Two-Factor Authentication: Why Your Tax Practice Needs it

The current threat landscape for an accounting and tax professional is showing a growing trend of malicious actors attacking remote access points to their offices. If the office only requires a username and password to authenticate a remote user, firms are ripe for becoming a target and, potentially, a victim of a remote attacker.

The combination of username and password, while a common standard, is the weakest link in the chain of online security. With data breaches in the past 12 months of nearly a billion distinct username and password combinations, it is a distinct possibility that you or your employees’ credentials have been compromised.

Malicious actors use these lists, along with information gleaned from public resources and social media, to narrow down the credentials that are potentially useful when attacking an accountant’s network.

Currently, one of the best defenses against this remote compromise is two-factor authentication (2FA) to access your office remotely. The term “two factors” refers to the number of steps involved in authenticating the user’s credentials, and according to Wikipedia, is a subset of multi-factor authentication in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have) and inherence (something they are).

2FA requires that you not only have legitimate credentials in order to authenticate, but that you also have another factor, such as a personal identification number that is generated on demand, physical token, fingerprint or a USB-based security key, in order to complete your login.

2FA helps to prevent the malicious actor from using stolen credentials to access your office remotely, as they will be challenged to enter the second factor and unable to access the code, token or other needed factor to complete their authentication.

There are a few companies offering 2FA systems that are free to use, including Google Authenticator, available for Android– and iOS-based smartphones.

Please work with your IT specialist to find out if your current method of remote access supports 2FA and what options are available for your office to employ.

Editor’s note: Want more information on security and how to help prevent fraud? Sign up for the Intuit® ProConnect™ “Safeguarding Taxpayer Data” webinar.