Tax | 25 min read

MFA for Tax Software: Why It's Required and How to Set It Up

MFA for tax software is required under IRS Publication 4557 and the FTC Safeguards Rule. Setup guide for Drake, ProSeries, Lacerte & UltraTax. Protect your practice.


MFA for Tax Software: IRS-Required Security Every Tax Professional Needs

Multi-factor authentication (MFA) for tax software is a mandatory compliance requirement under both the IRS Security Six framework and the FTC Safeguards Rule (16 CFR Part 314) — not an optional best practice. Tax professionals who handle taxpayer data must implement MFA across all systems or face real regulatory consequences, including PTIN suspension, e-filing privilege revocation, and civil penalties up to $250,000 per incident.

The reason tax firms are targeted so aggressively is straightforward: Drake Tax, Lacerte, ProSeries, UltraTax CS, and similar platforms hold Social Security numbers, financial records, and personally identifiable information (PII) for hundreds or thousands of clients. That concentration of sensitive data makes a single compromised login extraordinarily valuable to attackers. According to the 2025 Verizon Data Breach Investigations Report, stolen or weak credentials remain the leading cause of hacking-related breaches — and MFA directly neutralizes that attack vector by making stolen passwords alone insufficient for account access.

This guide covers what the IRS and FTC actually require, how to configure MFA on the major tax software platforms, how to document compliance in your Written Information Security Plan (WISP), and how to manage rollout without disrupting tax season workflows.

2026 Compliance Deadline

The IRS requires all tax preparers to have MFA enabled on every system that accesses, stores, or transmits taxpayer data before the 2026 filing season begins. Firms without MFA in place risk PTIN suspension and FTC enforcement action. Both agencies are actively increasing compliance scrutiny heading into 2026.

What the IRS and FTC Actually Require

Two separate federal regulatory frameworks govern MFA requirements for tax professionals, and both carry enforcement authority. Understanding which rules apply — and where they overlap — is the foundation of a compliant security posture.

IRS Security Six and Publication 4557

The IRS Security Six is a set of baseline cybersecurity actions required of all tax professionals. MFA is listed explicitly as one of the six. IRS Publication 4557, the Data Security Resource Guide for Tax Professionals, specifies in Section 3.4 that MFA must be enabled on all systems that access, store, or transmit taxpayer information — not just tax preparation software, but also email, cloud storage, and client portals. The technical requirements align with NIST SP 800-63B Digital Identity Guidelines, targeting Authenticator Assurance Level 2 (AAL2), which requires two distinct authentication factors from separate categories.

Non-compliance puts your Preparer Tax Identification Number (PTIN) at risk. The IRS has signaled increasing enforcement of cybersecurity requirements, and failure to implement MFA can result in e-filing privilege suspension — effectively shutting down your practice during filing season. Learn how IRS Publication 4557 shapes your security obligations and review the full PTIN compliance requirements for your firm.

FTC Safeguards Rule (16 CFR Part 314)

The Gramm-Leach-Bliley Act (GLBA), enacted in the late 1990s, established the legal foundation for protecting consumer financial data by defining "financial institutions" broadly — a definition that explicitly includes tax preparation services. The FTC updated its implementing Safeguards Rule in 2021, with MFA provisions taking full effect in June 2023. Under 16 CFR § 314.4(c), tax preparers must implement access controls that include MFA for any individual accessing customer information systems.

The rule permits a narrow exception: firms may document why MFA is not technically feasible for a specific system. In practice, this exception rarely applies — and convenience is not a valid justification. The FTC has pursued enforcement actions against firms of all sizes, with penalties documented at over $100,000 plus personal liability risk for firm principals. Enforcement from both the IRS and FTC means tax professionals face dual regulatory exposure for non-compliance. Review our detailed breakdown of the FTC Safeguards Rule for tax preparers to understand your full obligations.

The Risk Behind the Requirement

  • $4.88M: average data breach cost (2024), per the IBM Cost of a Data Breach Report 2024
  • $250K: maximum FTC penalty per incident, under the FTC Safeguards Rule (16 CFR Part 314)
  • 80%+: breaches involving credentials, per the Verizon DBIR 2025; MFA directly addresses this vector

Understanding MFA Types: Which One Should Tax Firms Use?

Multi-factor authentication (MFA) — sometimes called two-factor authentication (2FA) — requires users to verify their identity using at least two factors from distinct categories: something you know (password or PIN), something you have (phone, hardware token, or smart card), or something you are (fingerprint or facial recognition). Combining factors from different categories is what makes MFA for tax software effective — if an attacker steals a password, they still cannot access the system without the physical device or biometric tied to that account.

For tax software specifically, five authentication methods are in common use, and they are not all equal:

  • Authenticator Apps (Recommended) — Microsoft Authenticator, Google Authenticator, or Duo Mobile generate time-based one-time passwords (TOTP) that rotate every 30 seconds. This method satisfies NIST SP 800-63B AAL2 requirements, is the IRS's preferred approach, works offline, costs nothing, and is not vulnerable to SIM-swapping attacks.
  • SMS Text Message Codes — A verification code sent to a registered mobile number. Convenient, but NIST guidelines classify SMS as a reduced-security option due to SIM-swapping and SS7 protocol vulnerabilities. Acceptable for baseline compliance but not recommended as the primary method for accounts with access to all client data.
  • Hardware Tokens — Physical devices like YubiKey or RSA SecurID generate or store authentication credentials independently of a smartphone. These provide the strongest security posture and are worth considering for practice owners and administrators with broad access to client records.
  • Push Notifications — Mobile app notifications (common in Duo Security and Microsoft Authenticator) that require an explicit tap to approve. Fast, user-friendly, and substantially more secure than SMS.
  • Biometric Authentication — Fingerprint or facial recognition, typically layered on top of a password as the second factor. Widely available on modern smartphones and laptops, and increasingly integrated into tax software login flows.

The practical recommendation for most tax firms: deploy authenticator apps as the standard MFA method across all platforms. Apps like Microsoft Authenticator support multiple accounts simultaneously, so staff can manage MFA codes for tax software, email, cloud storage, and client portals from a single application. This reduces friction and makes adoption sustainable beyond the initial rollout.

How to Roll Out MFA Across Your Tax Practice

1. Choose a Standard Authenticator App

Select one app firm-wide — Microsoft Authenticator or Google Authenticator — so staff only need to learn one tool. Both support unlimited accounts across all your platforms.

2. Enable MFA on Tax Software First

Configure MFA on Drake Tax, ProSeries, Lacerte, or UltraTax CS using the platform-specific steps below. Start with administrator accounts before rolling out to staff.

3. Expand to All In-Scope Systems

Enable MFA on email (Microsoft 365 / Google Workspace), cloud storage, client portals, practice management software, VPN, and remote desktop gateways — every system that touches taxpayer data.

4. Save Backup Codes and Document Recovery Procedures

Every platform generates backup codes during MFA setup. Store these securely offline. Document your device replacement and emergency access procedures in your WISP before filing season begins.

5. Train Your Team

Walk every staff member through the setup process before tax season. Designate one technology point person available during peak filing months to resolve lockouts quickly.

6. Update Your WISP to Reflect MFA Implementation

Document every system where MFA is enabled, the authentication method used, and your recovery procedures. A WISP that references MFA only in the abstract does not satisfy IRS Publication 4557 requirements.

Step-by-Step MFA Setup for Major Tax Software Platforms

Each major tax software platform has its own MFA configuration path. Setup is straightforward across all of them, typically taking under 10 minutes per user account. The steps below cover the four most widely used platforms.

Drake Tax MFA Configuration

Drake Tax supports authenticator apps (recommended), SMS verification, and email-based backup codes. MFA applies to both the desktop application login and Drake Portal online services. To enable MFA, log into your Drake Tax account at drakesoftware.com, navigate to Account Settings, and select Two-Factor Authentication. Follow the prompts to scan the QR code with your authenticator app or enter your mobile number for SMS. Drake recommends enabling MFA on the practice owner account first, then rolling out to all staff before configuring portal access for clients.

ProSeries and Lacerte (Intuit Account)

ProSeries and Lacerte share a unified authentication system through the Intuit Account platform. Log into accounts.intuit.com, navigate to Sign In & Security, and select Two-step verification. Intuit supports authenticator apps, SMS, and voice call verification — select the authenticator app option and scan the QR code with Microsoft Authenticator, Google Authenticator, or Authy.

One useful feature of Intuit's implementation: a single MFA setup covers the entire Intuit ecosystem. Tax professionals using ProSeries Tax Online or Lacerte Tax Online benefit from unified MFA that protects both desktop and cloud environments simultaneously. Firm administrators can access the Team Management section to audit MFA compliance status across all staff accounts — verify that every team member has MFA active well before January.

UltraTax CS and CS Professional Suite (Thomson Reuters)

Thomson Reuters provides MFA setup through the CS Professional Suite Portal. Administrators navigate to Security Settings > Multi-Factor Authentication to enable firm-wide policies. UltraTax CS supports role-based authentication policies, allowing practice administrators to configure different MFA requirements by user role and access level — a useful control for larger firms with tiered staff permissions.

For enterprise practices, UltraTax CS integrates with SAML-based single sign-on (SSO) providers including Microsoft Azure AD, Okta, and OneLogin, centralizing authentication management across all business systems. If your firm already uses one of these identity providers, configure UltraTax CS to authenticate through your existing SSO rather than maintaining a separate credential set. This reduces administrative overhead while strengthening your overall access control posture.

Tax-Specific Considerations for Cloud-Based Platforms

Cloud-based tax software — including TaxSlayer Pro, Drake Tax Online, and web-based Lacerte — adds one layer of complexity: browser sessions. Configure session timeout policies appropriate for tax season workflows, typically 30 to 60 minutes of inactivity, and use the "remember this device" feature selectively for trusted, firm-owned workstations only. Never enable device trust on shared computers or personal laptops used outside the office.

MFA Compliance Checklist for Tax Firms

  • Enable MFA on all tax software platforms (Drake, ProSeries, Lacerte, UltraTax CS)
  • Enable MFA on all firm email accounts (Microsoft 365 or Google Workspace)
  • Enable MFA on all cloud storage platforms used for client documents
  • Enable MFA on client portals for staff access
  • Enable MFA on VPN and remote desktop gateways
  • Enable MFA on practice management software (Canopy, TaxDome, Karbon)
  • Save backup authentication codes in a secure, offline location
  • Document all MFA-enabled systems and authentication methods in your WISP
  • Train all staff on MFA setup and recovery procedures before filing season
  • Designate a technology point person for MFA issues during peak tax season
  • Schedule annual WISP review to update MFA documentation

WISP Documentation Requirements for MFA

IRS Publication 4557 frames MFA as one component of a broader security strategy — not a standalone fix. Section 3.4 is explicit: MFA must be implemented on all in-scope systems, and tax professionals must document their implementation as part of their Written Information Security Plan (WISP). Without that documentation, your MFA deployment is invisible to regulators reviewing your compliance posture.

That documentation requirement serves two purposes. First, it demonstrates compliance if you are ever subject to an IRS audit, PTIN review, or FTC inquiry. Second, it provides operational continuity guidance so staff know exactly what to do when a device is lost, an account is locked, or a new employee needs onboarding. A WISP that references MFA in general terms without specifics does not satisfy the requirement under Publication 4557.

Your WISP's MFA section should include a complete inventory of all systems where MFA is enabled, the authentication method used for each system, device registration and replacement procedures, emergency access and backup authentication protocols, staff training records with completion dates, and annual review dates with the staff member responsible for MFA policy maintenance. Use our WISP template for tax preparers to build a compliant document from scratch, or review the WISP checklist for CPA firms to identify gaps in an existing plan. For a ready-to-use example, see our IRS WISP example with pre-filled MFA documentation sections.

Bottom Line

Implementing MFA on your tax software satisfies the most visible compliance requirement — but both IRS Publication 4557 and the FTC Safeguards Rule apply to your entire technology environment. Any system that accesses, stores, or transmits taxpayer information is in scope, including email, cloud storage, client portals, practice management software, and remote access systems.

Overcoming Common MFA Implementation Challenges

Tax practices encounter predictable obstacles when deploying MFA for tax software and related systems. Most are solvable with planning — and implementation is substantially easier when it happens during the off-season rather than in January under filing deadline pressure.

Managing Multiple Software Platforms

Firms using both Drake for individual returns and UltraTax CS for business returns face the practical problem of managing multiple MFA setups across different vendor systems. The solution is standardizing on a single authenticator app across all platforms. Microsoft Authenticator and Google Authenticator both support unlimited accounts, so staff can manage every platform's MFA codes from one app rather than juggling separate authentication tools for each system. This single-app approach also makes staff training straightforward — learn the process once, apply it everywhere.

Seasonal Workflow Pressure

Any additional login step creates friction during peak filing season, and staff will resist changes that slow them down under deadline pressure. Address this proactively: implement MFA between May and August, configure "remember this device" policies for trusted, firm-owned office workstations, and set session timeout policies appropriate for tax season workflows — typically 30 to 60 minutes of inactivity rather than aggressive 10-minute lockouts that frustrate staff in the middle of complex return preparation. Before January 1st, verify that all staff have backup codes saved and know how to use them.

Solo and Small Practice Constraints

Solo and small practices often assume MFA requires significant technology investment. It does not. Authenticator apps are free, every major tax software platform includes MFA at no additional charge, and setup takes less than 10 minutes per user. For practices without in-house IT support, a specialized accounting firm cybersecurity provider can handle deployment, staff training, and WISP documentation — typically for far less than the cost of a single data breach incident response engagement.

Remote and Mobile Access

Practices with remote staff or field preparers need MFA configured at multiple layers: at the VPN for network access, at the workstation login for device access, and at the tax software level for application access. This defense-in-depth approach ensures that bypassing one authentication layer still leaves additional controls in place. Establish clear procedures for how remote staff handle MFA when working from areas with limited cell coverage — hardware tokens work without a network connection and are a reliable backup in these scenarios. See our guide on selecting the right VPN for your tax practice for additional remote access security guidance.

MFA Beyond Tax Software: Securing Your Entire Practice

Implementing MFA for tax software satisfies the most visible compliance requirement — but both the IRS Security Six and the FTC Safeguards Rule apply to your entire technology environment. Any system that accesses, stores, or transmits taxpayer information is in scope. A compromised email account, for example, can expose every client document attachment and communication thread your firm has ever sent or received — months of sensitive data made accessible through a single weak password.

The full list of systems requiring MFA in a typical tax practice extends well beyond your preparation software:

  • Email (Microsoft 365, Google Workspace) — Email is the primary vector for phishing attacks targeting tax professionals. Enable MFA on all firm email accounts without exception. Email breaches are particularly damaging because attackers can use compromised inboxes to reset passwords on every other platform.
  • Cloud Storage (ShareFile, Dropbox Business, OneDrive) — Any platform used to store or share tax documents requires MFA for all users with access. Review the full requirements for secure tax software and cloud storage to ensure your document handling meets regulatory standards.
  • Client Portals — Secure portals used for document collection must implement MFA for staff access and strongly encourage or require it for clients submitting sensitive documents.
  • Practice Management Software (Canopy, TaxDome, Karbon) — These platforms contain client records, case notes, billing data, and communication histories. They are explicitly in scope under Publication 4557 and the Safeguards Rule.
  • Remote Access Systems — VPNs and remote desktop gateways must require MFA before granting network access. Unauthenticated remote access is one of the leading ransomware entry points for tax practices, and a compromised remote access credential can give an attacker persistent access to your entire network.
  • Accounting and Billing Software (QuickBooks Online, Bill.com) — These systems contain sensitive firm financial data and are increasingly targeted by attackers who establish a foothold in a network through tax software before pivoting to financial systems.

The practical approach is building your MFA deployment around a single authenticator app that covers all platforms. Once staff are comfortable using it for tax software, adding accounts for email and cloud storage takes seconds. Running a security awareness training program reinforces why these controls matter and reduces resistance to adoption — staff who understand the threat are far more likely to follow MFA procedures consistently. For a broader view of attack methods your firm should understand, review our guide to social engineering tactics that target professional services firms.

Why Tax Preparers Are Classified as Financial Institutions

Many tax professionals are surprised to learn they are classified as financial institutions under federal law — and that this classification directly creates their MFA obligation. The Gramm-Leach-Bliley Act (GLBA), enacted in the late 1990s, defined financial institutions broadly to include any business that provides financial products or services to consumers. Tax preparation falls squarely within that definition, which subjects tax preparers to the FTC's Safeguards Rule regardless of firm size, revenue, or number of returns filed annually.

The practical consequence is that the MFA requirement has two independent legal sources. Even if the IRS were to modify its Security Six guidance, the FTC Safeguards Rule would still independently require MFA for any individual accessing customer information systems. Non-compliance exposes tax professionals to enforcement from two separate federal agencies — a dual liability that makes the compliance calculus straightforward.

The reputational consequences of a breach extend beyond regulatory penalties. Tax professionals who experience a data breach face client loss, potential professional liability claims, and in severe cases, business closure. Given that MFA implementation costs nothing for most platforms and takes minutes to configure, the risk profile for non-compliance is difficult to justify. For a complete picture of your compliance obligations, review our guide to PTIN and WISP requirements and our overview of how cyberattacks target tax firms specifically.

If you haven't yet built your WISP or need to update an existing one to include formal MFA documentation, the free 2026 WISP template from Bellator Cyber Guard includes pre-built sections for MFA policy, system inventory, and incident response procedures aligned with IRS Publication 4557 and 16 CFR Part 314.

Need Help Rolling Out MFA Across Your Firm?

Our security team has helped thousands of tax professionals implement MFA, build compliant WISPs, and pass IRS and FTC compliance reviews. We handle the technical setup so you can focus on your clients.

Staying Current as MFA Requirements Evolve

The regulatory environment around MFA for tax software is tightening, not stabilizing. The FTC has signaled ongoing review of its Safeguards Rule technical requirements as authentication technology evolves, and the IRS has increased its focus on cybersecurity enforcement as part of broader efforts to combat tax-related identity theft. The National Association of Tax Professionals (NATP) and IRS Stakeholder Liaison teams regularly publish updated guidance on security requirements — following these channels keeps your firm ahead of changes rather than scrambling to catch up.

The direction of travel is toward stronger authentication methods. SMS-based MFA, while currently acceptable for baseline compliance, faces increasing scrutiny from NIST and the FTC as SIM-swapping attacks become more common. Firms that adopt authenticator apps or hardware tokens now will be positioned for future regulatory updates without needing to re-deploy their entire authentication infrastructure.

Annual review of your MFA implementation — documented in your WISP — satisfies the review requirements under both IRS Publication 4557 and the FTC Safeguards Rule. That review should include verifying that every in-scope system still has MFA enabled, confirming that new staff have completed MFA setup and training, updating the system inventory if new platforms were added during the year, and testing backup and recovery procedures to confirm they work when needed. If any staff members left the firm during the year, verify that their MFA-enrolled devices have been removed from all platforms.

For firms that want structured guidance through the annual review process, the all-in-one compliance package from Bellator Cyber Guard includes a guided annual WISP review, MFA compliance audit, and updated documentation aligned with the current year's IRS and FTC requirements.

Get Your Tax Practice Fully MFA-Compliant in 2026

Our cybersecurity team specializes in helping tax professionals meet IRS Publication 4557 and FTC Safeguards Rule requirements — including MFA deployment, WISP documentation, and staff training.

Frequently Asked Questions

MFA is legally required under two separate federal frameworks. The IRS Security Six and IRS Publication 4557 mandate MFA on all systems that access, store, or transmit taxpayer data. The FTC Safeguards Rule (16 CFR § 314.4(c)), which took full effect in June 2023, independently requires MFA for any individual accessing customer information systems at firms classified as financial institutions — which includes all tax preparers under the Gramm-Leach-Bliley Act. Both requirements carry real enforcement consequences, including PTIN suspension and civil penalties up to $250,000 per incident.

Authenticator apps are strongly preferred over SMS for tax software and all other business systems. Apps like Microsoft Authenticator and Google Authenticator generate time-based codes that work offline, cost nothing, and are not vulnerable to SIM-swapping attacks — a technique where attackers convince your carrier to transfer your phone number to their device to intercept SMS verification codes. NIST SP 800-63B classifies SMS as a reduced-security option. Authenticator apps satisfy the IRS's preferred implementation standard (AAL2) and are the recommended approach for all tax professionals.

Both IRS Publication 4557 and the FTC Safeguards Rule apply to every system that accesses, stores, or transmits taxpayer information — not just tax preparation software. This includes firm email accounts, cloud storage platforms (ShareFile, OneDrive, Dropbox), client portals, practice management software (Canopy, TaxDome, Karbon), VPNs, remote desktop gateways, and accounting software like QuickBooks Online. A compromised email account can expose every client document attachment your firm has ever handled, making email MFA as important as MFA on your tax software itself.

The IRS has the authority to suspend or revoke a Preparer Tax Identification Number (PTIN) for failure to comply with security requirements, including MFA. A suspended PTIN means you cannot legally prepare or sign tax returns for compensation — effectively shutting down your practice during filing season. Beyond PTIN consequences, non-compliance also exposes your firm to FTC enforcement action with civil penalties up to $250,000 per incident. The IRS has increased its cybersecurity compliance focus in recent years and has signaled that enforcement activity will continue to grow.

Your Written Information Security Plan (WISP) must document MFA implementation with specific detail to satisfy IRS Publication 4557 requirements. The MFA section of your WISP should include: a complete inventory of all systems where MFA is enabled, the authentication method used for each system (app, SMS, hardware token), device registration and replacement procedures, emergency access and backup authentication protocols, staff training records with completion dates, and the staff member responsible for annual MFA policy review. A WISP that references MFA only in general terms does not satisfy the documentation requirement. Use our WISP template for tax preparers for pre-built MFA documentation sections.

No. Neither the IRS Security Six nor the FTC Safeguards Rule provides size-based exemptions from MFA requirements. The FTC does allow firms to document why a specific system makes MFA technically infeasible, but this exception is narrow, rarely applicable, and requires formal written documentation. Convenience, cost, or staff preference are not valid justifications. Every major tax software platform includes MFA at no additional cost, and authenticator apps are free — the barrier to compliance is setup time, not expense.

Two-factor authentication (2FA) is a specific subset of multi-factor authentication (MFA). MFA is the broader term for any authentication system requiring two or more verification factors from distinct categories — something you know, something you have, and something you are. 2FA specifically refers to exactly two factors. In practice, the terms are used interchangeably in most tax software platforms and IRS guidance. Both satisfy the authentication requirements under IRS Publication 4557 and the FTC Safeguards Rule when properly implemented with factors from distinct categories.

Remote and mobile access requires MFA configured at multiple layers: at the VPN for network access, at the workstation login for device access, and at the tax software level for application access. This defense-in-depth approach ensures that compromising one authentication layer does not provide complete access. For staff in areas with limited cell coverage, hardware tokens like YubiKey work without a network connection and are a reliable backup. Establish clear written procedures for remote MFA scenarios in your WISP — including how staff request emergency access if their primary device is lost or unavailable — before the filing season begins.

At minimum, conduct a formal MFA review annually as part of your required WISP review. That review should confirm every in-scope system still has MFA enabled, verify that all current staff have completed MFA setup, remove MFA-enrolled devices for any staff who left the firm, update the system inventory if new platforms were added during the year, and test backup and recovery procedures. If your firm makes significant technology changes mid-year — adding new software, switching cloud providers, onboarding a large group of seasonal staff — conduct an interim MFA review at that time rather than waiting for the annual cycle.
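The annual review described in the "Staying Current" section and in this answer amounts to a set of checks over an inventory: every in-scope system enforces MFA, every current staff member is enrolled, departed staff have no enrolled devices, and privileged accounts do not rely on SMS. The Python below is an added example of those checks, not a tool from this article or from any vendor. The systems, users, methods and device names are constructed sample data for a hypothetical firm, and the field names are this example's own. It also emits the per-system method summary a WISP system inventory needs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample data for a hypothetical firm; none of it is real.
ROSTER: Set[str] = {"alice", "bob", "carol"}   # staff currently employed
DEPARTED: Set[str] = {"dave"}                  # left the firm during the year
ADMINS: Set[str] = {"alice"}                   # accounts with broad access to client records

# Methods the article treats as preferred over SMS for primary use.
STRONG_METHODS = {"app", "hardware", "push"}


@dataclass
class Enrollment:
    user: str
    method: str                        # "app", "hardware", "push", "sms" or "none"
    devices: List[str] = field(default_factory=list)


@dataclass
class System:
    name: str
    in_scope: bool                     # accesses, stores or transmits taxpayer data
    mfa_enforced: bool                 # platform policy requires MFA for every login
    enrollments: List[Enrollment] = field(default_factory=list)


SAMPLE_SYSTEMS = [
    System("Drake Tax", True, True, [
        Enrollment("alice", "app", ["alice-phone"]),
        Enrollment("bob", "app", ["bob-phone"]),
        Enrollment("carol", "sms", ["carol-phone"]),
        Enrollment("dave", "app", ["dave-phone"]),   # departed, device never removed
    ]),
    System("Microsoft 365", True, False, [          # MFA available but not enforced
        Enrollment("alice", "sms", ["alice-phone"]),
        Enrollment("bob", "app", ["bob-phone"]),
    ]),
    System("Marketing website CMS", False, False, []),  # holds no taxpayer data
]


def audit(systems: List[System], roster: Set[str], departed: Set[str], admins: Set[str]) -> List[str]:
    """Return one finding per gap the annual MFA review should surface."""
    findings: List[str] = []
    for s in systems:
        if not s.in_scope:
            continue  # out-of-scope systems are not part of the compliance review
        if not s.mfa_enforced:
            findings.append(f"{s.name}: MFA is not enforced on an in-scope system")
        enrolled = {e.user for e in s.enrollments if e.method != "none"}
        for user in sorted(roster - enrolled):
            findings.append(f"{s.name}: current staff member {user} has no MFA enrollment")
        for e in s.enrollments:
            if e.user in departed and e.devices:
                findings.append(f"{s.name}: departed user {e.user} still has enrolled device(s) "
                                f"{', '.join(e.devices)}")
            if e.user in admins and e.method not in STRONG_METHODS:
                findings.append(f"{s.name}: admin {e.user} relies on {e.method}; "
                                f"move to an authenticator app or hardware token")
    return findings


def wisp_inventory(systems: List[System]) -> List[Dict[str, object]]:
    """Per-system summary in the shape a WISP system inventory needs."""
    return [
        {"system": s.name, "mfa_enforced": s.mfa_enforced,
         "methods": sorted({e.method for e in s.enrollments if e.method != "none"})}
        for s in systems if s.in_scope
    ]


if __name__ == "__main__":
    for line in audit(SAMPLE_SYSTEMS, ROSTER, DEPARTED, ADMINS):
        print("FINDING:", line)
    for row in wisp_inventory(SAMPLE_SYSTEMS):
        print("INVENTORY:", row)
```

In practice the `SAMPLE_SYSTEMS` list would be filled from each platform's user export (for example the Intuit Team Management view mentioned above) and the roster from HR records; the findings list then becomes the evidence attached to the documented annual review.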
