template which includes a pre-formatted MFA documentation section you can customize for your practice.
Client-facing secure portals present a unique MFA challenge. While IRS Publication 4557 emphasizes that systems accessing taxpayer data require MFA, requiring clients to set up authenticator apps creates friction that may reduce portal adoption. Best practice is to implement MFA for all staff accounts accessing the portal (mandatory), while offering MFA as an optional security enhancement for client accounts. At minimum, implement strong password requirements and email verification for client accounts. For high-net-worth clients or those with particularly sensitive information, encourage or require MFA enrollment. Document your client portal authentication policies in your WISP, explaining how you balance security requirements with client accessibility.
Two-factor authentication (2FA) is a specific type of multi-factor authentication that requires exactly two authentication factors. MFA is the broader term that includes 2FA but can also involve three or more factors. In practical terms for tax software, the distinction doesn't matter—most implementations use exactly two factors (password + authenticator code) and the terms are used interchangeably. What matters is using factors from different categories: something you know (password) plus something you have (phone with authenticator app) or something you are (biometric). For more details on authentication terminology, see our guide on two-factor authentication for tax software.



