Knowledge Base Solution - Tax Pro Community: Security Summit Authentication

Tax Pro Community: Security Summit Authentication

N/A

As a key step to preventing tax-related identity theft, the IRS and states worked with industry to establish minimum “Know Your Customer” requirements.
These standards are in line with requirements from the IRS Office of Safeguards and the Security Summit Strategic Threat Assessment & Response (STAR) working group.
These requirements will evolve as the National Institute of Standards and Technology (NIST) updates its national standards.
These are minimum standards only. Industry partners are encouraged to innovate and create more robust authentication protocols as well as to conduct their own analysis of trends.

The important purpose of these trusted customer requirements is to:

Follow nationally recognized standards for implementing “Knowing Your Customer” identity authentication
Ensure consistent minimum requirements are established for industry to efficiently support multiple tax agencies
Mitigate the potential for account takeovers
Reduce the opportunity for fraudulent return filing
Establish a process to verify identity in future interactions including but not limited to password changes
Enhance security / protection measures for taxpayer confidential and sensitive information
Increase the public confidence and trust in the tax filing system

Some tax software providers will offer multi-factor authentication protections for tax pro software accounts:
- 2-factor
- 3-factor
Multiple communication channels will encourage use of multi-factor authentication (i.e. Tax Forum presentations, publications and news releases)
Tax professional software packages will include the information included in Pub 5294 “Protect Your Clients; Protect Yourself - Data Security Tips for Tax Professionals” developed by the Security Summit working groups. The applicable portions of the messages are expected to be shown to administrators and end-users within the software at login and at other appropriate times.
Help prevent account takeovers that result in data loss

Minimum requirements affect both DIY and Tax Pro software. These protocols include:

Software Password Requirements
- NIST reviewed password standards last year
- Strong passwords of 8 digits that include upper and lower cause, alphanumeric and special characters.
- Passwords should be phrases that you can remember
Software Timeout Requirements
- Mandatory log out after 30-minutes of inactivity; users must re-enter username and password
24-Hour Reauthorization
- Users must re-enter credentials every 24-hours regardless of activity

Software supporting individual returns display trusted customer information fields:

Software supporting business returns, including Form 1120 and 1120s, also will have trusted customer information fields.

Questions include:

New “minimal security steps” developed to ensure consistent messaging by IRS, states and industry
Available on www.irs.gov/identitytheft
Pub 5294, “Protect Your Clients; Protect Yourself - Data Security Tips for Tax Professionals” – (New) printed for Tax Forums, requested for tax pro software
Pub 5293, Data Security Resource Guide for Tax Professionals, compilation of IRS.gov resources - (New) online only
Pub 4557, Safeguarding Taxpayer Data, being revised into more user friendly format, information on what security steps to take and how to take them. (Revised) online only
Communications Work Group planning a summer awareness campaign – Protect Your Clients; Protect Yourself: Tax Security 101.

Sign up for e-News for Tax Professionals, weekly digest of everything you need to know.
Sign up for Quick Alerts if you are a registered e-Services user.
www.irs.gov/identitytheft - main IDT page; see tax pro section
www.IRS.gov/protectyourclients - main page for tax pros looking for scam alerts and tips.
Note: If your client is a victim of the W2 phishing scheme, email dataloss@irs.gov and StateAlert@taxadmin.org