Why Security Six 2FA Matters for Tax Preparers
In today’s digital environment, implementing Security Six 2FA (two-factor authentication) is essential for tax professionals handling sensitive client data. As tax preparers manage nonpublic personal information (NPPI)—Social Security numbers, bank account details, and complete tax returns—the IRS Security Six requirements provide critical protection against unauthorized access. Two-factor authentication requires tax preparers to provide two distinct forms of identification—typically a password plus a time-based code, hardware token, or biometric factor—before accessing tax software, client portals, or e-file systems.
The IRS’s Security Six (Publication 4557) identifies 2FA (often called multifactor authentication, or MFA, when more than two factors are used) as a foundational control for safeguarding NPPI. By implementing two-factor authentication across all systems that handle client data—tax-preparation applications, remote-access VPNs, and cloud storage—tax preparers drastically reduce the risk of unauthorized access, even if a malicious actor obtains a password through phishing or malware. According to recent IRS guidance, MFA is now mandatory for all tax professionals under federal regulations.
Although enabling 2FA may add a small step to your login workflow, the benefits—stronger data protection, reduced breach risk, and compliance with IRS requirements—far outweigh any inconvenience. Below, we’ll explore common 2FA methods, explain IRS recommendations, and offer guidance on training your staff and configuring 2FA for popular tax-related platforms.
2025 MFA Adoption Statistics and Industry Trends
The landscape of multi-factor authentication has evolved significantly, with new data revealing critical insights for tax professionals implementing Security Six requirements:
Current MFA Usage Patterns
According to 2025 industry research, 95% of employees using MFA do so via a software program, such as a mobile app, making authenticator apps the dominant choice for businesses. This overwhelming preference reflects the convenience and security balance that software-based solutions provide.
However, adoption varies significantly by organization size. In companies with over 10,000 employees, 87% use MFA, while in smaller companies with 26 to 100 employees, the rate drops to 34%. For tax practices with fewer than 25 employees, the adoption rate is even lower at 27%.
Market Growth and Financial Impact
The two-factor authentication market has experienced explosive growth. In 2023, the multi-factor authentication market generated USD 14.4 billion in revenue. Looking ahead, the two-factor authentication market is projected to grow from USD 8,984.7 million in 2024 to USD 31,084.5 million by 2032, a compound annual growth rate that underscores the technology’s critical importance.
For tax professionals, this growth reflects both opportunity and necessity. As 42% of businesses in 2025 mentioned costs as a reason for not deciding to use multi-factor authentication, understanding cost-effective implementation strategies becomes crucial for smaller practices.
Emerging Authentication Technologies
The authentication landscape is rapidly evolving beyond traditional methods. By 2025, 45% of MFA implementations will include biometric factors such as fingerprint or facial recognition. Additionally, by 2026, 40% of MFA solutions are expected to use AI-driven behavioral analytics to detect anomalies in user behavior, adding an invisible layer of security that doesn’t burden users with additional authentication steps.
These advancements are particularly relevant for tax professionals handling sensitive data. As passwordless authentication methods are expected to become mainstream in 2025, tax practices should begin evaluating FIDO2-compliant solutions that eliminate password vulnerabilities entirely while maintaining strong security. The NIST Cybersecurity Framework provides excellent guidance on implementing these advanced authentication methods.
Exploring Popular Security Six 2FA Methods
Tax professionals can choose from several 2FA methods to meet both IRS guidelines and everyday business needs. Each method pairs “something you know” (your password) with “something you have” (a device or token) or “something you are” (biometrics).
Time-Based One-Time Passcodes (TOTP) via Mobile Authenticator Apps
- How It Works: You install an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy) on your smartphone. When logging into tax software or your practice’s VPN, you enter your password and then open the authenticator app to retrieve a 6- to 8-digit code that changes every 30 seconds.
- Advantages for Tax Preparers: App-based codes avoid SMS interception risks and work even if you’re offline. Many tax-prep platforms (Lacerte, ProSeries, Drake Software) offer built-in TOTP support, ensuring seamless integration. Consider implementing cloud services with built-in MFA support to streamline authentication across your practice.
- Considerations: Employees must keep their smartphones physically secure. Encourage setting up device-level PINs or biometrics to prevent unauthorized access to the authenticator app.
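To make the TOTP mechanism described above concrete, here is an added Python example (not code from the original article or from any authenticator vendor) that implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, plus the server-side check that accepts a code from the current 30-second step or one step either side and refuses to accept the same step twice. The shared secret is the one from the RFC test vectors; the base32 string is what a QR code would carry.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real secret is random and provisioned once; it is shown here only to make the
# example reproducible.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code (padding restored)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side verifier.

    Accepts the code for the current step and for `window` steps on either side
    (tolerating clock drift), compares in constant time, and never accepts a step
    at or below the last accepted one, so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, timestamp: int) -> bool:
        code = code.strip().replace(" ", "")
        current = timestamp // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay guard: older or already-used steps are refused
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(RFC_SECRET, now))
    verifier = TotpVerifier(RFC_SECRET)
    print("first use accepted:", verifier.verify(totp(RFC_SECRET, now), now))
    print("replay accepted:", verifier.verify(totp(RFC_SECRET, now), now))
```

The replay guard is the part most hobby implementations omit: without it, a code phished from a user remains valid for the rest of its 30-second step (and the drift window), which is exactly the gap a real-time relay attack exploits.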
Hardware Tokens (FIDO2 Security Keys)
- How It Works: A small USB, NFC, or Bluetooth security key (YubiKey, Feitian, or Titan Key) generates cryptographic signatures when touched. During login, after entering your password, you insert—or tap—your hardware token to authenticate.
- Advantages for Tax Preparers: Hardware tokens provide phishing-resistant protection—an attacker cannot steal a one-time password via email or SMS. They are especially valuable for high-level staff (partners, senior CPAs) who handle large volumes of NPPI.
- Considerations: Tokens must be physically safeguarded. Firms should maintain an inventory (serial numbers, assigned user names) and plan for token replacement if lost or damaged. Only 4% of employees utilize a hardware solution, often due to cost and management complexity.
SMS Text or Email Codes
- How It Works: After submitting a password, the system sends a unique, time-limited code via SMS or email. You enter that code into the login prompt to gain access.
- Advantages for Tax Preparers: Easy setup—many tax software portals (e-file systems, cloud practice management) offer built-in SMS or email 2FA options. No additional apps or hardware are required.
- Considerations: SMS is susceptible to SIM-swap attacks and interception. Email codes can be compromised if the user’s email account is already exposed. Use only as a secondary option when app-based or hardware tokens aren’t available. The IRS specifically warns against SMS-based authentication for high-security applications.
Biometric Authentication
- How It Works: The system verifies a physical trait—fingerprint, facial recognition, or iris scan—alongside your password. For example, Windows Hello or Touch ID on macOS can tie a biometric scan to a tax software login.
- Advantages for Tax Preparers: Biometric factors are unique to each individual, making them extremely difficult to replicate. Ideal for solo practitioners or small offices that rely on laptops or tablets for client data work.
- Considerations: Not all business tax platforms support biometrics natively. Devices must be capable (modern laptops, tablets, or smartphones). Biometric data must remain local to the device—never stored unencrypted in the cloud. Currently, a mere 1% rely on biometric methods like facial or fingerprint recognition, though this is expected to increase significantly.
IRS Recommendations for Enhanced Security Through 2FA
The IRS strongly encourages tax software users—both individual taxpayers and tax professionals—to adopt multifactor authentication to safeguard digital accounts. Key IRS recommendations include:
Use the Most Secure 2FA Option Available
- For Tax Software: Whenever possible, select app-based TOTP (e.g., Microsoft Authenticator) or a hardware token rather than SMS. These methods avoid common pitfalls of one-time codes sent via text.
- For Email and Cloud Services: Configure MFA on any email account used for client communication and on cloud storage that holds scan files or e-documents. Email is a prime target for phishing; robust MFA prevents credential theft from compromising client data.
Enforce MFA for Remote Access to Office Networks
- VPN Access: If your team works from home or on client sites, require VPN connections with mandatory 2FA. This adds a strong barrier preventing unauthorized users from accessing your internal file server containing NPPI.
- Remote Desktop and Remote Management: Any remote management console (RDP, VNC, or remote-desktop portals) should have MFA layered on top of strong passwords. Attackers often scan for open RDP ports—2FA stops them from leveraging stolen credentials.
Use 2FA and Strong Passwords for Cloud Storage
- Cloud File Shares: Whether you use OneDrive for Business, Google Drive, or Dropbox Business to store encrypted backups of client data, enable MFA at both the account and folder levels.
- Phishing Guards: Cloud services often allow only “app passwords” or one-time codes for third-party apps. Make sure your tax software’s cloud backup integration uses OAuth or certificate-based tokens, not static application passwords.
Consider Additional MFA for Self-Hosted Websites and Portals
- Client Portals: If you host a client-portal website (to receive client documents or share completed returns), implement MFA for both client logins and your administrative console.
- Practice-Management Systems: Many on-premises tax practice applications (Thomson Reuters Practice CS, CCH ProSystem fx) can be configured to require an authentication app or hardware token at login.
By following these IRS recommendations, you ensure that every access point—desktop, remote VPN, cloud storage, and client portal—requires at least two factors, dramatically lowering the risk of credential-based breaches.
2025 Federal Requirements and Compliance Updates
The regulatory landscape for multi-factor authentication has become more stringent, with federal mandates now in full effect for tax professionals.
FTC Safeguards Rule MFA Mandate
As highlighted in recent IRS communications, all tax professionals are now required under the Federal Trade Commission’s Safeguards Rule to use multi-factor authentication (MFA) to protect clients’ sensitive information. This isn’t just a recommendation—it’s a legal requirement enforced by the FTC Safeguards Rule.
The June 2023 change mandates MFA to strengthen account security by requiring more than just a username and password to confirm an identity when accessing any system, application or device. For tax professionals, this means:
- MFA must be implemented on all systems handling client data
- The size of your practice doesn’t matter—solo practitioners and large firms alike must comply
- Opting out of MFA in tax preparation software violates FTC safeguards rules
Understanding these requirements is crucial. Review our comprehensive guide on FTC Safeguards Rule compliance for tax preparers to ensure your practice meets all federal mandates.
IRS Security Summit Updates for 2025
The Security Summit continues to evolve its recommendations based on emerging threats. Recent updates emphasize that tax professionals now need to have a Written Information Security Plan (WISP) that specifically addresses MFA implementation.
Key components of the 2025 requirements include:
- Written MFA Policies: Your WISP must document which systems require MFA and acceptable authentication methods
- Incident Response Plans: Include procedures for lost MFA devices and compromised accounts in your incident response plan
- Annual Risk Assessments: Evaluate MFA effectiveness and update policies based on new threats
Emerging Threats: AI-Powered Attacks Targeting MFA
The threat landscape for 2025 has evolved dramatically, with artificial intelligence enabling sophisticated attacks specifically designed to bypass traditional security measures, including some forms of multi-factor authentication implementations.
AI-Enhanced Phishing and Deepfakes
Recent threat intelligence reveals alarming trends: 63% of cybersecurity leaders are concerned about AI and the potential creation of deepfakes. For tax professionals, this manifests in several ways:
- Voice Cloning Attacks: According to CrowdStrike’s 2025 Global Threat Report, there was a 442% increase in voice phishing (vishing) attacks between the first and second halves of 2024. Attackers can now clone voices from brief recordings, potentially bypassing voice-based authentication.
- Deepfake Video Calls: In 2024, a multinational firm fell victim to a deepfake scam that cost the business $25 million in damages. The attackers created convincing video representations of company executives to authorize fraudulent transactions.
- AI-Generated Phishing: 75% of cyberattacks began with a phishing email in 2024, and 67.4% of all phishing attacks in 2024 used some form of AI. These attacks are grammatically perfect and highly personalized, making them difficult to detect.
Protecting Against AI-Enhanced Threats
To combat these emerging threats, tax professionals must implement advanced phishing defense strategies alongside two-factor authentication:
- Use Phishing-Resistant MFA: Hardware security keys (FIDO2) cannot be fooled by deepfakes or AI-generated content
- Implement Behavioral Analytics: Modern MFA solutions can detect unusual login patterns that might indicate compromise
- Regular Security Awareness Training: Educate staff about deepfake threats and verification procedures
- Multi-Channel Verification: For high-value transactions, verify requests through multiple independent channels
The Rise of MFA Fatigue Attacks
Cybercriminals have developed new tactics to exploit MFA systems. Even among the 28% of users who have activated MFA, attackers continue to target accounts through sophisticated techniques like:
- MFA Bombing: Repeatedly triggering authentication requests until users approve out of frustration
- Session Hijacking: Stealing authenticated sessions after MFA is completed
- Man-in-the-Middle Attacks: Intercepting MFA codes in real-time
These evolving threats underscore why tax professionals need comprehensive security strategies beyond basic MFA implementation. Consider upgrading to advanced endpoint detection solutions that can identify and block sophisticated attack patterns. The CISA cybersecurity resources provide additional guidance on defending against these advanced threats.
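MFA bombing leaves a distinctive trace in identity-provider logs: a burst of push prompts for one user, most of them denied or timed out, sometimes followed by an approval. The following Python example is added here and is not part of the original article or any vendor product; it parses constructed, simplified log lines (the `user=... event=mfa_push result=...` format is an assumption, not a real product format) and raises a medium-severity alert when prompts cross a threshold inside a sliding window and a high-severity one when an approval lands after such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in an assumed key=value format (not a real vendor format).
SAMPLE_LOG = """
2025-03-04T08:00:00Z user=carol event=mfa_push result=denied ip=198.51.100.9
2025-03-04T09:00:00Z user=alice event=mfa_push result=denied ip=203.0.113.7
2025-03-04T09:00:40Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2025-03-04T09:01:20Z user=alice event=mfa_push result=denied ip=203.0.113.7
2025-03-04T09:01:30Z user=bob event=login result=success ip=192.0.2.44
2025-03-04T09:02:05Z user=alice event=mfa_push result=timeout ip=203.0.113.7
2025-03-04T09:02:50Z user=alice event=mfa_push result=approved ip=203.0.113.7
2025-03-04T09:05:00Z user=bob event=mfa_push result=approved ip=192.0.2.44
2025-03-04T09:30:00Z user=carol event=mfa_push result=denied ip=198.51.100.9
2025-03-04T11:00:00Z user=carol event=mfa_push result=denied ip=198.51.100.9
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return a dict for an MFA push event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def detect_push_fatigue(lines, threshold: int = 4, window_seconds: int = 300):
    """Sliding-window count of push prompts per user.

    Alerts:
      push_burst          -> the user received `threshold` prompts within the window
      approval_after_burst -> an approval arrived while the window still held a burst
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-user prompts inside the window, oldest first
    alerts = []
    for e in events:
        q = recent[e["user"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop prompts that fell out of the window
        if len(q) == threshold:  # first crossing of the threshold
            alerts.append({
                "severity": "medium", "rule": "push_burst", "user": e["user"],
                "count": len(q), "window_start": q[0]["ts"].isoformat(), "ip": e["ip"],
            })
        if e["result"] == "approved" and len(q) >= threshold:
            alerts.append({
                "severity": "high", "rule": "approval_after_burst", "user": e["user"],
                "count": len(q), "approved_at": e["ts"].isoformat(), "ip": e["ip"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the rule fires twice for alice and stays silent for bob (one prompt, approved) and carol (three prompts spread over three hours). The high-severity alert is the one worth an immediate call to the user and a session revocation, because an approval after a burst is the signature of a user giving in.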
Implementing Security Six 2FA: Benefits and Best Practices
Key Advantages of Two-Factor Authentication
- Enhanced Security Beyond Passwords: Even if a hacker steals a password—via phishing email or keylogger—they lack the second factor (TOTP code, hardware token, or biometric), preventing unauthorized login.
- Mitigates Password Reuse Risks: Clients often reuse passwords across sites. If one site is breached, attackers cannot pivot to your tax software without the second factor.
- Protection Against Stolen Devices: If an employee’s laptop or smartphone is lost or stolen, that device alone cannot be used to log in—unless the thief also knows the user’s password and has the hardware token or biometric registered.
- Complementary to Other Security Controls: 2FA works alongside firewalls, antivirus/EDR, and VPNs to form a layered defense-in-depth. When one control fails, 2FA acts as an additional barrier.
- Secure Data Entry on Shared or Untrusted Devices: When logging in from a client’s office computer or public terminal, requiring a second factor ensures that the person entering credentials is authorized, protecting NPPI during transit.
Best Practices for Rolling Out 2FA in a Tax Practice
- Develop a 2FA Policy: Document which systems require 2FA (tax software, VPN, email, cloud storage), acceptable 2FA methods (authenticator apps or hardware tokens), and procedures for lost-device recovery.
- Gradual Deployment: Start by enabling 2FA for all administrators and partners. Then expand to preparers, support staff, and seasonal hires. This staged approach allows troubleshooting and user training before firm-wide rollout.
- Backup Options: Provide backup codes or alternate tokens in case an employee loses their primary 2FA device. Store backup codes in a securely locked cabinet—only accessible to the practice’s security administrator.
- Monitor 2FA Adoption: Use management consoles (e.g., Azure AD, Google Workspace) to track which users have enabled 2FA. Follow up with those who have not complied within a designated timeframe (30 days).
- Retire Legacy Methods: Disable any weak methods (PPTP VPN, RDP without MFA, or single-factor email logins). Enforce a firm policy that “no 2FA = no remote access.”
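The “Backup Options” practice above only works if the backup codes are handled correctly on the server side: generated from a cryptographic random source, stored only as hashes, accepted once, and compared in constant time. The Python below is an added illustration of that pattern, not code from the article or from any tax-software vendor; the code format (two five-character groups) and the ten-code batch size are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import string

# Lowercase letters and digits: about 51.7 bits of entropy for a 10-character code.
ALPHABET = string.ascii_lowercase + string.digits


def generate_backup_codes(count: int = 10, length: int = 10):
    """Return `count` single-use codes formatted as xxxxx-xxxxx (format is an assumption)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalize(code: str) -> str:
    """Users type codes with or without the dash, spaces or capitals; canonicalize first."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> str:
    # High-entropy codes do not need a slow password hash; a salted SHA-256 is enough
    # to keep a leaked table from revealing the codes directly.
    return hashlib.sha256(salt + normalize(code).encode()).hexdigest()


class BackupCodeStore:
    """What the server keeps for one user: a per-user salt and the hashes of unused codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.hashes = {hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; every stored hash is compared in constant time."""
        presented = hash_code(code, self.salt)
        matched = None
        for stored in self.hashes:
            if hmac.compare_digest(stored, presented):
                matched = stored  # keep looping so timing does not reveal the position
        if matched is None:
            return False
        self.hashes.discard(matched)  # single use: burn it
        return True

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("hand these to the user once:", codes)
    store = BackupCodeStore(codes)
    print("first redemption:", store.redeem(codes[0]))
    print("same code again:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Two policy hooks belong around this: alert the administrator when a user’s remaining count drops to one or two (codes are being consumed, possibly by someone else), and regenerate the whole batch rather than topping it up after a device is reported lost.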
Cost-Effective MFA Solutions for Small Tax Practices
Understanding that 48% of respondents felt it was challenging to integrate MFA into current systems, and 49% cited poor user experience as a barrier, here are budget-friendly approaches for smaller practices implementing two-factor authentication:
Free and Low-Cost MFA Options
- Microsoft Authenticator: Free app that integrates seamlessly with Microsoft 365 and many tax software platforms
- Google Authenticator: No-cost solution supporting TOTP for multiple accounts
- Authy: Free multi-device authenticator with cloud backup capabilities
- Basic Hardware Tokens: Entry-level FIDO2 keys start at $25-30 per user
Implementation Strategies for Resource-Constrained Practices
For practices concerned about costs and complexity:
- Phase Implementation: Start with critical systems (tax software, email) before expanding
- Leverage Existing Infrastructure: Many tax software vendors now include MFA at no additional cost
- Group Training Sessions: Reduce training costs by conducting group sessions
- Partner with MSPs: Consider working with a managed security service provider for implementation support
Educating Your Team on Best Practices
A successful two-factor authentication rollout depends on user awareness and buy-in. Follow these steps to ensure employees understand and embrace the new security measure:
1. Provide Formal Training
- Initial Workshop: Host a live or virtual session explaining “Why 2FA Matters”—demonstrate common phishing scams, show how stolen credentials lead to data breaches, and illustrate how 2FA blocks unauthorized logins.
- Step-By-Step Setup Guides: Distribute detailed instructions—screenshots or video tutorials—on installing and configuring the authenticator app, registering hardware tokens, and using backup codes.
- Q&A Session: Allow staff to ask questions about registering devices, transitioning off older methods (SMS/text), and the department-specific impact (e.g., how 2FA affects client-document scanning procedures).
2. Lead by Example
- Executive Participation: Partners and senior staff should enable 2FA first and periodically share “security highlights” in staff meetings—e.g., “Last week, 2FA prevented a phishing attacker from logging into my email.”
- Visible Enforcement: Publicize the implementation timeline, reminding employees that “beginning May 1, 2FA is required for all remote system access.”
3. Create and Enforce Policies
- Written Policy: Document requirements: “All employees must have at least one 2FA method—authenticator app or hardware token—registered by [date].” Specify permitted devices (no jailbroken/rooted phones), token storage rules, and lost-device notification procedures.
- Periodic Reminders: Send automated email reminders to employees who haven’t completed 2FA setup. Include clear instructions for getting help from IT support.
4. Monitor Adoption and Address Resistance
- Track 2FA Enrollment: Use your directory service or identity provider (Azure AD, Google Workspace) to generate reports on which users have not enabled 2FA after the deadline.
- One-on-One Assistance: For employees struggling with setup, schedule a short call to walk them through registration; this builds confidence and ensures compliance.
- Incentivize Completion: Offer small rewards (gift cards, recognition at staff meetings) for early adopters to encourage a positive security culture.
IRS Compliance: Enabling MFA to Avoid Penalties
Mandatory 2FA for Tax Software and E-File Systems
As of the 2022 tax year, the IRS requires all professional tax software to support—and tax preparers to enable—multifactor authentication for e-file and online portals. Recent enforcement has intensified, with the IRS having already received more than 250 reports of data breach incidents from tax professionals affecting approximately 200,000 clients in 2024 alone.
Failure to comply can result in:
- Fines and Penalties: The IRS may impose monetary penalties for gross negligence if NPPI is compromised due to lack of 2FA.
- PTIN Suspension or Revocation: Continued non-compliance could lead to suspension of your Preparer Tax Identification Number (PTIN), preventing you from legally filing tax returns.
- Increased Audit Scrutiny: Practices without adequate 2FA controls may be flagged for deeper IRS audits, risking not only data security but also protracted compliance reviews.
Protecting Client Cloud Storage and Email
- Tax Document Repositories: If you store client scan files in cloud services (OneDrive, Google Drive), the IRS expects you to have MFA enabled on those accounts. A breach of a single cloud storage account can expose hundreds of client documents.
- Practice Email Accounts: Email is a leading vector for phishing. IRS Pub. 4557 recommends enabling 2FA on all email accounts used to communicate with clients or receive sensitive attachments.
Consequences of Ignoring Requirements
- Data Breach Liability: Without 2FA, a stolen password can lead to catastrophic leakage of NPPI. The cost of forensic investigation, client notification, and potential client lawsuits can easily exceed $100,000 for a small practice.
- Regulatory Sanctions: The FTC, under the GLBA Safeguards Rule, can impose civil penalties for each instance of willful non-compliance—amounting to tens of thousands per violation.
- Reputation Damage: News of a tax practice breach—especially if linked to poor authentication controls—can irreparably harm your reputation. Rebuilding client trust takes years, if not decades.
EFIN Security and MFA Requirements
Your Electronic Filing Identification Number (EFIN) represents another critical authentication point. The IRS requires robust security measures, including MFA, for all EFIN access. Learn more about EFIN security requirements to ensure comprehensive protection of your e-filing capabilities.
How to Enable Two-Factor Authentication on Key Tax-Related Platforms
Below are step-by-step instructions for enabling two-factor authentication on widely used tax software, cloud services, and remote access tools. Always refer to the latest vendor documentation for interface updates.
Tax Software Portals (e.g., Drake, Lacerte, ProSeries)
- Log In to your tax software’s secure portal (often via a web browser).
- Navigate to Security Settings (sometimes under “Account Settings,” “User Profile,” or “Admin Console”).
- Locate “Two-Factor Authentication” or “Multifactor Authentication” section.
- Choose Your Method: Select TOTP (authenticator app) or Hardware Token if supported.
- Scan the QR Code: Open your authenticator app (Google Authenticator, Authy) on your smartphone. Tap “Add Account,” scan the vendor’s QR code, and note the recovery codes.
- Enter One-Time Code: The app will display a 6-digit code. Type that into the portal to confirm setup.
- Save Backup Codes: Store printed or digital backup codes in a secure location—such as an encrypted password manager or a locked file cabinet.
Practice Management or Cloud Storage (e.g., TaxDome, ShareFile, OneDrive for Business)
- Sign In to your practice-management or cloud-storage account.
- Open Security or Personal Settings: Look for “Security,” “Privacy,” or “Account Security.”
- Activate “Two-Step Verification”: Toggle the setting on.
- Select Authenticator App (Preferred): Follow on-screen instructions to scan a QR code in the OneDrive/TaxDome environment.
- Confirm and Test: Input the time-based code from your authenticator app.
- Backup Methods: Optionally, register a phone number for SMS codes, but rely on the app for primary authentication. Secure any printed or written backup codes.
Remote Access VPN (e.g., Cisco AnyConnect, OpenVPN Access Server, Perimeter 81)
- Log in to the VPN administration console (requires admin credentials).
- Go to Authentication Settings: Look under “Security,” “Global Settings,” or “User Authentication.”
- Enable “MFA” or “2FA”: Turn on the checkbox.
- Choose Your MFA Provider: Commonly Duo Security, Microsoft Azure MFA, or a SAML-based solution (Okta, OneLogin).
- Configure Timeout Settings: Set a reasonable re-authentication interval (e.g., every 12 hours) so users aren’t prompted too frequently, balancing security and convenience.
- Enroll Users: Instruct each remote user to install the chosen authenticator app or register their hardware token with the VPN system.
- Test Connectivity: Have users connect from a non-trusted network (home Wi-Fi or mobile hotspot) to verify the VPN prompts for a second factor before granting access.
Advanced MFA Considerations for 2025 and Beyond
As we look toward the future of authentication, tax professionals should prepare for emerging technologies and evolving threats:
Passwordless Authentication
The industry is moving toward eliminating passwords entirely. In 2025, passwordless authentication methods are expected to become mainstream. These methods use biometrics (e.g., facial recognition, fingerprints) or hardware tokens compliant with FIDO2 standards. Benefits include:
- Elimination of password-related vulnerabilities
- Improved user experience with faster logins
- Reduced help desk costs from password resets
- Complete protection against phishing attacks
Adaptive Authentication
Modern MFA systems are incorporating machine learning to assess risk dynamically. Use case: A low-risk login attempt from a familiar device might require a single factor, while a high-risk attempt prompts additional verifications. This approach balances security with user convenience.
Decentralized Identity Solutions
Decentralized identity systems, powered by blockchain technology, are emerging as a game-changer. These systems grant users ownership of their digital identities, reducing dependence on centralized databases that are vulnerable to breaches.
For tax professionals, this could mean:
- Clients maintaining control over their identity verification
- Reduced liability for storing authentication credentials
- Enhanced privacy protection for sensitive client data
Employee Training for MFA Best Practices
Rolling out two-factor authentication firm-wide requires clear communication and ongoing awareness efforts. Follow these steps to ensure employees understand why 2FA matters and how to use it correctly:
1. Host Regular Training Sessions
- “Why MFA Matters” Workshop: Demonstrate real-world phishing examples—show how a stolen password alone can lead to a breach, then illustrate how 2FA blocks that attack.
- Platform-Specific Walkthroughs: Provide hands-on demos for setting up TOTP on tax software portals, enrolling tokens in the VPN, and enabling 2FA on cloud storage accounts.
- Q&A and Feedback: Encourage staff to ask questions about scenarios—e.g., “What happens if my phone battery dies?” or “How do I access backup codes if I lose my token?”
2. Lead by Example
- Executive Adoption: All partners, senior CPAs, and managers should have two-factor authentication enabled before any staff member. Publicize their compliance to reinforce the message.
- Visible Reminders: Display posters or digital signage—“Don’t Forget: MFA is Required for All Remote Logins”—in break rooms or on your intranet homepage.
3. Document and Enforce Policies
- Written 2FA Policy: Include details about approved methods (authenticator app or FIDO2 token only; SMS only if no other option), device registration procedures, and lost-device protocols (e.g., “Report lost devices to IT within 4 hours”).
- Disciplinary Measures: Clearly state that “failure to enable 2FA by [Date] will result in restricted access to client data systems until compliance.”
4. Monitor, Remind, and Reward
- Automated Reports: Use identity management tools (Azure AD, Google Workspace, or your VPN’s admin console) to track who has not enrolled in 2FA.
- Follow-Up Notices: Email or call individuals who haven’t completed registration, offering hands-on support.
- Recognition for Compliance: Acknowledge early adopters or departments with 100% 2FA adoption—small incentives like a gift card or public praise help reinforce positive behavior.
Avoiding Security Risks: The Consequences of Not Using MFA
Two-factor authentication isn’t optional for tax professionals—it’s a necessity. Without proper MFA implementation, your practice is exposed to:
- Credential Theft and Unauthorized Access: Passwords can be phished, cracked, or purchased on the dark web. Once an attacker has a stolen credential, they can access your tax software, client database, or VPN without impediment.
- Data Breach Liability: A single breach of NPPI can result in five-figure or six-figure costs—incident forensics, legal counsel, regulatory fines, and client notifications. IRS Publication 4557 outlines breach-reporting requirements; failure to notify clients promptly can lead to additional penalties.
- PTIN Suspension or IRS Sanctions: The IRS can suspend or revoke your PTIN if they discover you did not implement MFA/2FA as mandated. Without a valid PTIN, you cannot prepare or e-file individual tax returns.
- Reputation Damage: Clients trust you with their most sensitive data. A breach—especially traced to poor authentication controls—can irreversibly harm your reputation. Rebuilding that trust can take years, if not an entire career.
With cybercrime costs projected to reach staggering levels—the global cost of cybercrime is projected to rise from $9.22 trillion in 2024 to $13.82 trillion by 2028—the financial impact of inadequate security measures continues to escalate. The FBI’s Cyber Division provides additional resources on protecting against cybercrime.
How to Enable MFA on Key Tax Platforms
Below are concise instructions for enabling multi-factor authentication on common tax-industry tools. Always consult the vendor’s latest documentation for UI updates.
Drake Software (Cloud Portal)
- Log In to your Drake Cloud Portal.
- Navigate to “My Account” → “Security Settings.”
- Click “Enable Two-Factor Authentication.”
- Select “Authenticator App” as your preferred method.
- Scan the Displayed QR Code with Google Authenticator or Authy on your mobile device.
- Enter the 6-Digit Code generated by the app to verify.
- Download and Secure Backup Codes—store them in your encrypted password vault.
Intuit ProSeries/Lacerte (Intuit Account Center)
- Sign In to Intuit Account (proconnect.intuit.com or lacerte.intuit.com).
- Go to “Account Settings” → “Sign-in & Security.”
- Under “Two-Step Verification,” click “Turn On.”
- Choose “Use an Authenticator App.”
- Scan QR Code with your authenticator app.
- Enter Code and click “Verify.”
- Save Backup Codes provided by Intuit and keep them in a secure location.
Practice CS or CCH ProSystem fx (CCH Account Center)
- Access CCH Account Center at myaccount.cch.com.
- Select “Security Settings.”
- Click “Enable Multi-Factor Authentication.”
- Choose “Authenticator App” and scan the QR code.
- Input the One-Time Code from your authenticator app.
- Record Backup Codes displayed and store them offline (e.g., locked cabinet).
Microsoft 365 (for Outlook and OneDrive)
- Log In to portal.office.com as your practice’s global administrator.
- Navigate to “Azure Active Directory” → “Security” → “MFA Settings.”
- Under “User Settings,” select the user accounts you want to enable.
- Choose “Require Selected Users to Provide Contact Methods Again.”
- Users Will Be Prompted at next login to configure Microsoft Authenticator or receive SMS codes.
Cisco AnyConnect VPN
- Log In to the Cisco ASA or FTD management console.
- Go to “Configuration” → “Remote Access VPN” → “AAA/Local Users.”
- Under “AAA Server Group,” select your MFA provider (e.g., Duo, Azure MFA).
- Configure RADIUS or SAML Integration according to your MFA vendor’s documentation.
- Ensure Client Profiles have “Enable AnyConnect Profile” with the “allowSmartCard” and “anyconnectMFA” attributes turned on.
Continuing Your Security Six 2FA Cybersecurity Journey
Enabling robust two-factor authentication is a critical step toward safeguarding client data and meeting IRS Security Six requirements. However, 2FA is only one layer of a comprehensive cybersecurity strategy. To stay ahead of evolving threats:
- Regularly Review and Update Your WISP: Conduct annual risk assessments and adjust policies when you adopt new tax software or expand remote work. Our 2025 cybersecurity guide for tax professionals provides comprehensive compliance strategies.
- Perform Quarterly Phishing Simulations and Staff Trainings: Keep employees vigilant against evolving social-engineering tactics, especially AI-enhanced attacks.
- Maintain a Patch-Management Schedule: Automate OS and application updates on all workstations and servers—no exceptions.
- Implement Endpoint Protection (EDR): Combine 2FA with advanced EDR solutions to detect fileless malware, zero-day exploits, and ransomware.
- Secure Physical Documents: Shred old tax returns, lock file cabinets, and control who has access to workstations.
- Enable Drive Encryption: Implement full-disk encryption on all devices storing client data.
- Maintain Secure Backups: Follow IRS-compliant backup strategies to ensure business continuity.
By layering two-factor authentication on top of these measures, your practice will not only comply with IRS guidelines but also earn client confidence as a secure, trustworthy tax-preparation firm. Stay proactive, stay vigilant, and continuously adapt to new threats to keep your clients’ data—and your reputation—safe.
For personalized guidance on implementing comprehensive security measures, including MFA deployment, consider consulting with cybersecurity providers specializing in tax professional compliance. As the threat landscape continues to evolve with AI-powered attacks and sophisticated social engineering, maintaining robust authentication controls becomes not just a compliance requirement, but a fundamental business necessity.