

Tax professionals who access IRS practitioner portals will soon need to complete multi-factor authentication before they sign in. The change adds another layer of verification for accounts that handle federal tax information and sensitive client information. Officials aim to lower the risk of identity theft and safeguard confidential data for the 2025 filing season.
Beginning with the 2025 filing season, tax professionals must use multiple authentication methods when they sign in to protected practitioner systems. Instead of relying solely on a password, users will confirm their identity with additional authentication factors, such as a one-time code or device-based verification.
A common process involves entering login credentials and then providing a 6-digit code generated by an authentication application. These apps can be downloaded from the App Store or Google Play and typically use a QR code during setup to link the account to a code generator. The added verification step helps prevent criminals from accessing accounts even if passwords are stolen.
Cybersecurity experts say practitioner portals are attractive targets because they contain confidential data, such as tax transcripts, Form W-2 records, and other Federal Tax Information linked to a taxpayer’s Social Security Number. A compromised account can expose sensitive client information and increase the risk of identity theft.
Many professionals rely on web-based platforms that allow secure remote access to taxpayer records. These systems help practitioners manage filings, retrieve tax transcripts, and confirm reporting details for clients.
The e-Services platform acts as a central system for several practitioner tools. One of the most widely used features is the Transcript Delivery System, which allows authorized representatives to obtain tax transcripts for individual and business taxpayers.
These records often contain confidential data, including filing history and payment information tied to a taxpayer’s Social Security Number. Because these systems store federal tax information, security controls and authentication methods are essential to prevent security breaches and unauthorized access.
Tax Pro Account allows practitioners to manage client authorizations and access certain records connected to representation. The portal lets professionals submit or withdraw authorization requests and monitor authorization status electronically.
Two forms commonly used in these processes are Form 2848, which grants Power of Attorney authority, and Form 8821, which allows access to records through a Tax Information Authorization. Since these authorizations unlock access to taxpayer records, secure authentication is considered a key protection against identity theft.
Cybercriminals frequently attempt to obtain practitioner credentials through phishing and other methods that capture login information. When criminals gain access to these accounts, they may attempt to obtain tax transcripts or other records containing sensitive client information.
Multi-factor authentication helps reduce these risks by requiring multiple authentication factors. Authentication factors generally fall into three categories: knowledge factors, such as passwords; possession factors, such as hardware tokens or security keys; and biometric characteristics, such as fingerprint or facial recognition.
Some authentication systems also support biometric verification through features such as face- or touch-based unlocking on mobile devices. These biometric characteristics help confirm that the person accessing the account is the authorized user.
Modern authentication systems increasingly rely on stronger identity verification technologies. These systems may include hardware tokens, smart card authentication, or security keys such as a U2F security key or NFC-enabled security key.
Certain environments also use trusted platform modules or public-key infrastructure to secure login processes. These technologies support passkey MFA, strengthening security and reducing the risk of credential theft.
Federal cybersecurity guidance often references standards developed by the National Institute of Standards and Technology. These standards include FIPS 140 and FIPS 201, which define requirements for cryptographic modules and identity verification systems used to protect sensitive government information.
Preparing for the new authentication requirement is largely an operational step for accounting firms and tax practices. Practitioners are encouraged to review authentication settings and confirm that their login methods work properly before the filing season workloads increase.
The IRS offers a variety of resources for practitioners, including the Data Security Resource Guide and Publication 4557, both of which were updated in June 2023. These documents outline safeguards to protect Federal Tax Information and prevent a breach of Social Security Numbers.
The Security Summit initiative and Publication 5293 provide additional cybersecurity guidance. These resources explain recommended practices under the Tax Information Security Guidelines and include procedures for reporting a data breach if confidential data may have been compromised.
The authentication requirement is part of a broader effort to strengthen cybersecurity protections across tax administration systems. Federal agencies continue to expand safeguards to protect confidential data handled by practitioners and government systems.
Organizations such as the Cybersecurity and Infrastructure Security Agency emphasize the importance of strong authentication practices to prevent identity theft and security breaches. These protections are especially important when systems allow remote access to taxpayer records and other sensitive information.
Security guidance is often discussed at events such as the Nationwide Tax Forum, where practitioners receive updates on cybersecurity practices and learn how to implement stronger protections for client data.
By William Mc Lee, Editor-in-Chief & Tax Expert—Get Tax Relief Now