Tax Tips Logo ImageISSUE

As a follow-up to last week’s “Tax Tips,” let’s look closer at one of the safeguards that the IRS and “Security Summit” noted in their reports.  Part 2 of the Security Summit Tips for Tax Professionals is entitled, “Use Multi-Factor Authentication to Protect Accounts.”


Troas Bible College (TBC) is a private college exempt under Internal Revenue Code section 501(c)(3) and 170(b)(1)(A)(ii).  They are required to file Form 990 annually.

As we are doing the virtual fieldwork for TBC’s June 30, 2020 audit, we’ve been looking at cybersecurity issues with them.  TBC has appointed a point person and done an assessment of cybersecurity risks.  In addition, TBC has documented the safeguards put in place in response to identified risks.  After reading “Tax Tips” last week, they are interested in multi-factor authentication.

We inform them that this process involves linking specified users’ cell phones to various software processes as a safeguard.  A multi-factor or two-factor authentication offers an extra layer of protection for the username and password used by approved users. It often involves a security code sent via text. When approved users login to the multi-factor-protected application, a code is sent to their cell phone.  Generally, the user will have a choice of sending a one-touch signal back to the software from their phone or physically entering the code (e.g. 803-047) into the second-level login of the software.

Multi-factor authentication apps may be downloaded from the “App Stores” or purchased from various vendors.  Entering “Authentication apps” into your search engine of choice should provide ample information about which product may work best for you.


From IR-2020-170, July 28, 2020:

Using multi-factor authentication is the second in a five-part series called Working Virtually: Protecting Tax Data at Home and at Work. The public awareness initiative by the IRS, state tax agencies and the private-sector tax industry – working together as the Security Summit – spotlights basic security steps for all practitioners, but especially those working remotely or social distancing in response to COVID-19.

“Cybercriminals continue to find new ways to try accessing tax professional and taxpayer data. The multi-factor authentication option is an easy, free way to really step up protection of client data,” said IRS Commissioner Chuck Rettig.

[Institutions] can download to their mobile phones readily available authentication apps offered through Google Play or the Apple Store. These apps will generate a security code. Codes also may be sent to practitioner’s email or text but those are not as secure as the authentication apps. Use a search engine for “Authentication apps” to learn more.


  • Every institution should have a trained “Cybersecurity Point Person.”
  • Your Cybersecurity “quiver” should contain resources, training, and apps.
  • The IRS has mandated that tax software solution providers must employ multi-factor authentication beginning with the 2021 tax season.
  • Do a little homework to discern whether this safeguard is a viable resource for your institution.

Specific questions? Email Dave Moja

The information provided herein presents general information and should not be relied on as accounting, tax, or legal advice when analyzing and resolving a specific tax issue. If you have specific questions regarding a particular fact situation, please consult with competent accounting, tax, and/or legal counsel about the facts and laws that apply.

© 2020 Moja & Company, LLC