Tax-refund fraud in 2016 reached about $21 billion, up from just $6.5 billion in 2014, according to the IRS. With recent rises in tax-related identity theft and phishing attacks, thieves can take over the credentials of firm staff or their clients to gain access to confidential financial data including tax returns, financial statements and more. Simple passwords – or even complex passwords requiring various combinations of letters, numbers and special characters – may not be enough to protect sensitive firm and client data.
It’s easier than you might think for someone to steal your password.
Here are several common actions that create a risk of password theft for you or your clients:
- Using the same password on multiple websites
- Using the same password for email and websites
- Not resetting passwords regularly
- Downloading software from the Internet
- Clicking on links in email messages
- Writing down your password
- Sharing your password with others, even “trusted” friends or co-workers
2-Step Verification (sometimes referred to as multi-factor authentication) is one way to combat stolen passwords. Multi-factor authentication systems rely on verification of 2 or more factors from the following three groups:
- First: Something you know, such as your user ID and password
- Second: Something you have, such as your mobile device
- Third: Something you are, such as your fingerprint or other biometrics
The password is a single factor in the authentication process that verifies a user’s identity. 2-Step Verification requires a second factor in addition to the password as part of the authentication process. This requirement adds another layer of protection against hacking and fraud attempts. If a bad guy hacks through your password layer, he’ll still need your phone or access to your email account to get into your Portal account.
How to Enable 2-Step Verification in CCH Axcess Portal and Client Axcess
2-Step Verification is optional – but we highly recommend it. The firm administrator must explicitly enable this feature. Once enabled, 2-Step Verification cannot be disabled because it could leave users without a way to reset their passwords. To enable 2-Step Verification, the Firm Administrator user should log into the Client Axcess web interface from a desktop computer, then click on the new Cog (gear) icon and then select 2-Step Verification. On the next screen, check the box indicating you understand that once enabled, 2-Step Verification cannot be disabled. Then click the Enable button. You will see one more prompt to confirm that you understand. Call us overly cautious, but we wanted to make sure no one accidentally enables this feature. Click Yes to enable or click No to keep things just the way they are.
Enabling 2-Step Verification affects firm staff and client users. All users will need to verify their identity the first time they log in after the firm enables 2-Step Verification.
How does it work?
After enabling 2-Step Verification, new users will receive only one email notification (instead of the 3 they receive today) with a link to verify their account. When they click on the link they are asked to verify their identity. Depending on whether your firm has stored telephone numbers for its staff and clients, users will elect to receive a one-time passcode via e-mail or SMS text or users will receive a voice message and must follow the prompts.
To verify their identity, the user must provide the correct one-time passcode. The code expires after 5 minutes for added security. If the code expires, the user will need to request a new code. This process may be familiar to you or your clients as many banks and financial institutions, and email providers like Gmail and Hotmail have also implemented 2-Step Verification or Multi-Factor Authentication solutions in their online products.
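The one-time passcode check described above can be sketched as follows. This is an added illustration, not code from CCH Axcess Portal or Wolters Kluwer. The 5-minute expiry comes from this page; the 6-digit code length, the attempt limit, and the names `PasscodeStore`, `issue` and `verify` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # from the page: the code expires after 5 minutes
MAX_ATTEMPTS = 5           # assumption: the page does not state an attempt limit


class PasscodeStore:
    """In-memory store of pending one-time passcodes, keyed by user ID."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # user_id -> [code_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Keep only a digest so the plain code is not held after delivery.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id):
        """Create a code; requesting a new code replaces any earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit format
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        return code  # delivered out of band: e-mail, SMS text or voice

    def verify(self, user_id, submitted):
        """Return 'ok', 'expired', 'invalid' or 'locked'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "invalid"
        code_digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[user_id]
            return "expired"  # the user must request a new code
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(code_digest, self._digest(submitted)):
            del self._pending[user_id]  # single use: a code cannot be replayed
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user_id]  # stop guessing against this code
            return "locked"
        return "invalid"
```

The short expiry and single-use deletion limit the window in which an intercepted code is useful, and the attempt limit keeps a 6-digit code from being guessed within that window.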
Next, new users will be prompted to create their complex password (8+ characters, at least one uppercase and lowercase letter, at least one number and at least one special character). Note that enabling 2-Step Verification eliminates the need for security questions and answers.
Existing users who have already provided their password will go directly to the user’s home page. Their device is registered, and they don’t need to repeat the process on that device/browser for 90 days. Deleting the browser’s cache will require re-verification. We’ve created a 2-1/2 minute video that shows what the experience will be like for staff and clients.
Keeping your clients and your firm safe
2-Step Verification will be available in late July 2017 for customers using the “Standalone” version of CCH Axcess Portal and CCH Client Axcess. For customers using CCH Axcess Portal integrated with either CCH Axcess Document or ProSystem fx Document, 2-Step Verification will be available starting in November 2017.
The accounting profession is a cyber-thief’s dream due to the sensitive information available and processed through most firms. At Wolters Kluwer, we understand that cyber-security is of the utmost importance in protecting the personal information of your clients and the reputation of the firm. That’s why we’re constantly evolving our security standards, practices and product features. Together with the IRS, we are continuing to make strides in protecting tax professionals and their clients against threats by cyber criminals or internal attacks. We are committed to fighting and preventing tax return fraud and identity theft with the latest security advancements.