Skip to content

The MFA Requirement for Tax Professionals: What the Rule Says, What the IRS Added, and the One Exception

Checked against the primary record: July 18, 2026Element adopted: December 9, 2021 (86 FR 70307); section last amended November 13, 2023 (88 FR 77508, breach notification)

Dolev Arama, Founder/Last updated July 19, 2026/Every figure primary-sourced

The short answer

Yes, multi-factor authentication is required. It is one of the FTC Safeguards Rule's named safeguards (16 CFR 314.4(c)(5)), binding on covered tax firms since June 9, 2023, and the IRS put its own weight behind it in August 2024. One narrow exception exists: your Qualified Individual can approve, in writing, reasonably equivalent or more secure controls.

This page explains the multi-factor authentication requirement in the FTC Safeguards Rule and the IRS guidance built on it. It is general information, not legal advice for your specific situation. For that, consult a qualified professional.

Multi-factor authentication is a binding requirement for tax practices, and it helps to know which of the two agencies talking about it actually holds the pen. The duty comes from the FTC: the Safeguards Rule applies to tax preparation firms as "financial institutions," and MFA sits fifth on the list of eight concrete safeguards inside the rule's element map. It has been enforceable for covered firms since June 9, 2023. The IRS, which does not write this rule, spent August 2024 making sure preparers noticed it: "All tax professionals are now required under the Federal Trade Commission's safeguards rule to use multi-factor authentication, or MFA, to protect clients' sensitive information" (IR-2024-201, August 6, 2024). Then-Commissioner Danny Werfel put it in one sentence: "Multi-factor authentication is now more than just a good idea for tax professionals; it's a requirement." Here is the requirement in the regulation's own words:

Primary record

16 CFR § 314.4(c)(5) · Elements

Implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls;
Prepared by Safeguards Monitor from 16 CFR 314.4 (eCFR), current as of July 2026.
86 FR 70307, Dec. 9, 2021 · Verified July 18, 2026

Read the sentence closely and it settles three questions the field keeps reopening. It applies to "any individual accessing any information system," which is wider than your tax software and wider than your staff, as the scope section below walks through. Its only exit runs through one named person, your Qualified Individual, and only in writing. And it does not say "two-factor" or "MFA where offered"; the rule defines multi-factor authentication precisely, which is where what counts gets decided.

What counts as multi-factor authentication?

The rule carries its own definition, so nobody has to guess. Multi-factor authentication means "authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics" (16 CFR 314.2). The operative words are "types of": two factors drawn from the same category do not meet the definition, no matter how many of them you stack. IR-2024-201 restates the same three categories in plain English: something a user knows, something they have, and something unique to them.

The rule's three factor types, one setup that fails the definition, and one that fails the program
Factor typeWhat the rule gives as examplesIn a tax practice
Knowledge (something you know)A passwordPasswords, PINs, security questions. On their own, or in any combination with each other, these are one factor type.
Possession (something you have)A tokenA code texted to a phone, an authenticator app, a hardware key. Pub 5708's own template names text-message and app-based codes in its user access policy.
Inherence (something you are)Biometric characteristicsA fingerprint or face sign-in to the machine or software you are logging into. A biometric that only unlocks the phone holding your codes strengthens the possession factor; it is not a third factor type of the covered login.
Not MFA: one factor, repeatedTwo of the same typeA password plus a security question is two knowledge factors. It does not satisfy the definition.
Fails the program anyway: a shared loginShared credentialsA shared login can still verify two factor types, but IR-2024-201 is explicit that usernames should never be shared, and sharing breaks the audit trail MFA is meant to protect.
Prepared by Safeguards Monitor from the definitions at 16 CFR 314.2 (eCFR) and IR-2024-201, current as of July 2026.

This is also where the 2FA-versus-MFA question resolves. Two-factor authentication is simply multi-factor authentication with exactly two factors. A login that verifies two different factor types, a password plus an authenticator code, say, meets the rule's definition whichever label the vendor prints on it. The vocabulary in IRS materials has shifted over the years (the timeline below has the dates); the duty did not turn on the label at any point.

Which systems does the duty cover?

More than tax software. The requirement reaches "any information system," and the rule defines an information system as a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information, "or connected to a system containing customer information" (16 CFR 314.2). That connected-to clause is the part the tax-software-only framing misses. The email account where client documents arrive, the cloud folder where returns are stored, the remote-desktop tool that reaches the office machine: each either contains client information or connects to a system that does. Even the FTC's own November 2022 press release compressed the duty to "any individual accessing customer information"; the regulation's operative text is broader than that summary, and the text is what binds.

Two clarifications save time here. First, "any individual" is not limited to your employees: the rule separately defines an authorized user to include "any employee, contractor, agent, customer, or other person" with access to your information systems, so a seasonal contractor or an outside bookkeeper logging in is inside the duty. Second, a caution about a page you may find while searching: irs.gov hosts a page titled "Multifactor authentication implementation," and it is written for government agencies handling federal tax information under Publication 1075, not for tax practices (its token and cryptography standards bind agencies; page last reviewed June 28, 2026, checked July 18, 2026). The preparer-facing records are the rule itself, IR-2024-201, and Publication 5708. And one forward note: when a cyber insurance application asks about MFA in writing, a firm that can answer from its written plan rather than from memory is in a stronger position on a second front.

How do you roll it out across the practice?

The honest version of this job is a sequence, not a switch. Work through the systems in the order client data actually flows, and record each step as you go:

  1. Tax software first. It holds the most concentrated client data, and IR-2024-201 is blunter here than anywhere else: "Opting out of using MFA in tax prep software is a violation of the FTC safeguards rules." Turn it on for every user account, and give each person their own login. Usernames are never shared.
  2. Email second. Client documents, transcripts, and identity data move through it, and it connects to everything else. Enable MFA on the mailbox itself, not just the computer it opens on.
  3. Cloud storage and client portals. Any folder or portal holding returns, source documents, or organizer data is an information system under the rule's definition. Apply the same two-factor-type standard there.
  4. Remote access. If anyone reaches the office network or machines from outside, that path needs MFA. The IRS's own template treats this as non-negotiable: Publication 5708's remote-access language allows remote access only with multi-factor authentication (Rev. 8-2024).
  5. e-Services and EFIN credentials. Your IRS accounts guard the keys to your filing identity, and why EFIN and e-Services credentials are a prime target is its own subject. Use an authenticator where offered, and monitor the account.
  6. Write it down. The rule asks for a written program, not a collection of good settings. Record where MFA is on, which factor types each system uses, and any exception your Qualified Individual has approved. That record is what turns the settings into a program.

What is the written exception, and when does it apply?

The clause highlighted in the plate above is the rule's only exit, and it is narrower than it first reads. Three limits are built into its words. The decision belongs to one person: your Qualified Individual, the person your program names as responsible for it, not a vendor, not the software's defaults, not the firm generally. The decision must exist in writing; an exception nobody wrote down is not the exception the rule describes. And the writing must approve "reasonably equivalent or more secure access controls," which means it approves a replacement control measured against MFA, never the absence of one.

What should the writing contain? The rule does not prescribe a format, so the cautious approach is to document what the clause itself turns on: the system covered, the alternative control in place, the reasoning that makes it reasonably equivalent to or more secure than multi-factor authentication, the date, and the Qualified Individual's signature. Be honest about the standard, though: "reasonably equivalent" is not defined anywhere in the rule. The phrase appears in Part 314 exactly once, in the exception you just read, and no definition of it appears in any of the part's six sections; we read the full part, 314.1 through 314.6, on July 18, 2026. Whether a given control clears that bar is a professional judgment the regulation leaves open, and this page will not pretend otherwise.

Whether an alternative control is reasonably equivalent to MFA is exactly the kind of judgment the rule leaves undefined. If your firm is considering the written exception, have a qualified professional review the alternative control and the written approval before you rely on either.

When did this become required?

The dates matter, because the field routinely misplaces them. The MFA element entered the rule on December 9, 2021, with publication of the FTC's revised Safeguards Rule (86 FR 70307). Compliance for a block of the new provisions, MFA among them, was originally due in December 2022; on November 15, 2022 the FTC extended that deadline six months, naming multi-factor authentication in the extended list. The duty has therefore bound covered firms since June 9, 2023. When IR-2024-201 said "now required" in August 2024, the IRS was amplifying a rule that had been in force for over a year, not announcing a new one; the same month's Publication 5708 revision (Rev. 8-2024) wrote the rule's own MFA formulation into the IRS template. A firm dating its duty from the IRS reminder starts fourteen months late.

The vocabulary trail runs alongside the legal one, and it explains most of the 2FA confusion. The IRS's 2019 Security Six campaign said "two-factor authentication" and framed it as a protection preparers "should use" (Tax Tip 2019-117, August 27, 2019). Its living checklist page still says "Opt for two-factor authentication when it's offered" (last reviewed October 8, 2025; we checked it on July 18, 2026). The 2024 materials switched to the rule's term and the rule's mandatory framing. The Security Six and where it stands is its own story; what matters here is the direction of travel: from a recommended extra layer, described loosely, to a defined term with a regulation behind it.

FAQ

Does the code my tax software texts me count as MFA?

Generally yes. A password is a knowledge factor and a code sent to your phone is a possession factor, so the combination verifies two different factor types and meets the rule's definition at 16 CFR 314.2. The rule does not rank factor strengths or prohibit text-message codes; Publication 5708's own template names text-message and authenticator-app codes in its user access policy. An authenticator app or hardware key is a stronger possession factor where your software offers one, but that is a hardening choice, not a requirement the rule imposes.

Is MFA required for a solo preparer with no staff?

Yes. The requirement covers "any individual accessing any information system," and a solo practice has at least one of each: you. A solo firm preparing returns for compensation is a covered financial institution (the coverage chain is its own section), and in a one-person firm the owner typically serves as the Qualified Individual too, which means the written-exception power and the duty it modifies sit in the same chair. Nothing in 314.4(c)(5) keys the duty to headcount.

Does the under-5,000 exemption waive MFA?

No. The small-firm exception at 16 CFR 314.6 lifts exactly four paragraphs: 314.4(b)(1), (d)(2), (h), and (i). The safeguards list at (c), where MFA sits at (c)(5), is not among them, so all eight concrete safeguards, multi-factor authentication included, bind a firm of any size that the rule covers. The exception removes four process items, not this control.

Can the Qualified Individual just approve skipping MFA?

No. The written exception only lets the Qualified Individual approve "reasonably equivalent or more secure access controls" in MFA's place. It is an authorization to substitute, not to waive: a writing that approves having no comparable control is outside what the clause permits. And because "reasonably equivalent" is undefined anywhere in Part 314 (the full-part check above, dated July 18, 2026), a firm using the exception should expect to defend that judgment on paper.

Where is this written?

The requirement is 16 CFR 314.4(c)(5), quoted in full above; the definition of multi-factor authentication is in 16 CFR 314.2; and the IRS amplification is IR-2024-201 (August 6, 2024). We verified the rule text against the live eCFR on July 18, 2026; if it changes, the dates on this page will say so.

The bottom line

MFA for a tax practice is a settled legal duty with precise edges: required by the FTC's rule since June 9, 2023, defined as two of three factor types, applied to every system that holds or touches client information, and excusable only by your Qualified Individual, in writing, for controls reasonably equivalent or more secure. The IRS did not create the duty in 2024; it turned up the volume on it. Turn it on across the stack, then put it in the plan.