Tax · 25 min read

Two-Factor Authentication for Tax Software: Setup Guide

Implement two-factor authentication for tax software and meet IRS Security Six requirements. Platform setup guides for Drake, Lacerte, CCH Axcess, and more.


Why Two-Factor Authentication Is Mandatory for Tax Professionals

Tax professionals handle some of the most sensitive data in any business sector—Social Security numbers, bank account details, W-2s, and financial records for thousands of clients. A single compromised login to your tax software exposes this entire dataset to attackers, triggering regulatory penalties, client notification obligations, and lasting damage to your firm's reputation.

The IRS Security Six checklist, published by the IRS Security Summit and referenced in IRS Publication 4557 (Safeguarding Taxpayer Data), lists two-factor authentication as one of six baseline controls for every tax professional, and the FTC Safeguards Rule (16 CFR Part 314), which treats paid tax preparers as financial institutions, requires multi-factor authentication for anyone who accesses systems holding customer information. This applies whether you use Drake Tax, Lacerte, ProSeries, UltraTax CS, CCH Axcess, or any other professional tax preparation platform. Running without 2FA leaves your practice exposed to the credential-based attacks that dominate modern cybercrime and puts you out of compliance with the federal rule that governs every CPA and accounting firm handling taxpayer data.

This guide covers the technical foundation, platform-specific setup procedures, and real-world implementation strategies you need to deploy two-factor authentication for tax software effectively. Whether you are starting from scratch or strengthening existing controls, the steps here will bring your practice into alignment with IRS cybersecurity requirements and protect the client data your business depends on.

2FA for Tax Software: By The Numbers

  • $4.88M: average cost of a data breach (IBM Cost of a Data Breach Report 2024)
  • 99.9%: share of automated account attacks blocked by MFA (Microsoft Security Intelligence Report)
  • 68%: breaches that involve a human element (Verizon Data Breach Investigations Report 2024)

What Is Two-Factor Authentication and Why Does It Matter for IRS Security Six Compliance?

Two-factor authentication (2FA) is a security mechanism requiring users to provide two distinct verification factors before gaining access to systems containing sensitive information. For tax professionals, implementing 2FA on tax software represents a foundational security control that dramatically reduces the risk of unauthorized access to client records and tax preparation data.

The IRS Security Six framework identifies six essential cybersecurity controls that all tax preparers must implement to protect nonpublic personal information (NPPI). Two-factor authentication serves as the primary access control layer within this framework, working alongside antivirus protection, firewall security, secure backups, drive encryption, and VPN security to create defense-in-depth protection. The full scope of these requirements is documented in our guide to IRS Publication 4557 and its cybersecurity obligations.

How Authentication Factors Work

Authentication security relies on three distinct factor categories:

  • Something you know — Passwords, PINs, or security questions
  • Something you have — Physical tokens, smartphone apps, or smart cards
  • Something you are — Biometric identifiers like fingerprints or facial recognition

True two-factor authentication requires factors from two different categories. A password combined with a security question does not constitute 2FA—both fall under "something you know." A password paired with a code from a smartphone authenticator app, however, provides genuine multi-factor security by combining something you know with something you have.

Under NIST Special Publication 800-63B (the authentication volume of the SP 800-63-3 suite), a password combined with a single-factor OTP authenticator reaches Authenticator Assurance Level 2 (AAL2), which gives strong protection against password reuse, credential stuffing, and password-database breaches of the kind that regularly compromise tax practices. The Verizon Data Breach Investigations Report 2024 found that 68% of breaches involved a human element, and stolen credentials remain the most common way attackers reach tax software and client data.

2026 IRS Compliance Requirement

The FTC Safeguards Rule requires every tax preparer to maintain a current Written Information Security Plan (WISP), and that plan must document how multi-factor authentication is applied; the IRS reinforces the requirement by asking PTIN holders at renewal to confirm they have a data security plan. Practices without 2FA deployed and documented face FTC enforcement action, state breach-notification obligations, and heightened liability after a data breach. Review and verify your security controls before the start of the 2026 filing season.

Understanding Two-Factor Authentication Methods for Tax Software

Not all two-factor authentication methods provide equal security. Tax professionals must understand the technical characteristics, security strengths, and implementation considerations for each authentication approach before selecting what to deploy across their practice.

Time-Based One-Time Passwords (TOTP): The Industry Standard

TOTP authentication uses the RFC 6238 standard to generate temporary codes through HMAC-based cryptographic functions. The algorithm combines a shared secret key with the current timestamp to produce a 6–8 digit code valid for 30 seconds. Both the authentication server and the client device independently generate the same code using synchronized time, enabling verification without transmitting the shared secret across the network.

TOTP resists credential theft because each code is valid for a single 30-second window, and a verifier that records the last accepted time step rejects any attempt to reuse it. Unlike SMS codes, TOTP is generated offline on the device and is not exposed to telecommunication interception or SIM-swap attacks. The primary limitation is real-time phishing: a proxy site that relays the password and the still-valid code to the genuine login page within seconds defeats it, a risk that FIDO2 hardware keys eliminate through domain binding.

Popular TOTP authenticator apps for tax practices include Microsoft Authenticator (integrates with Microsoft 365, supports push notifications), Google Authenticator (simple, widely supported, works with most tax software platforms), Authy (offers cloud backup and multi-device synchronization for practitioners working across multiple computers), and Duo Mobile (enterprise-grade with detailed audit logs and device health checks). One 2025 industry survey reports that 95% of employees who use MFA authenticate through a mobile authenticator app, making TOTP the dominant enterprise authentication method by a wide margin.

FIDO2 Hardware Security Keys: Maximum Phishing Protection

FIDO2 (Fast Identity Online) authentication uses public-key cryptography where the hardware token stores a private key that never leaves the device. During authentication, the server sends a challenge that the token signs with its private key, and the server verifies the signature using the corresponding public key. This design eliminates shared secrets that attackers could intercept.

Hardware tokens provide the highest level of phishing resistance because the credential is bound to the registered domain (the WebAuthn relying-party ID): the browser tells the key which origin is asking, the key only holds a credential for the genuine site, so a look-alike phishing page receives no usable response, and any assertion the key does produce is signed over the hash of the real domain and will not verify anywhere else. NIST SP 800-63B places a hardware-based cryptographic authenticator that resists verifier impersonation at Authenticator Assurance Level 3 (AAL3), the highest level it defines; a FIDO2 security key used together with a password or its own PIN meets that bar.
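The challenge-response and domain-binding behaviour described above, as an added example written for this guide (not code from any key vendor or tax platform). Real WebAuthn authenticators sign with ECDSA P-256 or Ed25519; the Python standard library has neither, so this example substitutes a Lamport one-time signature over SHA-256, which is still a genuine public-key scheme (private preimages never leave the authenticator, the relying party stores only hashes) but must not be reused for more than one signature in practice. The domain names are constructed for the example.

```python
"""Simulated FIDO2 assertion: credential scoped to an rpId, challenge signed
with a private key that stays on the authenticator, relying party verifies
with the stored public key and rejects replays and wrong-origin assertions."""
import hashlib
import secrets

# --- Lamport one-time signature (stand-in for ES256/EdDSA, see lead-in) ----
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub                                 # pub is all that leaves the device

def _bit(digest: int, i: int) -> int:
    return (digest >> (255 - i)) & 1

def lamport_sign(priv, message: bytes):
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [priv[i][_bit(d, i)] for i in range(256)]   # reveal one preimage per bit

def lamport_verify(pub, message: bytes, sig) -> bool:
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pub[i][_bit(d, i)] for i in range(256))


class Authenticator:
    """Security key. Each credential is scoped to the rpId it was registered for."""
    def __init__(self):
        self._creds = {}                             # rp_id -> (credential_id, private key)

    def register(self, rp_id: str):
        priv, pub = lamport_keygen()
        cred_id = secrets.token_hex(8)
        self._creds[rp_id] = (cred_id, priv)
        return cred_id, pub

    def get_assertion(self, rp_id: str, challenge: bytes):
        # The browser derives rp_id from the page's real origin; a phishing
        # domain therefore asks for a credential the key never registered.
        if rp_id not in self._creds:
            return None
        cred_id, priv = self._creds[rp_id]
        authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        signed = authenticator_data + hashlib.sha256(challenge).digest()        # + clientDataHash
        return cred_id, authenticator_data, challenge, lamport_sign(priv, signed)


class RelyingParty:
    """The tax-software login server."""
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._pubkeys = {}
        self._pending = set()                        # challenges issued but not yet used

    def enroll(self, key: Authenticator) -> str:
        cred_id, pub = key.register(self.rp_id)
        self._pubkeys[cred_id] = pub
        return cred_id

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        cred_id, auth_data, challenge, sig = assertion
        if challenge not in self._pending:
            return False                             # unknown or already-consumed challenge
        self._pending.discard(challenge)
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                             # signed for some other origin
        pub = self._pubkeys.get(cred_id)
        if pub is None:
            return False
        return lamport_verify(pub, auth_data + hashlib.sha256(challenge).digest(), sig)


def demo():
    """Genuine login succeeds; a look-alike domain gets no assertion at all."""
    key = Authenticator()
    rp = RelyingParty("login.taxsoftware.example")            # constructed domain
    rp.enroll(key)
    genuine = rp.verify(key.get_assertion(rp.rp_id, rp.new_challenge()))
    phish = key.get_assertion("login-taxsoftware.example", rp.new_challenge())
    return genuine, phish is None


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security argument: the authenticator refuses to answer for an rpId it never registered, and the relying party consumes each challenge once, so an assertion captured in transit cannot be replayed.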

Recommended hardware tokens include the YubiKey 5 Series ($45–70 per key, supports FIDO2, TOTP, and smart card protocols), Google Titan Security Key ($30–35, FIDO2-certified with USB-A and NFC), and Feitian ePass FIDO2 ($20–25, budget-friendly for larger deployments). Currently only 4% of employees use hardware security keys, primarily due to procurement costs—but at $25–70 per user, the investment is minimal compared to what a single breach costs a tax practice.

Tax Software-Specific 2FA Setup: Platform-by-Platform Guide

Each major tax preparation software platform implements two-factor authentication differently. The configuration steps below reflect current procedures for the platforms serving the majority of professional tax preparers in 2026.

Drake Tax Software

Drake Tax supports 2FA through integration with Microsoft Authenticator and Google Authenticator. To enable two-factor authentication in Drake:

  1. Navigate to Setup → Security → User Security in Drake Tax
  2. Select the user account and enable "Require Multi-Factor Authentication"
  3. Users receive a QR code during their next login to pair their authenticator app
  4. Store backup recovery codes securely offline in case of device loss

Drake Tax also supports hardware security keys for administrator accounts through FIDO2 protocol when accessing Drake Cloud services—a configuration worth implementing for any account with administrative access to client records.

Lacerte and ProSeries

Intuit's professional tax software platforms use Intuit Account authentication with support for the Intuit Authenticator app (push notifications), third-party TOTP apps (Google Authenticator, Microsoft Authenticator, Authy), and FIDO2-certified hardware security keys. Enable 2FA through your Intuit Account settings under Security → Two-step verification.

A notable limitation: each user must enable two-step verification in their own Intuit Account; administrators cannot enforce it centrally without Intuit's practice management tools. Centralized enforcement through Microsoft Entra ID helps larger firms only for applications that accept your identity provider through SSO, so confirm vendor support before relying on it. Tax professionals also use these platforms alongside secure client portals that require their own independent 2FA configuration.

CCH Axcess and Related Platforms

Wolters Kluwer's CCH platforms implement 2FA through their Axcess Portal identity management system. Navigate to User Settings → Security Settings, enable Multi-Factor Authentication, and select your preferred method. CCH Axcess supports authenticator apps, hardware tokens, and biometric authentication on compatible devices. Administrators can enforce 2FA requirements for all users through the Admin Portal under Security Policies—making CCH Axcess one of the more straightforward platforms for firm-wide mandatory enrollment.

Thomson Reuters UltraTax CS and GoSystem

Thomson Reuters platforms support 2FA through their CSIdentity authentication system. From the Admin Console, navigate to Security Settings and enable "Require Multi-Factor Authentication for All Users." Users configure their 2FA method at next login, choosing from TOTP apps, SMS (not recommended for sensitive taxpayer data), and hardware security keys.

Thomson Reuters also offers single sign-on (SSO) integration with identity providers like Microsoft Entra ID (formerly Azure AD), enabling centralized 2FA management across all firm applications. This approach is particularly valuable for practices using multiple Thomson Reuters products alongside document management systems and client communication platforms.

Enterprise 2FA Implementation Process for Tax Practices

1

Audit Current Authentication State

Inventory all systems accessing taxpayer data—tax software, document management, client portals, and email. Identify which platforms support native 2FA and which require SSO integration to enforce it.

2

Select Your Authentication Methods

Choose TOTP authenticator apps for general staff and FIDO2 hardware keys for administrators and high-privilege accounts. Document approved and prohibited methods (including the SMS prohibition) in a written policy.

3

Configure Admin Enforcement

Enable admin-level 2FA enforcement in each platform where available. For platforms without centralized control, deploy Microsoft Entra ID or Google Workspace SSO to enforce 2FA across all connected applications from a single policy.

4

Enroll All Staff and Create Recovery Plans

Conduct guided enrollment sessions with IT support on-site to resolve issues immediately. Generate and securely store backup recovery codes for every user account. Document the device loss and recovery procedure in writing.

5

Document in Your WISP and Monitor Ongoing

Update your Written Information Security Plan to reflect approved authentication methods, enforcement procedures, and log review responsibilities. Review authentication logs monthly for anomalous access patterns.

Bottom Line

TOTP authenticator apps cost nothing to deploy and block the vast majority of credential-based attacks targeting tax software. FIDO2 hardware keys add phishing-resistant protection for high-privilege accounts at $25–70 per user. Either approach satisfies IRS Security Six requirements and substantially outperforms SMS authentication, which NIST SP 800-63B classifies as a restricted authenticator because of the weaknesses of the public telephone network.

Advanced 2FA Strategies and Emerging Authentication Technologies

Tax practices deploying two-factor authentication today should also understand where authentication technology is heading—both to future-proof their architecture and to take advantage of stronger controls as they become available across major tax software platforms.

Passwordless Authentication

The authentication industry is moving away from passwords entirely. Passwordless systems replace the password with a cryptographic authenticator that the user unlocks locally with a PIN or biometric, so the login is still multi-factor (possession plus something you know or are) but no password exists to be phished, reused, or dumped from a breached database. Modern passwordless implementations use the FIDO2 protocol, where hardware security keys or platform authenticators (Windows Hello, Touch ID) perform the cryptographic operations without a password at any point.

During account registration, the device generates a unique cryptographic key pair—the private key stays on the device while the public key registers with the server. Authentication consists of the server sending a challenge the device signs with its private key, proving possession without transmitting secrets. Microsoft Entra ID and Google Workspace both support passwordless authentication for business applications today, enabling tax firms to eliminate password vulnerabilities while maintaining compliance with IRS WISP requirements.

Risk-Based Adaptive Authentication

Modern authentication platforms incorporate machine learning that assesses risk continuously and adjusts authentication requirements dynamically. By 2026, an estimated 40% of MFA solutions are expected to incorporate AI-driven behavioral analytics for access anomaly detection. Adaptive authentication evaluates device recognition (trusted device fingerprinting), location analysis (flagging logins from unusual locations or VPN exit nodes), time patterns (detecting after-hours access), behavioral biometrics (keystroke and mouse movement patterns), and access patterns (unusual file access or privilege escalation attempts).

This approach balances security with usability by applying stronger authentication only when risk indicators suggest potential compromise. Low-risk scenarios—a recognized device at normal hours—may require only biometric verification. High-risk scenarios trigger hardware token requirements plus manager approval workflows. Platforms like Microsoft Entra ID Conditional Access, Duo Beyond, and Okta Adaptive MFA bring this capability to tax software environments today, and they integrate directly with the threat vectors documented in analyses of cyberattacks targeting tax firms.
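The risk signals listed above (device, location, time, failure bursts, factor strength) and the monthly log review in step 5 of the implementation process both reduce to the same thing: scoring each successful login against what is normal for that user. The following is an added example written for this guide, not a vendor's product or any real log format; the log lines, the user baseline, the business-hours window and the score thresholds are all constructed assumptions.

```python
"""Score login events against a per-user baseline and return the ones a
monthly review should examine, with the adaptive decision a real-time policy
would have taken. Log format below is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: a normal day for two users, then a burst of failed
# logins for jdoe from an unknown country late at night ending in a success
# that used SMS as the second factor.
SAMPLE_LOG = """\
2026-02-03T09:02:11 user=jdoe result=success ip=203.0.113.10 geo=US device=d1 mfa=totp
2026-02-03T09:05:40 user=asmith result=success ip=203.0.113.11 geo=US device=d2 mfa=fido2
2026-02-03T23:41:05 user=jdoe result=failure ip=198.51.100.7 geo=RO device=d9 mfa=none
2026-02-03T23:41:19 user=jdoe result=failure ip=198.51.100.7 geo=RO device=d9 mfa=none
2026-02-03T23:41:33 user=jdoe result=failure ip=198.51.100.7 geo=RO device=d9 mfa=none
2026-02-03T23:42:02 user=jdoe result=success ip=198.51.100.7 geo=RO device=d9 mfa=sms
2026-02-04T08:15:22 user=asmith result=success ip=203.0.113.11 geo=US device=d2 mfa=fido2
"""

# Baseline assumed to come from the previous month's clean logins (constructed).
BASELINE = {
    "jdoe": {"devices": {"d1"}, "geos": {"US"}},
    "asmith": {"devices": {"d2"}, "geos": {"US"}},
}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; adjust to the firm's schedule
FAILURE_BURST = 3               # failures right before a success that look like guessing
WEAK_FACTORS = {"sms", "none"}


@dataclass
class Event:
    ts: datetime
    user: str
    result: str
    ip: str
    geo: str
    device: str
    mfa: str


def parse(line: str) -> Event:
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), f["user"], f["result"],
                 f["ip"], f["geo"], f["device"], f["mfa"])


def score(ev: Event, known: dict, failures_before: int):
    """Each risk signal adds one point; returns (score, reasons)."""
    reasons = []
    if ev.device not in known["devices"]:
        reasons.append("unrecognized device")
    if ev.geo not in known["geos"]:
        reasons.append(f"new country {ev.geo}")
    if ev.ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if failures_before >= FAILURE_BURST:
        reasons.append(f"{failures_before} failed attempts immediately before")
    if ev.mfa in WEAK_FACTORS:
        reasons.append(f"weak second factor ({ev.mfa})")
    return len(reasons), reasons


def decide(score_: int) -> str:
    """Adaptive policy: allow, step up to a phishing-resistant factor, or block."""
    if score_ == 0:
        return "allow"
    if score_ <= 2:
        return "step-up: require FIDO2 key"
    return "block and alert"


def review(log_text: str, baseline: dict):
    """Run the policy over every successful login and return the flagged ones."""
    known = defaultdict(lambda: {"devices": set(), "geos": set()})
    for user, p in baseline.items():
        known[user] = {"devices": set(p["devices"]), "geos": set(p["geos"])}
    failures = defaultdict(int)
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev.result != "success":
            failures[ev.user] += 1
            continue
        s, reasons = score(ev, known[ev.user], failures[ev.user])
        failures[ev.user] = 0
        if s:
            findings.append((ev.ts.isoformat(), ev.user, decide(s), reasons))
        else:
            # Only clean logins extend the trusted profile; a flagged login must
            # not teach the baseline that the attacker's device is normal.
            known[ev.user]["devices"].add(ev.device)
            known[ev.user]["geos"].add(ev.geo)
    return findings


if __name__ == "__main__":
    for when, user, action, why in review(SAMPLE_LOG, BASELINE):
        print(f"{when} {user}: {action} ({', '.join(why)})")
```

Run over the sample, only jdoe's 23:42 login is reported, with all five signals present. The same function can be pointed at a month of exported authentication logs once the `parse` function is adapted to the platform's real export format.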

Tax Practice 2FA Implementation Checklist

  • Enable 2FA on all user accounts across your primary tax software platforms
  • Enroll all staff in a TOTP authenticator app such as Microsoft Authenticator or Google Authenticator
  • Disable SMS-based authentication on all systems where a stronger alternative is available
  • Configure admin enforcement of 2FA in platforms that support centralized policy management
  • Issue FIDO2 hardware keys to all administrators and users with elevated system privileges
  • Generate and securely store backup recovery codes for every enrolled user account
  • Implement SSO with centralized 2FA for client portals and third-party platforms handling taxpayer data
  • Document 2FA requirements, approved methods, and recovery procedures in your Written Information Security Plan
  • Test account recovery procedures for lost or damaged devices before staff actually need them
  • Review authentication logs monthly and schedule annual staff re-training with documented completion records

Common 2FA Implementation Challenges and How to Solve Them

Tax practices deploying two-factor authentication encounter predictable obstacles. Understanding these challenges in advance lets you implement countermeasures before they become blockers to a firm-wide rollout.

User Resistance and Adoption

Research shows 49% of organizations cite poor user experience as a barrier to MFA adoption. Users perceive authentication as workflow friction, especially when prompted multiple times daily. Resistance shows up as workarounds like storing credentials insecurely, elevated help desk call volume, and simple non-compliance with enrollment deadlines.

Address resistance through communication that emphasizes personal benefits—2FA protects users' own financial accounts and identities, not just firm data. Implement adaptive authentication to reduce repeated prompts on recognized trusted devices. Offer multiple method options so users can choose what fits their workflow—some prefer hardware tokens, others favor mobile apps. Executive sponsorship matters more than most firms expect: when partners and firm owners actively use 2FA and discuss its importance, staff adoption increases measurably. Security awareness training that explains why these controls exist converts skeptics faster than policy enforcement alone.

Legacy System Integration

Many tax practices operate heterogeneous environments that include legacy applications lacking native 2FA support. Document management systems, older tax software versions, and custom applications frequently use proprietary authentication protocols that cannot integrate with modern identity providers without significant rework.

Authentication proxy solutions resolve this without modifying application code. Products like Microsoft Entra application proxy, Okta Access Gateway, or zero-trust network access (ZTNA) brokers insert the 2FA requirement in front of the legacy system at the network or proxy layer, so the application still sees its usual login but nobody reaches it without first satisfying the identity provider. For systems requiring direct network access, enforce 2FA at the VPN layer so authentication occurs before any legacy system connectivity. When evaluating new tax software or document management platforms, treat native 2FA or SSO support as a mandatory purchase requirement; a platform that cannot support modern authentication standards is an unacceptable risk for a practice handling taxpayer data in 2026.

Mobile Device Management and BYOD

Many tax professionals use personal smartphones for authenticator apps, creating security and support challenges. When staff leave, change phone numbers, or lose devices, authentication recovery becomes complicated. Personal devices may also lack the security controls that firm data warrants.

Implement mobile device management (MDM) or mobile application management (MAM) solutions that enforce security policies on devices running authenticator apps, requiring device passcodes, enabling remote wipe, and verifying current operating system versions. For practices with strict data handling requirements, hardware security keys eliminate BYOD complexity entirely. At $25–70 per user, hardware tokens provide stronger security than smartphone-based apps while removing the phone from the authentication workflow.

Client Portal and Third-Party Integration

Tax practices use numerous third-party platforms—client portals, e-signature services, document sharing, and payment processors—each implementing 2FA differently. Some platforms may not support it at all, creating gaps in an otherwise protected environment.

Implement single sign-on (SSO) through an identity provider like Microsoft Entra ID, Google Workspace, or Okta. SSO lets users authenticate once with 2FA and access all connected applications without repeated prompts, centralizing security control while providing audit logging across all platforms. For third-party services that lack SSO support, evaluate alternative vendors: platforms handling taxpayer data should support SAML 2.0 or OpenID Connect (OIDC) for federated sign-in (OAuth 2.0 on its own only authorizes API access) as a minimum requirement for continued use in your technology stack.

Need Help Implementing Security Six Compliance?

Our security team has helped over 4,000 tax professionals deploy IRS-compliant 2FA, endpoint protection, and Written Information Security Plans. Get expert guidance tailored to your practice size and software stack.

Building Security Beyond Two-Factor Authentication

Two-factor authentication is the single most effective control for preventing credential-based attacks—but it addresses only one attack vector. Tax practices must implement all six Security Six controls to create the layered protection that IRS Publication 4557 requires and that modern threat actors demand you have.

The Full Security Six Framework

The six controls work together to address different threat categories, each filling gaps the others cannot:

  • Multi-factor authentication — Prevents unauthorized access even when passwords are compromised
  • Antivirus / endpoint protection — the IRS checklist calls for antivirus software; modern practices meet it with Endpoint Detection and Response (EDR), which detects and blocks malware, ransomware, and hands-on intrusions on workstations and servers
  • Firewall protection — Controls network traffic and prevents unauthorized access to internal systems
  • Encrypted data backups — Enables recovery from ransomware attacks and catastrophic system failures
  • Drive encryption — Protects client data on lost or stolen devices through full-disk encryption
  • VPN security — Encrypts data transmission and secures remote access over public networks

Attackers use multiple vectors simultaneously. 2FA prevents credential theft, EDR blocks malware execution, backups enable recovery, and encryption protects data at rest. Firms implementing only 2FA remain exposed to malware delivered through phishing emails and malicious downloads that bypass authentication entirely—a threat thoroughly documented in research on endpoint threats facing tax professionals.

WISP Requirements for 2FA Documentation

The FTC Safeguards Rule requires every tax preparer to maintain a Written Information Security Plan (WISP) documenting security policies and procedures; IRS Publication 4557 and the IRS WISP template in Publication 5708 explain how to build one. Your WISP must specifically address multi-factor authentication requirements for all users accessing taxpayer data, approved and prohibited authentication methods, account recovery procedures for lost or compromised devices, authentication log review frequency and assigned responsibilities, and user training requirements with completion documentation.

If the FTC, the IRS (which reviews Authorized IRS e-file Providers), or a state regulator examines your safeguards, or you are investigating a breach, you must demonstrate not just that 2FA exists, but that it is properly configured, actively monitored, and universally enforced across your practice. Regulators look for documented evidence of active management, not a one-time setup that was never revisited. The IRS WISP requirements for tax professionals are specific about what documentation auditors expect to find.

Supplementary Controls That Strengthen Your Security Posture

Beyond Security Six, mature practices implement security awareness training to reduce phishing susceptibility, patch management to eliminate known software vulnerabilities, privileged access management to control and monitor administrative access, and incident response planning to establish rapid containment procedures when security events occur. These supplementary controls address the full range of threats facing tax practices—not just the credential attacks that 2FA directly prevents. When all layers work together, a failure in any single control does not result in a breach.

Protect Your Tax Practice with Expert Cybersecurity

Our cybersecurity specialists have helped over 4,000 tax professionals implement IRS-compliant two-factor authentication, endpoint protection, and complete Written Information Security Plans. Schedule a free consultation to evaluate your current security posture and get actionable recommendations.

Frequently Asked Questions About Two-Factor Authentication for Tax Software

What is two-factor authentication and why do tax preparers need it?

Two-factor authentication (2FA) requires users to verify their identity using two separate factors before accessing systems that contain sensitive data. For tax preparers, this typically means combining a password with a time-limited code from an authenticator app or a FIDO2 hardware security key. The IRS Security Six framework, documented in Publication 4557, mandates 2FA for all tax professionals handling nonpublic personal information (NPPI). Without it, a single stolen password gives an attacker unrestricted access to your entire client database—Social Security numbers, bank accounts, and financial records included. Credential theft is the leading cause of tax practice breaches, and 2FA is the most direct control against it.

Which tax software platforms support 2FA?

All major professional tax software platforms support 2FA. Drake Tax integrates with Microsoft Authenticator and Google Authenticator, with FIDO2 hardware key support for cloud services. Lacerte and ProSeries use Intuit Account authentication with support for the Intuit Authenticator app, third-party TOTP apps, and FIDO2-certified hardware security keys. CCH Axcess supports authenticator apps, hardware tokens, and biometric authentication with admin-enforced policies. UltraTax CS and GoSystem use Thomson Reuters' CSIdentity system with support for TOTP apps, hardware keys, and SSO integration with Microsoft Entra ID. If your current platform lacks 2FA support, treat this as a significant security gap requiring immediate remediation or vendor replacement.

Should I use an authenticator app or a hardware security key?

TOTP apps like Google Authenticator or Microsoft Authenticator generate 6-digit codes on your smartphone that expire every 30 seconds. They are free, straightforward to deploy, and protect against the vast majority of credential theft attacks. Hardware security keys are physical devices—like YubiKey or Google Titan—that use FIDO2 public-key cryptography to verify your identity. They cost $25–70 per user but provide phishing-resistant authentication that TOTP apps cannot match: the key will only respond to legitimate login pages through cryptographic domain binding, blocking even sophisticated phishing attacks that capture live TOTP codes in real time. For practices handling high volumes of sensitive client data, hardware keys offer the strongest protection currently available.

What happens if I lose my phone or security key?

Recovery options depend on your platform, but the essential steps are consistent: use backup recovery codes generated during initial enrollment, contact platform support with identity verification, or authenticate using an alternate method if you registered one. The key is establishing recovery procedures before you need them. During setup, generate backup codes and store them offline—printed and locked, or saved in a password manager. For multi-user firms, designate an IT administrator who can reset authentication through the admin console for staff accounts. Document these recovery procedures in your WISP so they are available under pressure, not discovered after an incident.

Is SMS text-message 2FA good enough?

SMS codes are still a second factor and are better than a password alone, but NIST SP 800-63B classifies out-of-band authentication over the public telephone network (SMS or voice) as a restricted authenticator because of SIM-swap attacks, SS7 signaling weaknesses, and carrier-level interception. For tax practices handling Social Security numbers and bank account data, SMS 2FA is an unnecessarily weak control when free alternatives are readily available. IRS guidance and NIST both recommend authenticator apps or hardware tokens instead. Transitioning from SMS to a TOTP app costs nothing and significantly strengthens your security posture without adding friction for your staff.

How much does 2FA cost to deploy?

Authenticator app-based 2FA costs nothing beyond staff time for enrollment—Google Authenticator, Microsoft Authenticator, and Authy are all free. If your practice already uses Microsoft 365 or Google Workspace, 2FA capabilities are included in your existing subscription. FIDO2 hardware security keys cost $25–70 per user depending on the model selected. For a 10-person firm, a complete hardware key deployment costs $250–700 total. By comparison, the IBM Cost of Data Breach Report 2024 places the average breach cost at $4.88 million—meaning the hardware investment represents a fraction of a percent of what a single incident could cost your practice.

Can I require 2FA for every user in my firm?

Enforcement capabilities vary by platform. CCH Axcess and Thomson Reuters platforms allow administrators to mandate 2FA for all users through centralized admin consoles—users cannot log in without completing enrollment. Drake Tax defaults to per-user configuration, though admin-level enforcement is available for cloud services. Intuit platforms require individual enrollment through Intuit Account settings unless you use Intuit practice management tools. For the strongest enforcement posture across all platforms simultaneously, implement SSO through Microsoft Entra ID or Google Workspace. This allows centralized 2FA policy enforcement across all connected applications regardless of each platform's native enforcement capabilities.

Does 2FA protect my practice from every cyberattack?

No. 2FA is one layer in a defense-in-depth security strategy, not a complete solution. It effectively prevents credential stuffing, password spraying, and unauthorized access from stolen passwords. It does not protect against malware installed on your device that captures data before it is encrypted, real-time phishing attacks that steal both your password and 2FA code simultaneously, or insider threats from authorized users. Pairing 2FA with Endpoint Detection and Response (EDR), security awareness training, and network monitoring creates the layered protection that IRS Publication 4557 and your Written Information Security Plan require. Each control addresses threat scenarios the others cannot.

How often should users have to re-authenticate?

Authentication frequency depends on your platform's session management settings. Most tax software platforms require 2FA at every new login session. With adaptive authentication configured, trusted devices may prompt less frequently when access patterns match normal behavior. Industry best practice recommends requiring 2FA on each new login session, with session timeouts of 8 hours for active use. Setting sessions to persist for weeks creates unacceptable risk if a device is stolen or compromised. For high-risk activities like bulk exporting of client data or modifying security settings, require 2FA re-verification even within an active session.

What does my WISP need to say about 2FA?

Your Written Information Security Plan must address: which authentication methods are approved and which are explicitly prohibited (including the SMS prohibition), which systems and user roles require 2FA, how enrollment completion is verified and at what frequency, authentication log review procedures and the staff member responsible, onboarding procedures for new employees and prompt access revocation for departing staff, device loss and account recovery procedures, and your schedule for reviewing and updating authentication requirements annually. Auditors reviewing WISP compliance look for documented evidence that 2FA is actively managed and monitored across your practice—not just deployed once and never revisited.
