Only Accounts Established Using Detailed Secure Access Methods Will Now Have Access to e-Services Accounts
The IRS announced on their website page “e-Services - Online Tools for Tax Professionals” [1] that all access to e-Services beginning on December 10, 2017 requires the use of an account that was established using the IRS’s Secure Access authentication. If a professional has not established an e-Services account by going through the more detailed process, the professional will be required to sign up again using the more detailed (and difficult to complete) process.
Secure Access is meant to make it more difficult for an individual to impersonate a taxpayer or professional. As the IRS describes the program in their announcement made on December 8 [2]:
Secure Access helps protect online tools in two ways: it has a more rigorous identity-proofing process which helps ensure the users are who they say they are, and it requires returning users to use a two-factor access process by entering their credentials (username and password) plus a security code sent as a text message to their mobile phone or a security code generated by the new IRS2Go app feature. This two-factor authentication process meets required federal standards for protecting information.
While the IRS is technically correct that both methods are currently allowed under the National Institute of Standards and Technology (NIST) standards, the use of SMS as the two-factor vehicle is less secure, and NIST has stated it is being deprecated and may no longer be acceptable at some point in the future. [3] NIST issued this statement over a year ago.
Thus, for long-term purposes, professionals may wish to consider the IRS’s IRS2Go authentication system, which uses a username and key entered into the application. The IRS does not indicate whether this system is compatible with the widely available authentication system first made popular by Google Authenticator or whether it is an IRS-only system. If the latter, advisers will need to load this program onto their phones along with more traditional authenticator programs. In addition, the system (at least on Android phones) appears to require entering the code rather than using the simpler scan of a code displayed on screen.
The IRS2Go application can be downloaded from the Android Play Store (for Android phones and tablets) or Apple App Store (for iPhones and iPads).
[1] https://www.irs.gov/tax-professionals/e-services-online-tools-for-tax-professionals
[2] A copy of this PDF was posted by Tax Analysts for their Tax Notes service, 2017 TNT 236-43, 12/11/17.
[3] http://www.zdnet.com/article/nist-blog-clarifies-sms-deprecation-in-wake-of-media-tailspin/, July 29, 2016