Evette Davis: Welcome, and thank you for joining us for today's webinar, "Quick Security Tips from the IRS. Use Multi-Factor Authentication." My name is Evette Davis. And I'm here with my wonderful colleague, Karen Brehmer. We're both Senior Stakeholder Liaison in the Communications and Liaison Division. We work with tax professionals and small business owners. And we do outreach and education. And we also identify ways the agency can be more responsive to your needs. We'll cover a few things about this webinar system. And then, we'll move on to today's topic. In case, you experience a technology issue, this particular slide shows some helpful tips and reminders. We've posted a technical help document. You can download from the Materials section on the left side of your screen. Now, it provides the minimum system requirements for viewing this webinar, along with some best practices and quick solutions. If you have completed and passed your system check, and you are still having problems, try one of the following. The first option is to close the screen where you're viewing the webinar, and then re-launch it. The second option is to click on the setting on your browser viewing screen and select HLS. Closed captioning, it is available for today's presentation. If you're having trouble hearing the audio through your computer speakers, please click the closed captioning dropdown arrow located on the left side of your screen. This feature will be available throughout the webinar. If you have questions for us today, and we hope you do, please submit them by clicking the "Ask Question" dropdown arrow. And this is going to reveal the text box. Type your question in the text box.

And then click "Send." Folks, this is very important. So please, please do not enter any sensitive or taxpayer-specific information in that box. Okay, let's get started with today's topic, "Quick Security Tips from the IRS. Use Multi-Factor Authentication." This week, the IRS, state tax agencies and the tax industry, which is the partnership known as the Security Summit, are marking the National Tax Security Awareness Week with a series of activities to highlight security of your data and your identity. Now, there are several activities underway this week, including this webinar. This is our second in a series of weeklong webinars, simply to highlight ways to protect your data and your identity from theft. Let me go ahead and turn it over to my wonderful colleague, Karen. Karen Brehmer: Thank you, Evette. Davis: It's all yours, Karen.

Karen Brehmer: Well, thanks. So, everyone, in the past 5 years, thanks to the combined efforts of the Security Summit, we've seen a dramatic decline in the number of confirmed identity theft tax returns. We've seen a decline in the amount of stolen refunds and in the number of people who are reporting as identity theft victim. So that's good, but there's still more work to do. And we really can't continue this progress without your help. We need everyone, individuals, businesses and tax professionals to take the necessary security steps to protect their information and data. One of the critical steps you can take is to better protect your online account. And you can do that by creating strong passwords, by protecting those passwords using a password manager, and finally, doubling that protection by using multi-factor authentication. And we did touch on some of this in yesterday's webinar. But we want to take a deeper dive today. Let's talk about passwords for a minute. You should all be familiar with passwords. You probably have a bunch of them. But just what makes a strong password has been evolving. There's a government bureau called National Institute of Standards and Technology, and the acronym for that is NIST.

And a couple of years ago, NIST rewrote its password guidance. And what the current guidance is, is that people should use passphrases, not passwords. So their guidance says to create passphrases that are easy for you to remember, instead of creating passwords that are maybe just kind of gibberish with lot of random letters, characters and numbers. So one suggestion for creating a passphrase is you could sit in your living room and you could look at 4 objects that you see. So here's an example, you see vase, red, wall, table. So your passphrase could be vase red wall table. Another suggestion is that passphrases should be as lengthy as allowed by the account. So some account, some places you shop online or things you access online would allow different lengths for the characters you can use. NIST suggests using 16 to 64 characters. Of course, experts recommend using unique passwords or passphrases for each account. And the reason for that is if a cyber thief steals your password from 1 account, then that gives him access to many accounts, if you use that same password repeatedly. I'll turn it over to you Evette to continue. Evette Davis: Thanks, Karen. And I sure hope my mom's on the line listening to this, because she uses, well, anyway. So most of us do have several online accounts, right.

So we're creating a very long passphrase for each of our online accounts. That's a lot. And we're going to have a lot of information or a lot of stuff to remember. That's where this handy-dandy tool the password manager comes in. The Department of Homeland Security called password managers, "The most secure way to store all your unique passwords." With a password manager, you have only one master password for the manager itself. And that manager can generate and retrieve passwords for every account you have. Some web browsers now offer password managers, great. And there are also standalone apps that you can actually use. And you can find reputable media outlets such as PC Magazine, or CNET, that's CNET.com, or Wirecutter at the New York Times that reviews and ranks password manager application. Also so if you use strong and unique passphrases or passwords for each online account, and if you use a password manager, help you store and retrieve these passwords. There's one more step that can double your protection.

And that's called multi-factor authentication. Today, the Security Summit has actually already issued a news release as a part of the National Tax Security Awareness Week, it simply highlights the availability of stronger multi-factor authentication features on all online tax prep products. You may also see it labeled as two-factor authentication or two-step verification, but it all means the same thing. It goes by several different names. But don't worry, the protection is still the same. On the next slide, Karen's going to explain more about what this means. Karen, over to you? Karen Brehmer: Okay. Let's talk more about multi-factor authentication. For most of your online accounts, you have a username and a password, and those are called credentials, and those credentials verify your identity. You enter your credentials, your username and your password to verify your identity and you're allowed to access your account. Multi-factor authentication requires you to use an additional step to verify your identity. For example, you might be sent a security code as a text message to your mobile phone.

And then you need to enter that security code to complete your login process. Most tax software providers have offered multi-factor authentication for some time. But for 2021 providers agreed to meet certain higher standards set by NIST and so multi-factor authentication will be offered on all online tax prep products for both taxpayers and tax professionals. The only tax prep products that are not yet covered by this are going to be those purchased over the counter, the hard disk products. But we really recommend that you use as multi-factor authentication whether you're a taxpayer doing your own tax return, or a tax return preparer with 1 client or 1,000 clients, everyone should use this feature. Multi-factor authentication is an easy free way to really step up protection of your account. The use of multi-factor authentication is especially important for tax professionals, who continue to be prime targets of identity thieves. We've gotten a lot of reports of data theft that has happened to tax professionals this year. And we have found that most of those data theft could have been avoided if the practitioner had used multi-factor authentication to protect their tax software accounts. Because really no matter how long or how strong your password is, or your passphrase, a breach is always possible, and all it takes is for just one of your accounts to be hacked. And your personal information and your other accounts can become accessible to cyber criminals. But with multi-factor authentication, it's very unlikely that the cyber thieves will have stolen your phone. So the cyber thief is not going to receive that necessary security code to access the account. I'll turn it over to Evette.

Evette Davis: Thank you, Karen. Okay, folks, so there are multiple options for multi-factor authentication, you can have a security code, as Karen just mentioned, sent to your mobile phone or see your e-mail account. Now initially, these codes were only sent to telephones right to your phones. But then they added this as a feature because, believe it or not folks, there are some folks still do not have or may not have access to a mobile phone. So now, these codes can be sent to your e-mail accounts as well. But there are even more secure options for you to consider. For example, taxpayers and tax practitioners can now download an authentication app to their mobile device. In these apps are readily available through Google Play, or Apple's app store, once properly configured, these particular apps will generate a temporary single-use security code, which the user must enter in their tax software to complete authentication. Use a search engine for authentication apps to learn more about the options that you have to choose from. Now, while no product is foolproof, multi-factor authentication does dramatically reduce the likelihood that taxpayers or even tax practitioners will become victims of identity theft.

Multi-factor authentication should be used wherever it is offered, for example, financial accounts, social media accounts, cloud storage accounts, and popular e-mail providers all offer multi-factor authentication options. If it's available, folks, please take advantage of using the multi-factor authentication. Again, you will generally find the multi-factor authentication option under your account security feature. Now, let's just take a moment to do a brief recap on how you can protect your online account. First, use strong, long and unique passphrases to protect your online account. Next, use a password manager to store and retrieve your password.

And then, finally, use multi-factor authentication option for your tax-prep product, if you do your own taxes, and use it also for all your online accounts when it is offered, especially financial, e-mail, and social media account. Okay, Karen, let me turn it over to you to bring us on home. Karen Brehmer: Okay, thanks, Evette. So this brings us to the end of our second webinar, but we are going to answer the questions that you've asked, so don't leave us just yet. And if you haven't had a chance to enter your questions, please feel free to use the "Questions" tab and enter your question and send it to us. We are, like I said, we are going to get to those questions in a minute. But before we get there, we want you to know what's on tap for the rest of the week. Please join us tomorrow, when we will talk about the Identity Protection PIN. We'll tell you what it is and how you can get one. On Thursday, we have some tips for small businesses, who are frequent targets of cyber criminals and will give small business owners some steps to protect themselves in their business. And then, on Friday, we're going to review some of the latest scams that we're seeing that are targeting taxpayers and tax-preparers, especially during the pandemic. So we are going to take some of your questions now. And, Evette, I see one here that I would like to have you answer if you would. The question is, "Is it mandatory to use multi-factor authentication?" Evette Davis: Okay. So that's a great, great question, Karen. So, the multi-factor authentication option is actually voluntary. Of course, the IRS and its partners urge both taxpayers and tax professionals to use it. Remember, multi-factor authentication can reduce, greatly reduce the likelihood of identity theft. And it just simply makes it more difficult for thieves to get access to sensitive accounts. Now, while using multi-factor authentication is voluntary, for those tax professionals on the line, remember safeguarding taxpayer data is the law. So it is your duty to make sure that you do what you can within your power to protect that data for individuals. For you, it's imperative that you protect your personal information as well. And multi-factor authentication, while again voluntary, is definitely something that you should implement, protect your data to prevent in as much as possible any type of identity theft. All right, so for practitioners, let me just give them this resource. Publication 4557 is a great tool. It talks about safeguarding taxpayer data. For individuals and tax practitioners, we can go to, you can go to IRS.gov. We actually have Identity Theft Central. That's got a ton of information there for folks to view. Okay, go ahead, Karen.

Let's see. Actually, Karen, let me ask you a question. Karen Brehmer: Okay. Evette Davis: I see one here that I want you to answer. This person talks about, okay, "Do you have a recommended or IRS-approved password manager company and/or companies that offer two-factor authentication for tax-preparers to offer their clients?" Karen Brehmer: The answer is yes and no. There's not an IRS-approved password manager. The IRS doesn't want to say this company is the best or this password manager is the best. But if you remember earlier in the presentation today, we mentioned 3 sources that you could go to, to learn more about password managers and pick one out. The 3 places we referred to is PC Magazine. That's on the slide, in case you aren't catching it as you're hearing it.

Another source is CNET.com. And the third source is Wirecutter, which is part of New York Times.

Wirecutter is like a column in the New York Times. I just did a search for password manager using Google. And I came up with an article on PC Magazine, an article on CNET.com, an article on Wirecutter. And what those articles will do is they'll help you, first of all, say, "All right, tell me more. What is a password manager? How does this work exactly?" And then, these websites, they'll say here are 4 different companies that offer a password manager service. And here's the pros and cons to each one or here's which one, how much they cost or et cetera. So, we can't say to you today, "Use this one, it's the best." But we hope that those resources will help you learn more about password managers and help you pick out one that's good for you. I have more to say about password managers. But I'm going to save that to a little bit later and let's go to a question for you Evette, okay? Evette Davis: All right, let's do it. Karen Brehmer: Well, here's kind of a fluff question, if you don't mind taking it. "People want to know if they will be able to access the video of this webinar or the webinars, we're doing this week. Can you tell people how they can access them later or tell others about them in case they missed them?" Evette Davis: Yeah, you know what, and this been, it's actually a great thing. If you want to view this webinar or any of the other in the future or in the past that we've actually posted, you will be able to view these on IRS.gov. Just go to our website, IRS.gov. And you can either do a search of webinars or you can do a search specifically for National Tax Security Awareness Week. And you will be able to view these webinars and others about identity theft, because we've had a ton of webinars about this particular topic in the past. Karen Brehmer: Yeah, and let's just toss out one more resource for people. You can go to IRS.gov to find recordings of these webinars, but another way is to go to IRS Video Portal. And I will actually give you Evette Davis: IRSVideos.gov, yeah, IRSVideos.gov.

Karen Brehmer: Yeah, oops, we're both talking. Evette Davis: Sorry, sorry. Karen Brehmer: Okay, you say it one more time. I'll shut up. All right. Evette Davis: I just said, IRSvideos.gov, but www.IRSvideos.gov.

Yes. Karen Brehmer: Okay. Thank you. Let me get you another one here, Evette. So, you were saying earlier about that people can see where it makes sense for a tax professional to do a multi-factor authentication. But it does seem like a lot of additional steps for an individual.

So is it really worthwhile for an individual to take all these steps? Evette Davis: Yeah. So Karen Brehmer: Yeah. I don't know. Did you kind of already answered that or do you want to talk about it or?

Evette Davis: Yeah, I did talk about it just a little bit in another response. But no worries, that's fine. So the bottom-line folks, if there is no foolproof product, right? You can only do the best that you possibly can in multi-factor authentication is one of the tools or one of the best tools that you can use to dramatically reduce the likelihood that you as a taxpayer will become a victim of identity theft, right. For example, I'll just talk about one of the things that that I use multi-factor authentication, and that's for financial accounts, right? All of us probably use our phones to access our bank information, right? If you don't have a two-step authentication process in place, and someone actually, it could gain access to your account, my bank, specifically send me a code. And if I don't enter that code, and I'm not able to go any further in accessing my account, right? If someone just like, I think, Karen mentioned earlier, is very, very unlikely that someone will hack into your account, whatever it might be, and then have access also to your phone. If I get that if I have a code with my cell phone, then that's going to be the key to accessing my account, right? So is it mandatory? No. Is it definitely helpful and necessary? In my personal opinion, yes, in order to safeguard your information in as much as possible, I would suggest you look into multi-factor authentication. And someone else asked another question, Karen, if you don't mind about the authentication app, and where they can go to find it, and what can do to actually get the right one while the IRS again, we don't have our own multi-factor authentication product itself. We just suggest that you go online and do a Google search, okay, of different types of apps that you can actually download to your phone.

Those apps, they will give you instructions that one-step, two step, to as to how to actually gain access, how to use these apps on your mobile phones. Okay. So hopefully, that makes some sense. Karen? Karen Brehmer: Yeah. I wanted to say more about password manager I'm sorry, there's a question in here about passphrases. Let's take that one first. So earlier in the presentation today, we said you should use passphrases. And the person says, I've heard that hackers use words from the dictionary to test passwords. If that's the case, a passphrase may be easily identified by a hacker. And you're right, if you use a passphrase, the example we gave earlier was red vase wall table or something like that. A suggestion is to put at some numbers in between those words or some special characters in between those words. Or another suggestion I've heard is, if you have the word wall as part of your passphrase, instead of doing wall and then a special character at the end of the word wall, you put a special character in between you put W, A, and then a special character and L, L. So using a passphrase by itself isn't a foolproof ticket. And even a complicated passphrase isn't a foolproof ticket to avoid getting hacked, which is again kind of comes back to why we're saying multi-factor authentication, no matter how long or how complicated your passphrase or your password using the multi-factor authentication means that the bad guy or bad girl, the hacker who's trying to do this, wouldn't be able to get the code that sent to your cell phone or sent to you as a text or as an e-mail to that you need in order to get into your account, so that's why the multi-factor authentication, another reason why it's a great idea to use it whenever you can. You have some questions in here, Evette, that you are seeing coming in, that you'd like to tackle? Evette Davis: Yeah, actually, I do. Someone mentioned, someone asked a question. They say, the reason why I don't use multi-factor is in case of a technical phone or text problem, they said they will get locked out of their account, any suggestions around the technical phone problems? Well, with multi-factor authentication, remember, there are multiple ways you can actually get that. That second code, if you will. It's not just through your telephone. You can also set it up online to where you can request it or get that through e-mail. So it's not just your phone, that where you can send the code, you can also use an e-mail as an option to actually get the code so that you can move forward. So again, the two-factor or the multi-factor authentication process is still going to be your best bet in securing or ensuring that your information is protected. Okay. So you've got a couple of options there that you can actually use, not just the cell phone, you can also request an e-mail to get that secure code. Karen Brehmer: Yeah. Evette Davis: Yeah. Yeah. Karen Brehmer: So actually go ahead.

Evette Davis: Well, I was going to ask you a question here. They've got one in here. I thought it's kind of similar to, you talk about the mobile device as well, it says, well, let's see what it says, in implementing the well, we already talked about that. Okay. This first one Karen Brehmer: There is one here about password managers. Evette Davis: Password managers. Yeah. Karen Brehmer: Should I take that one?

Evette Davis: Yeah, it says, I'm leery of password managers and/or program, because if that is hacked, now a person can access all passwords from within? Karen Brehmer: And that is actually, I will tackle that one. And that is not true. I do use a password manager in my personal life, my husband and I have a password manager. And again, I can't tell you which one it is, because that would be recommending a product, but we like it. And that company, that is the password manager company, they don't store all of my passwords for Amazon and everything else that I sign into. So if the hacker gets into the password manager company or the password manager program, they will not get to my password. I'm not technical enough to explain why that's the case. But that's what their website tells me. And I guess, I believe them that that if a password manager company is hacked, if I suppose anything is possible, that the hacker is not getting access to my account, my passwords and everything. So when you're trying to pick a password manager company or program, check into that. Ask that company, how do you protect all of my passwords that that I'm putting in your hands or I'm untrusting to you, it's a good question to ask. So if you I don't know if you know the answer to this event, and if you do, you're brilliant. This person asked, if we use multi-factor authentication for our professional tax software, will we still be logged out after 30 minutes if not working on the software? You know the answer? Evette Davis: You know what, Karen, I just happened to know. Karen Brehmer: You see, that's why I asked you. Evette Davis: Okay. So this particular question, it actually has nothing to do with multi-factor authentication. But the timing does set up on your software itself. And you can actually change that to log you out after an hour or 30 minutes or 15 minutes, or whatever, when that particular software is standing, and note, there's no activity, right? Just like on our business computers, if after a certain amount of time of inactivity, it'll log you out, or it'll go to a safe screen. So that has less to do with multi-factor authentication. So while, no, it won't prevent you from logging from timing you out, because they do that because, again, that's another opportunity for your information to be protected, if you will. It's kind of like a security or a safeguard, if you will. So while that has nothing to do with multi-factor authentication, you can change the length of time that it logs you out for inactivity, if you will, okay. So you have to go into your actually into your security settings, and actually make changes to extend the time you're logged out if you'd like to do that. But if you're like we are, if your computer is left standing with no activity, yeah, it's going to shut. It's going to log you out. And that's just a security feature that's there. That's the bottom line. Karen Brehmer: Okay. Evette Davis: So, yeah, all right. Okay. So, Karen, I have a question that I want to ask you, they want to ask you, why and I don't know if you know this, "Why do the Social Security Administration and other government agencies not require complicated passwords?" Karen Brehmer: You know, I saw that question. And this is my answer for that one. I think your password can be as complicated as you can make it. So let's just say you were dealing with a company, a government or otherwise, that said, "You can't put in more than 12 characters." We just said earlier the recommended is like 16 to 64 characters, but I have a couple places I do business with that have me do only 12 characters. Well, I can make that password as complicated as I want to. And if I was writing it down on a piece of paper, I could write it down. And that's where available to me or if I have a password manager, I could store that password manager store that password in the password manager. So I know that sometimes places will say, "Well, you can use these special characters, but not those special characters." But just take what you're given and make the password as complicated as you can be and it can be.

One more question. I'll toss this one your way, Evette. The person asks, "How often do you recommend changing a password?" Evette Davis: Okay, so now you're asking me Karen Brehmer: Or do you want to take it or do you want to take some other question that you see here that you'd like to take for our last question today? Evette Davis: Not well, let's see. No, that's fine. So you're and we can we got about another minute, so we might be able to throw another one in there. So when it comes to, "How often you change your password?" usually there's going to you're going to have a recommended time, right, to change your password. Some passwords are changed every 6 months.

Some are recommended that recommend that you change the password every 90 days or every 60 days. So actually, it just depends on you and your system. And the system you're using may actually give you a recommended timeframe to change the password or may give you a recommended or a required timeframe to change your password. Okay. So for each individual it's going to probably be a different answer, a different response. For me, I've got several different passwords and they just like I just said, have different timeframes, where they recommend that I change it 90 days, 6 months. And it gives you a prompt to let you know, "Okay, hey, you've got 2 weeks before it's time to change your password. You've got 3 days before it's time to change your password or you will be locked out of the system." Okay. Does that make sense? Karen, what do you think? Karen Brehmer: Yeah, that makes sense. That makes sense. Thank you, Evette. Evette Davis: Okay. All right. Okay. Well, folks, I'm sorry to say, it looks like we are at the end of our Q&A. Let's see. Do we have time for one more question? Well, no, it looks like we are totally Karen Brehmer: Totally out of time. Evette Davis: All right. Okay. No worries. So that's all the time we have for questions. And, folks, please, we would appreciate it if you would just take a few minutes to complete a short evaluation before you exit. If you'd like to have more sessions like this one, just let us know that. If you have thoughts on how we can make them better, let us know that as well. If you have any requests for future webinar topics or pertinent information that you would like to see in an IRS Factsheet or Tax Tip or an FAQ on IRS.gov, then please include your suggestions in the comment section of the survey. Click the survey button on your screen to begin.

If it doesn't come up, check to make sure you disable your pop-up blocker. Folks, it's been a pleasure to be here with you. And Karen and I and the Internal Revenue Service would like to thank you for attending today's webinar. You may exit the webinar at this time.