Security Six • Protection #3

Multi-Factor Authentication for Tax Preparers

Name: Bellator Cyber Guard
Address: US
Telephone: (800) 492-6076
Price range: $$

Security Six requirement #3: A password alone is no longer enough. MFA is mandatory on every system that accesses client tax data — including email, tax software, and cloud storage.

Talk With an Expert Call (800) 492-6076

99%

Of account attacks blocked by MFA

80%

Of breaches involve stolen credentials

Cost for authenticator apps

<5 min

Setup time per account

Why MFA is non-negotiable

Stolen passwords are the #1 way attackers access tax preparer systems. Phishing emails, credential stuffing, and data breaches from other sites all expose your passwords. MFA adds a second verification step — even if your password is compromised, attackers can’t get in without the second factor.

Both the IRS (Publication 4557) and FTC (Safeguards Rule) mandate MFA on all systems that access customer financial data. This includes your tax preparation software, email accounts, cloud storage, remote desktop access, and any practice management tools.

Types of MFA (strongest to weakest)

1. Hardware security keys (YubiKey, FIDO2) — Physical device, phishing-resistant, strongest option

2. Authenticator apps (Google, Microsoft, Authy) — Time-based codes, free, very strong

3. Push notifications (Duo, Microsoft) — Tap to approve, convenient, strong

4. SMS text codes — Better than nothing, but vulnerable to SIM swapping. Use only as a last resort.

Where to enable MFA in your tax practice

Tax preparation software

Drake, Lacerte, ProConnect, UltraTax — all major platforms support MFA. Enable it for every user account.

Email accounts

Email is the #1 phishing vector. Every email account that sends or receives client data must have MFA enabled.

Cloud storage & portals

ShareFile, SmartVault, Dropbox, Google Drive — any cloud service storing client files needs MFA on every user.

Remote access tools

RDP, VPN, TeamViewer, AnyDesk — if you access your office network remotely, MFA is mandatory on the connection.

MFA for tax preparers — FAQ

SMS-based MFA is technically acceptable but not recommended. SMS codes are vulnerable to SIM-swapping attacks where criminals port your phone number to their device. The IRS and cybersecurity experts recommend authenticator apps or hardware security keys instead. If SMS is your only option, it’s still far better than no MFA at all.

Yes. Every user account that accesses client data must have its own MFA enrollment. Sharing accounts or MFA tokens between employees defeats the purpose and violates the access control requirements of both the IRS and FTC. Each employee should have a unique login with their own authenticator app or security key.

All major tax software platforms now support MFA. If yours doesn’t, that’s a serious red flag — consider switching to a platform that does. In the meantime, you can add a layer of protection by requiring VPN access to reach the software, which adds network-level authentication on top of the application login.

Protect Your Tax Practice Today

Schedule a free consultation with our cybersecurity experts. We'll review your current security posture and help you achieve full IRS compliance.

Schedule Free Consultation Call Us Now

Protect your tax practice from cyber threats

Schedule a free consultation to assess your firm's security posture.

Book a Free Consultation Get Your Free WISP