CCH Axcess™ 2016 IRS Security Requirements

The following tables contain information about the upcoming changes to Security requirements in CCH Axcess™. It shows what is currently available in the program as of the 2015-5.0 release, and what will be required after 2016-1.0 is released.

CCH Axcess™

Security Feature

Pre 2016-1.0

Post 2016-1.0
Change Effective
December 4, 2016

Need to Prepare Prior
to
December 4, 2016

User Experience

Unique Username

Users can share IDs.

Each user must have their own unique username.

Make sure each user has their own unique username.

Each user must login with their own credentials.

Strong Password

Passwords need to contain a combination of letters, numbers, or special characters. Not all three types are required.

Strong passwords are required and must contain at least eight digits. 

Passwords must contain an upper-case letter, lower-case letter, number, and special character.

Passwords with less than eight characters will be reset to eight.

Notify all users that they will be prompted to create a new password with strong characteristics (minimum eight characters) with first login after 2016-1.0 is released.

After 2016-1.0 is released, all users will be prompted to change their password to a strong password when logging in for the first time.

90 Day Password Expiration

You can configure passwords to expire from 30–180 days.

You can configure passwords to expire after 30-45 or 60-90 days.

If your current setting is 180 days, it will be reset to 90 days.

Check your firm configuration.

Depends on your firm configuration, could be no change at all.

30 Minute Inactivity Session Timeout

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

It will still be configurable for 20 or 30 minutes. 

If your current setting is higher than 30 minutes, it will be reset to 30 minutes.

Educate end users.

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

24 Hour Re-authentication

No 24 hour re-authentication exists.

Users will be prompted to re-authenticate with their credentials to continue working after 24 hours of continuous work.

Educate end users.

After being logged into the application for a period of 24 continuous hours, the user will be prompted to re-authenticate with their credentials to continue working.

BOT Detection

No secondary authentication happens.

CAPTCHA for all logins.

Notify users so they are prepared for new requirement when logging in.

Challenge response at login for all users.



CCH Axcess™ with Active Directory (AD)

Security FeaturePre 2016-1.0Post 2016-1.0
Change Effective
December 4, 2016

Need to Prepare Prior
to
December 4, 2016

User Experience
30 Minute Inactivity Session TimeoutDoes not apply.No change.N/ANo change.
24 Hour LogoutDoes not apply.No change.N/ANo change.
BOT DetectionDoes not apply.No change.N/ANo change.



CCH Axcess™ – Session Timeout Experience (20 or 30 Minute)

Product

Pre 2016-1.0

Post 2016-1.0
Change Effective
December 4, 2016

User Experience

Tax

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

The application and all windows close. Any unsaved work in a return has always been auto-saved and will continue to function this way.

When reopening the return, you will be prompted to recover an auto-save file.

For other administrative activities, the application will close and any unsaved work will be lost.

Workstream

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

Application and all windows close.  Any unsaved work is lost.

Document

 

(Does not apply to customers using Office Plug Ins or Document OP)

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

User has a file open for direct edit, system will not time out as long as that file is open for direct edit

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

The inactivity window will display when a file is open for direct edit. If you do not see the prompt, the file will not automatically be checked in. When you log in next time you will need to manually check in the file.

Once you’ve been logged off after inactivity you will need to log back in and navigate back to where you were working. 

Once you’ve been logged off after inactivity you will need to log back in and manually check the file back in. 

Practice

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

Application and all windows close.  Any unsaved work is lost.

Firm Management

Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours.

Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration.

Application and all windows close.  Any unsaved work is lost.


CCH Axcess™ – 24 Hour Limit Experience

Product

Pre 2016-1.0

Post 2016-1.0
Change Effective
December 4, 2016

User Experience

Tax

No 24 hour re-authentication exists.

Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time.

If you re-authenticate after the 24 hour limit you will be returned to your original session.

No data is lost and processes continue to run.

*session timeout still applies

Workstream

No 24 hour re-authentication exists.

Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time.

If you re-authenticate after 24 hour limit you will be returned to your original session.

No data is lost and processes continue to run.

*session timeout still applies

Document

No 24 hour re-authentication exists.

 

Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time.

*Same experience today with Watcher service & Routing Q

If you re-authenticate after 24 hour limit you will be returned to your original session.

No data is lost and processes continue to run.

*session timeout still applies

Practice

No 24 hour re-authentication exists.

Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time.

If you re-authenticate after 24 hour limit you will be returned to your original session.

No data is lost and processes continue to run.

*session timeout still applies

Firm Management

No 24 hour re-authentication exists.

Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time.

If you re-authenticate after 24 hour limit you will be returned to your original session.

No data is lost and processes continue to run.

*session timeout still applies


Additional Information

  Solution Tools
  Attachments
 Solution Id 000053228/000053228
 Direct Link
To provide feedback on this solution, please login.

Your feedback about this article will help us make it better. Thank you!