In an age where malware, spyware and malicious attacks on information systems compromise or steal online data with increasing regularity, information security has never been more important. Cyber-attacks are even more damaging if the data contains personally identifying information (PII) of an individual. And because of the highly sensitive personal and financial information handled by the IRS, it is frequently targeted by cybercriminals. Cybercriminals are increasingly targeting tax professionals, stealing usernames and passwords, and putting taxpayer data at risk. To help manage these risks the IRS has been taking active measures to tighten security of its internal systems by changing how users access its systems to retrieve information.
In recent years, the IRS authenticated each e-Services user individually. Previously, when a user registered for e-Services, they were asked for their name, address, social security number, date of birth, adjusted gross income and filing status. That limited amount of information is no longer enough to meet federal information system standards. Starting December 10, 2017, the IRS implemented “Secure Access,” a two-factor authentication process to access any service on its online e-Services platform. This new process is mandatory for all users.
Secure Access is designed to:
- Strengthen the initial identity proofing process to make sure the person registering is who they say they are.
- Strengthen security through a two-factor authentication process for returning users to help prevent account takeover by cybercriminals. Two-factor authentication means you must have your credentials (username and password) plus a security code sent to your mobile phone or generated by your IRS2Go app each time you log in.
This is a one-time process. Once a user has authenticated their identity and established a Secure Access account for e-Services, no further action is required.
One implication of this new two-factor authentication process is that it makes it much more difficult to automate the login process for accessing IRS e-Services, a practice the IRS explicitly prohibits. Any user wanting to use the IRS’s Interactive TIN Matching or the Bulk TIN Matching services would need to log in manually to use those services. This is one way the IRS helps ensure that its services are being used by authorized persons and not misused for unintended purposes.
The IRS has also indicated that it will be implementing a new user agreement that e-Service users will be required to accept before accessing IRS e-Services. This user agreement prohibits users from storing their login credentials with third parties. The IRS has not yet released further details; however, the implication is that users should directly access the IRS e-Service platforms, rather than through a third party.
Any client that accesses the IRS e-Service platform directly for any services must ensure that their account is registered with the IRS using the new Secure Access process.
Any e-Services user who has not previously created a Secure Access account through Get Transcript Online, IP PIN tool, View Balance or by exception processing in recent days must validate their identity through this more rigorous process. This also includes all TIN Matching users and users who received Letter 5903 last December and authenticated by telephone.
IRS e-Service users can find more details about this new process in “Secure Access: How to Register for Certain Online Self-Help Tools,” which explains what is needed to complete the process and how it will work. They should also review “FAQs: e-Services and Secure Access.”
Learn how ONESOURCE Tax Information Reporting manages and locks your data after TIN Matching to minimize any subsequent inadvertent changes. Contact us today.