Multi-factor authentication (MFA) sounds technical, but it’s really just adding one more lock to your digital front door. It’s now a legal requirement for tax professionals under the Federal Trade Commission’s (FTC) Safeguards Rule, and it’s one of the simplest, most effective ways to stop cybercriminals in their tracks.
If you prepare returns, store client documents, or access sensitive data in the cloud, you must have MFA turned on, no matter the size of your business. Skipping it isn’t just risky, it’s against the law.
Think of MFA as the easiest security upgrade you’ll ever make. Most tax software, email services and cloud platforms already have it built in; you just need to flip the switch. The payoff? Both peace of mind and better protection for your clients and practice.
What exactly is MFA?
MFA means you confirm your identity with at least two different types of credentials before logging in. These factors generally fall into three categories:
- Something you know: your password, PIN or the answer to a security question
- Something you have: a code from an authenticator app, a text message or a physical security token
- Something you are: biometric identifiers like a fingerprint or facial scan
Requiring more than one factor makes it much harder for hackers to break in, even if they’ve managed to steal your password. Think of it like having a key and an alarm code; you need both to get inside.
Why MFA matters for tax professionals
The FTC Safeguards Rule makes MFA mandatory for businesses handling sensitive financial data. That includes sole practitioners, small firms and large practices alike. Here’s why it’s more than just a compliance checkbox:
- It’s proven protection. MFA stops many phishing, social engineering and password-cracking attempts.
- It’s cost-effective. Many MFA tools are free or included in your existing services.
- It builds client trust. Clients want to know you’re serious about protecting their personal and financial information.
Tax professionals are prime targets for cybercriminals because of the high-value data they hold. A compromised account can often lead to fraudulent returns, stolen refunds and IRS scrutiny, all of which create headaches no one wants.
How to set up MFA without the tech headaches
You don’t need to be an IT expert to get started. Here’s a simple plan:
- Identify your accounts. List all systems and applications where client information is stored or accessed, including tax prep software, email, cloud storage and bookkeeping tools.
- Turn on MFA. Most providers have MFA settings under “Security” or “Account Settings.” Look for step-by-step guides or vendor support pages.
- Pick your preferred method. Authenticator apps are considered more secure than text messages, but as discussed below, SMS codes, hardware tokens and biometrics are also valid.
- Roll it out firmwide. Ensure every staff member has MFA enabled for every applicable account.
- Review annually. Technology changes fast. Set a calendar reminder to check for new MFA options or updated security features from your providers.
Types of MFA and how they work
- Authenticator apps: Generate time-sensitive codes that refresh every 30 seconds. Examples include Microsoft Authenticator and Google Authenticator.
- Hardware tokens: Small devices that plug into your computer or display a one-time code.
- Biometric verification: Uses your unique physical characteristics, such as a fingerprint or face scan.
- SMS codes: Text messages with verification codes. While widely used, they’re more vulnerable than other methods, so pair them with another security layer when possible.
Keep your MFA strong and up to date
Tax preparers should know that cybersecurity isn’t “set it and forget it.” Once MFA is in place:
- Update passwords regularly and use a password manager to keep them unique and strong.
- Train staff to recognize phishing attempts. MFA can’t stop someone from voluntarily giving away their login information.
- Monitor logins for unusual activity and investigate any alerts from your providers.
Build layers of protection
MFA is powerful, but it’s even more effective alongside other safeguards:
- Antivirus software with automatic updates
- Firewalls on all devices and networks
- Encrypted data backups stored securely
- Regular security awareness training
- An incident response plan so you can act fast if something goes wrong
The IRS offers two publications that provide excellent step-by-step security recommendations tailored to tax professionals:
- Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business
- Publication 5293, Protect Your Clients; Protect Yourself - Data Security Resource Guide for Tax Professionals
Bottom line
MFA isn’t just about checking a compliance box; it’s a simple, high-impact way to protect your business. With most tools already available in your existing software, setting it up can take less than 10 minutes. For such a small investment of time, you get one of the strongest defenses available against today’s cyberthreats.
Stay ahead of threats, stay compliant and give your clients confidence in your services.
Stay connected with NATP
At NATP, we’re committed to helping tax professionals navigate evolving security requirements and safeguard their practices. Follow us for updates, tips and tools that keep you compliant and confident.
Information included in this article is accurate as of the publish date. This post is not reflective of tax law changes or IRS guidance that may have occurred after the date of publishing.