The Internal Revenue Service has turned up security another notch on its suite of e-Services tools. The new process validates the user’s identity in two steps, making fraudulent logons much harder to complete.
The upgrade in security took place December 10.
Any e-Services user who hasn’t already created a Secure Access account through Get Transcript Online, the IP PIN tool, View Balance, or by exception processing in recent days will have to go through this new, more rigorous process to validate his or her identity. This includes all TIN Matching users and those who received Letter 5903 last December and authenticated their identity by telephone.
A news release outlining the e-Services changeover makes clear that the change is not optional for online users, or for the IRS itself.
“The IRS has been planning this move for more than a year and must make this change to meet federal information system standards. Additionally, cybercriminals increasingly are targeting tax professionals to steal e-Services usernames and passwords, putting taxpayer data at risk,” the news release states.
In the recent past, the IRS authenticated each e-Services user individually. Those registering for e-Services access were asked for their name, address, Social Security number, date of birth, adjusted gross income and filing status. Unfortunately, that limited amount of data is no longer enough to meet federal information system standards. Users will continue to be authenticated as individuals.
Here’s how Secure Access helps to do that:
- It strengthens the initial identity proofing process to make sure the person registering is who they say they are.
- It also strengthens security through a two-factor authentication process for returning users that helps prevent account takeover by cybercriminals. Two-factor authentication means you must have your credentials (username and password) plus a security code sent to your mobile phone or generated by your IRS2Go app each time you log in.
Once users have successfully authenticated their identity and established a Secure Access account for e-Services, no further action is required. It should be noted, however, that the Secure Access procedure will not allow users to script the login process.