IRS Multi-Factor Authentication Use Expands in 2025
Taxpayers are completing more tax-related tasks online during the 2025 filing season, including checking balances, retrieving tax transcripts, and setting up payment plans. As digital activity grows, the IRS is increasingly implementing multi-factor authentication to safeguard taxpayer accounts, Social Security Numbers, and other sensitive information from identity theft and unauthorized access.
The Internal Revenue Service and its Security Summit partners are encouraging taxpayers and tax professionals to strengthen data security when they sign in to IRS Online Accounts. The push reflects concerns about identity theft, security breaches, and the protection of federal tax information stored in online systems used to manage tax returns.
IRS cybersecurity guidance and the Tax Information Security Guidelines explain that multi-factor authentication requires two or more authentication factors during the login process. These authentication factors can include knowledge factors, such as passwords; possession factors, such as security keys or software tokens; and biometric factors, such as facial recognition.
Authentication methods may include entering a 6-digit code sent via text message, using an authentication application installed from the App Store or Google Play, or confirming identity with hardware tokens and security keys such as a Yubikey™ 5 NFC or an NFC-enabled security key. These technologies rely on cryptographic modules and public-key infrastructure designed to protect confidential data and reduce unauthorized remote access.
The Security Summit, which includes the Federation of Tax Administrators and major tax software providers, continues warning about identity theft risks linked to compromised credentials. Criminals sometimes obtain taxpayer records through a data breach or a Social Security number breach and then attempt fraudulent filings during the filing season.
IRS guidance, such as Publication 4557 and the Data Security Resource Guide, highlights the importance of protecting client information and federal tax information from cyber threats. These resources reference standards from the National Institute of Standards and Technology and safeguards described in Pub. 1075.
Officials say multi-factor authentication adds a critical layer of data security by forcing attackers to bypass multiple authentication factors rather than relying solely on stolen passwords.
The increasing use of digital IRS services is one reason multi-factor authentication adoption is rising. Millions of taxpayers now use the IRS Individual Online Account to review balances, track payments, and manage information connected to a tax return.
People also widely use online tools to obtain tax transcripts. These records can help verify income, confirm adjusted gross income, or support financial applications that require proof of filing.
The IRS uses ID.me to support verifying your identity across several online services, including IRS Online Account and Get Transcript. These services allow taxpayers to access records tied to their Social Security information and other sensitive data.
During verification, users may be asked to confirm their identity using several authentication methods. These may include entering a 6-digit code sent to a phone number, approving a push notification in an authentication app such as the ID.me Authenticator app, or scanning a QR code with a mobile device.
Some users may complete additional steps, such as a video call, facial recognition verification, or face or touch unlock, on a mobile device. These procedures help protect records that may include Form W-2 information, Identity Protection PINs, and other tax account data.
Tax professionals and cybersecurity officials recommend enabling the strongest available authentication methods to help prevent identity theft and security breaches. Adding backup codes, using security keys, and monitoring accounts for suspicious activity can reduce risks associated with online financial accounts.
Federal agencies, including the Cybersecurity and Infrastructure Security Agency, encourage taxpayers to report suspected fraud or security breaches. Individuals whose personal information may have been compromised can also report identity theft to the Federal Trade Commission.
The IRS advises taxpayers not to click suspicious links or attachments in messages claiming to represent the agency. Fraudulent emails often include error messages or links designed to mimic legitimate websites to capture login credentials.
Potential phishing attempts should be forwarded to phishing@irs.gov so investigators can review the message and help prevent further fraud.
By William Mc Lee, Editor-in-Chief & Tax Expert—Get Tax Relief Now