What is two-factor authentication?
Two-factor authentication (2FA) is one of the most effective measures to ensure security, especially when it comes to accounts related to Internal Revenue Service dealings. It requires two forms of identification to access an account or system. This adds a layer of extra protection beyond just a password. The two factors are:
- Something you know: Typically, a password or PIN that’s personal to the user.
- Something you have: A physical device such as a smartphone, which receives a time-sensitive code or verification prompt.
Additionally, 2FA is a critical step in the protection of taxpayer information due to the sensitive nature of data such as Social Security numbers (SSNs), Employer Identification Numbers (EINs), and financial records.
Therefore, before using any e-service or any other online IRS tool, such as the Modernized e-File [MeF] system, ensure that it has 2FA.
How Two-Factor Authentication Works
Let’s take an example of the IRS platforms to understand the 2FA mechanism.
- Login Attempt: A user enters their username and password on an IRS portal (e.g., e-Services or Online Account).
- Second Factor Prompt: The system requests additional verification.
- Code Delivery: A one-time code is sent to the user’s registered phone (via SMS), email, or authenticator app (e.g., Google Authenticator for ID.me users).
- Code Entry: The user inputs the code, which expires after a short period (e.g., 10 minutes).
- Access Granted: Successful entry of both factors grants access to tax records or filing tools.
IRS Security Standards and 2FA
The IRS mandates robust security for anyone handling taxpayer data, as outlined in Publication 4557:
- Safeguarding Requirement: Tax preparers and software providers must protect PII under IRC Section 7216, with 2FA as a recommended control.
- Encryption Complement: 2FA pairs with 256-bit encryption for data at rest and in transit, a standard for IRS e-file systems.
- Annual Security Reviews: The IRS encourages annual assessments, including verifying 2FA implementation.
For e-file providers, the IRS requires compliance with NIST Special Publication 800-63 standards, which endorse 2FA as a baseline for authentication.
Benefits of 2FA in IRS Taxation
2FA offers specific advantages in the tax ecosystem:
- Protection Against Identity Theft: Prevents fraudulent access to taxpayer accounts, critical given the 1.4 million identity theft cases reported to the IRS in 2023.
- Secure Filing: Ensures only authorized users submit returns or information returns (e.g., Forms 1099, W-2), reducing fraud risk.
- Compliance Assurance: Aligns with IRS Publication 1345 requirements for e-file providers, enhancing trust in electronic submissions.
- Data Breach Mitigation: Protects against phishing and credential stuffing, common threats to tax professionals managing client data.
For taxpayers and preparers, 2FA provides peace of mind when interacting with IRS systems or third-party tools like Tax1099.
Setting Up 2FA for IRS-Related Access
The setup process varies by IRS platform:
IRS Online Account (via ID.me):
- Visit irs.gov and select “Sign in to Your Account.”
- Create or log into an ID.me account with a password.
- Enable 2FA by choosing SMS, email, or an authenticator app.
- Verify identity with a government-issued ID and phone number.
- Receive and enter a test code to activate.
e-Services:
- Register or log in at the e-Services portal.
- Update secure access by linking a mobile number or email.
- Confirm 2FA setup with a received code.
- Third-Party E-File Providers: Follow provider-specific instructions (e.g., Tax1099’s SMS-based 2FA setup), often requiring a phone number linked to the account.
The IRS provides step-by-step guides and support via its helpline (1-800-829-1040) for setup issues.