Evette Davis: Welcome, and thank you for joining us for today's webinar, "Quick Security Tips from
the IRS. Use Multi-Factor Authentication." My name is Evette Davis. And I'm here with my
wonderful colleague, Karen Brehmer. We're both Senior Stakeholder Liaison in the Communications
and Liaison Division. We work with tax professionals and small business owners. And we do
outreach and education. And we also identify ways the agency can be more responsive to your
needs. We'll cover a few things about this webinar system. And then, we'll move on to today's
topic. In case, you experience a technology issue, this particular slide shows some helpful tips
and reminders. We've posted a technical help document. You can download from the Materials
section on the left side of your screen. Now, it provides the minimum system requirements for
viewing this webinar, along with some best practices and quick solutions. If you have completed
and passed your system check, and you are still having problems, try one of the following. The
first option is to close the screen where you're viewing the webinar, and then re-launch it. The
second option is to click on the setting on your browser viewing screen and select HLS. Closed
captioning, it is available for today's presentation. If you're having trouble hearing the audio
through your computer speakers, please click the closed captioning dropdown arrow located on the
left side of your screen. This feature will be available throughout the webinar. If you have
questions for us today, and we hope you do, please submit them by clicking the "Ask Question"
dropdown arrow. And this is going to reveal the text box. Type your question in the text box.
And then click "Send." Folks, this is very important. So please, please do not enter any
sensitive or taxpayer-specific information in that box. Okay, let's get started with today's
topic, "Quick Security Tips from the IRS. Use Multi-Factor Authentication." This week, the IRS,
state tax agencies and the tax industry, which is the partnership known as the Security Summit,
are marking the National Tax Security Awareness Week with a series of activities to highlight
security of your data and your identity. Now, there are several activities underway this week,
including this webinar. This is our second in a series of weeklong webinars, simply to highlight
ways to protect your data and your identity from theft. Let me go ahead and turn it over to my
wonderful colleague, Karen. Karen Brehmer: Thank you, Evette. Davis: It's all yours, Karen.
Karen Brehmer: Well, thanks. So, everyone, in the past 5 years, thanks to the combined efforts of the
Security Summit, we've seen a dramatic decline in the number of confirmed identity theft tax
returns. We've seen a decline in the amount of stolen refunds and in the number of people who are
reporting as identity theft victim. So that's good, but there's still more work to do. And we
really can't continue this progress without your help. We need everyone, individuals, businesses
and tax professionals to take the necessary security steps to protect their information and
data. One of the critical steps you can take is to better protect your online account. And you
can do that by creating strong passwords, by protecting those passwords using a password
manager, and finally, doubling that protection by using multi-factor authentication. And we did
touch on some of this in yesterday's webinar. But we want to take a deeper dive today. Let's talk
about passwords for a minute. You should all be familiar with passwords. You probably have a
bunch of them. But just what makes a strong password has been evolving. There's a government
bureau called National Institute of Standards and Technology, and the acronym for that is NIST.
And a couple of years ago, NIST rewrote its password guidance. And what the current guidance is,
is that people should use passphrases, not passwords. So their guidance says to create
passphrases that are easy for you to remember, instead of creating passwords that are maybe just
kind of gibberish with lot of random letters, characters and numbers. So one suggestion for
creating a passphrase is you could sit in your living room and you could look at 4 objects that
you see. So here's an example, you see vase, red, wall, table. So your passphrase could be vase
red wall table. Another suggestion is that passphrases should be as lengthy as allowed by the
account. So some account, some places you shop online or things you access online would allow
different lengths for the characters you can use. NIST suggests using 16 to 64 characters. Of
course, experts recommend using unique passwords or passphrases for each account. And the reason
for that is if a cyber thief steals your password from 1 account, then that gives him access to
many accounts, if you use that same password repeatedly. I'll turn it over to you Evette to
continue. Evette Davis: Thanks, Karen. And I sure hope my mom's on the line listening to this, because
she uses, well, anyway. So most of us do have several online accounts, right.
So we're creating a very long passphrase for each of our online accounts. That's a lot. And
we're going to have a lot of information or a lot of stuff to remember. That's where this
handy-dandy tool the password manager comes in. The Department of Homeland Security called
password managers, "The most secure way to store all your unique passwords." With a password
manager, you have only one master password for the manager itself. And that manager can generate
and retrieve passwords for every account you have. Some web browsers now offer password
managers, great. And there are also standalone apps that you can actually use. And you can find
reputable media outlets such as PC Magazine, or CNET, that's CNET.com, or Wirecutter at the New
York Times that reviews and ranks password manager application. Also so if you use strong and
unique passphrases or passwords for each online account, and if you use a password manager, help
you store and retrieve these passwords. There's one more step that can double your protection.
And that's called multi-factor authentication. Today, the Security Summit has actually already
issued a news release as a part of the National Tax Security Awareness Week, it simply
highlights the availability of stronger multi-factor authentication features on all online tax
prep products. You may also see it labeled as two-factor authentication or two-step
verification, but it all means the same thing. It goes by several different names. But don't
worry, the protection is still the same. On the next slide, Karen's going to explain more about
what this means. Karen, over to you? Karen Brehmer: Okay. Let's talk more about multi-factor
authentication. For most of your online accounts, you have a username and a password, and those
are called credentials, and those credentials verify your identity. You enter your credentials,
your username and your password to verify your identity and you're allowed to access your
account. Multi-factor authentication requires you to use an additional step to verify your
identity. For example, you might be sent a security code as a text message to your mobile phone.
And then you need to enter that security code to complete your login process. Most tax software
providers have offered multi-factor authentication for some time. But for 2021 providers agreed
to meet certain higher standards set by NIST and so multi-factor authentication will be offered
on all online tax prep products for both taxpayers and tax professionals. The only tax prep
products that are not yet covered by this are going to be those purchased over the counter, the
hard disk products. But we really recommend that you use as multi-factor authentication whether
you're a taxpayer doing your own tax return, or a tax return preparer with 1 client or 1,000
clients, everyone should use this feature. Multi-factor authentication is an easy free way to
really step up protection of your account. The use of multi-factor authentication is especially
important for tax professionals, who continue to be prime targets of identity thieves. We've
gotten a lot of reports of data theft that has happened to tax professionals this year. And we
have found that most of those data theft could have been avoided if the practitioner had used
multi-factor authentication to protect their tax software accounts. Because really no matter how
long or how strong your password is, or your passphrase, a breach is always possible, and all it
takes is for just one of your accounts to be hacked. And your personal information and your
other accounts can become accessible to cyber criminals. But with multi-factor authentication,
it's very unlikely that the cyber thieves will have stolen your phone. So the cyber thief is not
going to receive that necessary security code to access the account. I'll turn it over to Evette.
Evette Davis: Thank you, Karen. Okay, folks, so there are multiple options for multi-factor
authentication, you can have a security code, as Karen just mentioned, sent to your mobile phone
or see your e-mail account. Now initially, these codes were only sent to telephones right to
your phones. But then they added this as a feature because, believe it or not folks, there are
some folks still do not have or may not have access to a mobile phone. So now, these codes can
be sent to your e-mail accounts as well. But there are even more secure options for you to
consider. For example, taxpayers and tax practitioners can now download an authentication app to
their mobile device. In these apps are readily available through Google Play, or Apple's app
store, once properly configured, these particular apps will generate a temporary single-use
security code, which the user must enter in their tax software to complete authentication. Use a
search engine for authentication apps to learn more about the options that you have to choose
from. Now, while no product is foolproof, multi-factor authentication does dramatically reduce
the likelihood that taxpayers or even tax practitioners will become victims of identity theft.
Multi-factor authentication should be used wherever it is offered, for example, financial
accounts, social media accounts, cloud storage accounts, and popular e-mail providers all offer
multi-factor authentication options. If it's available, folks, please take advantage of using the
multi-factor authentication. Again, you will generally find the multi-factor authentication
option under your account security feature. Now, let's just take a moment to do a brief recap on
how you can protect your online account. First, use strong, long and unique passphrases to
protect your online account. Next, use a password manager to store and retrieve your password.
And then, finally, use multi-factor authentication option for your tax-prep product, if you do
your own taxes, and use it also for all your online accounts when it is offered, especially
financial, e-mail, and social media account. Okay, Karen, let me turn it over to you to bring us
on home. Karen Brehmer: Okay, thanks, Evette. So this brings us to the end of our second webinar, but
we are going to answer the questions that you've asked, so don't leave us just yet. And if you
haven't had a chance to enter your questions, please feel free to use the "Questions" tab and
enter your question and send it to us. We are, like I said, we are going to get to those questions
in a minute. But before we get there, we want you to know what's on tap for the rest of the
week. Please join us tomorrow, when we will talk about the Identity Protection PIN. We'll tell
you what it is and how you can get one. On Thursday, we have some tips for small businesses, who
are frequent targets of cyber criminals and will give small business owners some steps to
protect themselves in their business. And then, on Friday, we're going to review some of the
latest scams that we're seeing that are targeting taxpayers and tax-preparers, especially during
the pandemic. So we are going to take some of your questions now. And, Evette, I see one here
that I would like to have you answer if you would. The question is, "Is it mandatory to use
multi-factor authentication?" Evette Davis: Okay. So that's a great, great question, Karen. So, the
multi-factor authentication option is actually voluntary. Of course, the IRS and its partners
urge both taxpayers and tax professionals to use it. Remember, multi-factor authentication can
reduce, greatly reduce the likelihood of identity theft. And it just simply makes it more
difficult for thieves to get access to sensitive accounts. Now, while using multi-factor
authentication is voluntary, for those tax professionals on the line, remember safeguarding
taxpayer data is the law. So it is your duty to make sure that you do what you can within your
power to protect that data for individuals. For you, it's imperative that you protect your
personal information as well. And multi-factor authentication, while again voluntary, is
definitely something that you should implement, protect your data to prevent in as much as
possible any type of identity theft. All right, so for practitioners, let me just give them this
resource. Publication 4557 is a great tool. It talks about safeguarding taxpayer data. For
individuals and tax practitioners, we can go to, you can go to IRS.gov. We actually have Identity
Theft Central. That's got a ton of information there for folks to view. Okay, go ahead, Karen.
Let's see. Actually, Karen, let me ask you a question. Karen Brehmer: Okay. Evette Davis: I see one here that I
want you to answer. This person talks about, okay, "Do you have a recommended or IRS-approved
password manager company and/or companies that offer two-factor authentication for tax-preparers
to offer their clients?" Karen Brehmer: The answer is yes and no. There's not an IRS-approved password
manager. The IRS doesn't want to say this company is the best or this password manager is the
best. But if you remember earlier in the presentation today, we mentioned 3 sources that you
could go to, to learn more about password managers and pick one out. The 3 places we referred to
is PC Magazine. That's on the slide, in case you aren't catching it as you're hearing it.
Another source is CNET.com. And the third source is Wirecutter, which is part of New York Times.
Wirecutter is like a column in the New York Times. I just did a search for password manager using
Google. And I came up with an article on PC Magazine, an article on CNET.com, an article on
Wirecutter. And what those articles will do is they'll help you, first of all, say, "All right,
tell me more. What is a password manager? How does this work exactly?" And then, these websites,
they'll say here are 4 different companies that offer a password manager service. And here's the
pros and cons to each one or here's which one, how much they cost or et cetera. So, we can't say
to you today, "Use this one, it's the best." But we hope that those resources will help you learn
more about password managers and help you pick out one that's good for you. I have more to say
about password managers. But I'm going to save that to a little bit later and let's go to a
question for you Evette, okay? Evette Davis: All right, let's do it. Karen Brehmer: Well, here's kind of a
fluff question, if you don't mind taking it. "People want to know if they will be able to access
the video of this webinar or the webinars, we're doing this week. Can you tell people how they
can access them later or tell others about them in case they missed them?" Evette Davis: Yeah, you know
what, and this been, it's actually a great thing. If you want to view this webinar or any of the
other in the future or in the past that we've actually posted, you will be able to view these on
IRS.gov. Just go to our website, IRS.gov. And you can either do a search of webinars or you can
do a search specifically for National Tax Security Awareness Week. And you will be able to view
these webinars and others about identity theft, because we've had a ton of webinars about this
particular topic in the past. Karen Brehmer: Yeah, and let's just toss out one more resource for
people. You can go to IRS.gov to find recordings of these webinars, but another way is to go to
IRS Video Portal. And I will actually give you Evette Davis: IRSVideos.gov, yeah, IRSVideos.gov.
Karen Brehmer: Yeah, oops, we're both talking. Evette Davis: Sorry, sorry. Karen Brehmer: Okay, you say it
one more time. I'll shut up. All right. Evette Davis: I just said, IRSvideos.gov, but www.IRSvideos.gov.
Yes. Karen Brehmer: Okay. Thank you. Let me get you another one here, Evette. So, you were saying
earlier about that people can see where it makes sense for a tax professional to do a
multi-factor authentication. But it does seem like a lot of additional steps for an individual.
So is it really worthwhile for an individual to take all these steps? Evette Davis: Yeah. So Karen Brehmer:
Yeah. I don't know. Did you kind of already answered that or do you want to talk about it or?
Evette Davis: Yeah, I did talk about it just a little bit in another response. But no worries, that's
fine. So the bottom-line folks, if there is no foolproof product, right? You can only do the best
that you possibly can in multi-factor authentication is one of the tools or one of the best
tools that you can use to dramatically reduce the likelihood that you as a taxpayer will become
a victim of identity theft, right. For example, I'll just talk about one of the things that that
I use multi-factor authentication, and that's for financial accounts, right? All of us probably
use our phones to access our bank information, right? If you don't have a two-step authentication
process in place, and someone actually, it could gain access to your account, my bank,
specifically send me a code. And if I don't enter that code, and I'm not able to go any further
in accessing my account, right? If someone just like, I think, Karen mentioned earlier, is very,
very unlikely that someone will hack into your account, whatever it might be, and then have
access also to your phone. If I get that if I have a code with my cell phone, then that's going
to be the key to accessing my account, right? So is it mandatory? No. Is it definitely helpful
and necessary? In my personal opinion, yes, in order to safeguard your information in as much
as possible, I would suggest you look into multi-factor authentication. And someone else asked
another question, Karen, if you don't mind about the authentication app, and where they can go
to find it, and what can do to actually get the right one while the IRS again, we don't have our
own multi-factor authentication product itself. We just suggest that you go online and do a
Google search, okay, of different types of apps that you can actually download to your phone.
Those apps, they will give you instructions that one-step, two step, to as to how to actually
gain access, how to use these apps on your mobile phones. Okay. So hopefully, that makes some
sense. Karen? Karen Brehmer: Yeah. I wanted to say more about password manager I'm sorry, there's a
question in here about passphrases. Let's take that one first. So earlier in the presentation
today, we said you should use passphrases. And the person says, I've heard that hackers use
words from the dictionary to test passwords. If that's the case, a passphrase may be easily
identified by a hacker. And you're right, if you use a passphrase, the example we gave earlier
was red vase wall table or something like that. A suggestion is to put at some numbers in between
those words or some special characters in between those words. Or another suggestion I've heard
is, if you have the word wall as part of your passphrase, instead of doing wall and then a
special character at the end of the word wall, you put a special character in between you put W,
A, and then a special character and L, L. So using a passphrase by itself isn't a foolproof
ticket. And even a complicated passphrase isn't a foolproof ticket to avoid getting hacked, which
is again kind of comes back to why we're saying multi-factor authentication, no matter how long
or how complicated your passphrase or your password using the multi-factor authentication means
that the bad guy or bad girl, the hacker who's trying to do this, wouldn't be able to get the
code that sent to your cell phone or sent to you as a text or as an e-mail to that you need in
order to get into your account, so that's why the multi-factor authentication, another reason why
it's a great idea to use it whenever you can. You have some questions in here, Evette, that you
are seeing coming in, that you'd like to tackle? Evette Davis: Yeah, actually, I do. Someone mentioned,
someone asked a question. They say, the reason why I don't use multi-factor is in case of a
technical phone or text problem, they said they will get locked out of their account, any
suggestions around the technical phone problems? Well, with multi-factor authentication,
remember, there are multiple ways you can actually get that. That second code, if you will. It's
not just through your telephone. You can also set it up online to where you can request it or get
that through e-mail. So it's not just your phone, that where you can send the code, you can also
use an e-mail as an option to actually get the code so that you can move forward. So again, the
two-factor or the multi-factor authentication process is still going to be your best bet in
securing or ensuring that your information is protected. Okay. So you've got a couple of
options there that you can actually use, not just the cell phone, you can also request an e-mail
to get that secure code. Karen Brehmer: Yeah. Evette Davis: Yeah. Yeah. Karen Brehmer: So actually go ahead.
Evette Davis: Well, I was going to ask you a question here. They've got one in here. I thought it's kind
of similar to, you talk about the mobile device as well, it says, well, let's see what it says,
in implementing the well, we already talked about that. Okay. This first one Karen Brehmer: There is
one here about password managers. Evette Davis: Password managers. Yeah. Karen Brehmer: Should I take that one?
Evette Davis: Yeah, it says, I'm leery of password managers and/or program, because if that is hacked,
now a person can access all passwords from within? Karen Brehmer: And that is actually, I will tackle
that one. And that is not true. I do use a password manager in my personal life, my husband and
I have a password manager. And again, I can't tell you which one it is, because that would be
recommending a product, but we like it. And that company, that is the password manager company,
they don't store all of my passwords for Amazon and everything else that I sign into. So if the
hacker gets into the password manager company or the password manager program, they will not get
to my password. I'm not technical enough to explain why that's the case. But that's what their
website tells me. And I guess, I believe them that that if a password manager company is hacked,
if I suppose anything is possible, that the hacker is not getting access to my account, my
passwords and everything. So when you're trying to pick a password manager company or program,
check into that. Ask that company, how do you protect all of my passwords that that I'm putting
in your hands or I'm untrusting to you, it's a good question to ask. So if you I don't know if
you know the answer to this event, and if you do, you're brilliant. This person asked, if we use
multi-factor authentication for our professional tax software, will we still be logged out after
30 minutes if not working on the software? You know the answer? Evette Davis: You know what, Karen, I
just happened to know. Karen Brehmer: You see, that's why I asked you. Evette Davis: Okay. So this particular
question, it actually has nothing to do with multi-factor authentication. But the timing does set
up on your software itself. And you can actually change that to log you out after an hour or 30
minutes or 15 minutes, or whatever, when that particular software is standing, and note, there's
no activity, right? Just like on our business computers, if after a certain amount of time of
inactivity, it'll log you out, or it'll go to a safe screen. So that has less to do with
multi-factor authentication. So while, no, it won't prevent you from logging from timing you
out, because they do that because, again, that's another opportunity for your information to
be protected, if you will. It's kind of like a security or a safeguard, if you will. So while
that has nothing to do with multi-factor authentication, you can change the length of time that
it logs you out for inactivity, if you will, okay. So you have to go into your actually into
your security settings, and actually make changes to extend the time you're logged out if you'd
like to do that. But if you're like we are, if your computer is left standing with no activity,
yeah, it's going to shut. It's going to log you out. And that's just a security feature that's
there. That's the bottom line. Karen Brehmer: Okay. Evette Davis: So, yeah, all right. Okay. So, Karen, I have
a question that I want to ask you, they want to ask you, why and I don't know if you know
this, "Why do the Social Security Administration and other government agencies not require
complicated passwords?" Karen Brehmer: You know, I saw that question. And this is my answer for that
one. I think your password can be as complicated as you can make it. So let's just say you were
dealing with a company, a government or otherwise, that said, "You can't put in more than 12
characters." We just said earlier the recommended is like 16 to 64 characters, but I have a
couple places I do business with that have me do only 12 characters. Well, I can make that
password as complicated as I want to. And if I was writing it down on a piece of paper, I could
write it down. And that's where available to me or if I have a password manager, I could store
that password manager store that password in the password manager. So I know that sometimes
places will say, "Well, you can use these special characters, but not those special characters."
But just take what you're given and make the password as complicated as you can be and it can be.
One more question. I'll toss this one your way, Evette. The person asks, "How often do you
recommend changing a password?" Evette Davis: Okay, so now you're asking me Karen Brehmer: Or do you want to
take it or do you want to take some other question that you see here that you'd like to take
for our last question today? Evette Davis: Not well, let's see. No, that's fine. So you're and we
can we got about another minute, so we might be able to throw another one in there. So when it
comes to, "How often you change your password?" usually there's going to you're going to have a
recommended time, right, to change your password. Some passwords are changed every 6 months.
Some are recommended that recommend that you change the password every 90 days or every 60
days. So actually, it just depends on you and your system. And the system you're using may
actually give you a recommended timeframe to change the password or may give you a recommended or
a required timeframe to change your password. Okay. So for each individual it's going to
probably be a different answer, a different response. For me, I've got several different
passwords and they just like I just said, have different timeframes, where they recommend that I
change it 90 days, 6 months. And it gives you a prompt to let you know, "Okay, hey, you've got 2
weeks before it's time to change your password. You've got 3 days before it's time to change your
password or you will be locked out of the system." Okay. Does that make sense? Karen, what do
you think? Karen Brehmer: Yeah, that makes sense. That makes sense. Thank you, Evette. Evette Davis: Okay. All
right. Okay. Well, folks, I'm sorry to say, it looks like we are at the end of our Q&A. Let's
see. Do we have time for one more question? Well, no, it looks like we are totally Karen Brehmer:
Totally out of time. Evette Davis: All right. Okay. No worries. So that's all the time we have for
questions. And, folks, please, we would appreciate it if you would just take a few minutes to
complete a short evaluation before you exit. If you'd like to have more sessions like this one,
just let us know that. If you have thoughts on how we can make them better, let us know that as
well. If you have any requests for future webinar topics or pertinent information that you would
like to see in an IRS Factsheet or Tax Tip or an FAQ on IRS.gov, then please include your
suggestions in the comment section of the survey. Click the survey button on your screen to begin.
If it doesn't come up, check to make sure you disable your pop-up blocker. Folks, it's been a
pleasure to be here with you. And Karen and I and the Internal Revenue Service would like to
thank you for attending today's webinar. You may exit the webinar at this time.