Why SMS-Based 2FA is Not Secure and How You Can Protect Your Data with TaxDome

Accounting firms continue to face increasing threats from cybercriminals using phishing attempts, malware, and data theft to steal confidential client information and financial data.

Unfortunately, most small and medium-sized firms lack the sophisticated defense infrastructure of larger firms, making them more vulnerable to cyber-attacks.

With heightened threats due to COVID-19, tax professionals have been called upon to safeguard taxpayer data by implementing an extra layer of security with two-factor authentication (2FA) options. Requiring that extra step for users to prove their identity reduces a bad actor’s chances of gaining access to confidential data.

In this article, we’re going to look at:

  • What is 2FA and why it’s important
  • Why SMS based 2FA is bad (what others who claim they have 2FA often use)
  • Why security is so important

What is 2FA and why it’s important

Two-factor authentication adds an extra layer of protection for the username and password used by users. It offers an easy and free way to step up the protection of client data. In fact, starting in 2021, the IRS mandates multi-factor authentication for all tax prep systems as part of a broader effort to protect taxpayers, tax professionals, and the larger tax community.

Why 2FA is important:

  • Protect your firm software account and client accounts
  • Take control of your own security
  • Protect your devices and identity
  • Increase cybersecurity threat protection for your practice management
  • Easy to use and more secure than passwords
  • Prevent cascading failure in case you’re compromised on some level

According to the IRS, most of the data thefts reported to them this year could have been avoided had the practitioners used 2FA to protect tax software accounts. The two main types of 2FA used today:

  • SMS-based 2FA that sends an SMS code to the cell phone that should be entered to access the account
  • App-based 2FA that uses an authentication app to generate a security code to gain access to an account

While both work well, app-based 2FA is more secure than SMS-based one-time codes or telephone-based authentication. Which is why TaxDome offers a reliable app-based 2FA for both team members and clients.

Why SMS-based 2FA is bad

Many firms have adopted SMS-based two-factor authentication as a security authentication process. An SMS with a one-time code is often sent to the user’s phone to ensure secure app access. While many firms believe this solution makes account or app access more secure, it’s putting them and their clients at risk of emerging cybersecurity threats like SIM swapping or porting.

Chances are one or several of the platforms or service providers you use today utilize SMS-based 2FA - from Google to Facebook. The idea behind this extra layer of security is that, even if someone accesses your username and password, they won’t log in without access to your SMS messages. That’s great, but it opens up other vulnerabilities that hackers are exploiting with success - the SIM port/swap exploit.

How does SIM swapping or porting work?

Cybercriminals play on human error of customer service operators at telecommunication providers. They use pressure, charm, financial rewards, and other persuasion techniques to persuade operators to ‘switch’ a target’s phone number from the SIM in their phone to a SIM in a new device that’s in their possession or under control of the hacker.

That’s what happened when Twitter’s CEO Twitter account was recently hacked. In some cases, hackers will even sway operators to think they’re the victims or use other smart techniques, achieving astonishingly great success. With increasing reports of hackers using this exploit successfully, SMS-based 2FA is no longer secure for your practice management.

What’s the solution for tax firms?

The best solution for tax firms is to adopt app-based 2FA solutions that require you and your clients to install an authentication app, like Google Authenticator or Microsoft Authenticator on the smartphone, which then provides a security code for account access. This is a more secure option than SMS-based 2FA and should be a priority for improving cyberthreat protection.

TaxDome, an all-in-one integrated solution for tax firms, provides this level of two-factor authentication for your practice management. With the additional step of authenticating a user’s identity, it’s much harder for cybercriminals to access data, even when private credentials are compromised. TaxDome provides app-based 2FA for all users across your firm.

Unlike SMS 2FA, which is still used by some practice management software and applications, TaxDome’s app-based 2FA solution offers increased protection in the client portal - a pin or biometric authentication to ensure secure access and peace of mind. In addition to tax software accounts, you should also use this secure 2FA option when accessing other products like emails and cloud storage.

TaxDome’s Firm portal is protected with app-based 2FA; and Client Portal - with a pin or biometric authentication.

Why security is so important for your practice management

There’s no doubt that security is a top priority for tax professionals today. Data thefts at tax firms are on the rise, and identity thieves are becoming more sophisticated as they try to get more taxpayer data to file fraudulent tax returns. Whether you’re a sole practitioner, a large tax firm, or an authorized IRS e-File Provider, you’re required to protect taxpayer data by the law.

You must create and enact security plans to protect client data. Failure to do so may result in FTC investigations. Data security is so crucial for your practice management as it protects your business and your clients. By implementing the right steps, you can prevent the loss of clients, money, and reputation due to a data breach and the ensuing legal cases.

Engage data security experts for help and also check with your professional liability provider about data theft coverage. Manage your tax practice workflow, billing, time tracking, client portal, and more with TaxDome’s automated and secure workflow management portal.

Join demo