top of page
Search

IRS Pushes Multi-Factor Authentication and IP PINs for Tax Professionals in 2025

Updated: Sep 28

The IRS just released IR-2025-83, calling on tax professionals and firms to take immediate steps to protect client data with stronger digital safeguards.


This includes using multi-factor authentication (MFA), setting up IRS Online Accounts, and activating Identity Protection PINs (IP PINs) for both preparers and taxpayers.


This push is part of the IRS’s broader effort under the Security Summit initiative, a public-private partnership aimed at reducing tax refund fraud and protecting sensitive taxpayer data across the ecosystem.


What’s New in IR-2025-83?

The announcement serves both as guidance and a warning. The IRS is now strongly encouraging (and may soon require) the following:

  • Multi-Factor Authentication (MFA):All tax software and online services used by preparers should require a second form of login verification—such as a phone code or authentication app.

  • IRS Online Accounts:CPAs and clients are encouraged to establish IRS.gov accounts to monitor filings, balances, and unauthorized activity in real time.

  • Identity Protection PINs (IP PINs):A 6-digit code issued annually by the IRS, used to prevent fraudulent tax return filing. Previously limited to identity theft victims, it’s now available to all taxpayers.


Why It Matters for Tax Professionals

1. Cyber Fraud Risks Are Escalating

The IRS has reported increasing attempts by cybercriminals to impersonate CPAs, steal PTIN credentials, and file false returns. MFA and IP PINs are first-line defenses.

2. Your Firm May Be the Target

Hackers are no longer just targeting individuals they’re infiltrating tax preparers’ systems, especially smaller firms with weaker infrastructure. If you handle sensitive client data, you’re already a high-value target.

3. Prevention is Cheaper Than Remediation

A single breach can trigger IRS investigations, client lawsuits, E&O insurance claims, and reputational damage. Implementing these tools costs far less than recovery.


Implementation Checklist for CPA Firms

Multi-Factor Authentication:

  • Ensure your practice management software, cloud file systems, and tax filing platforms have MFA enabled.


IRS Online Account Access:

  • Set up accounts for your firm and encourage clients to enroll.

  • Use them to monitor refund status, notices, and unauthorized activity.


IP PIN Enrollment:

  • Help clients apply for an IP PIN via their IRS online account or by submitting Form 15227.

  • Store and safeguard the PIN for use when filing federal returns.


What’s Next?

While the guidance is still framed as a recommendation, regulatory expectations are trending toward eventual enforcement especially for EFIN holders and professional firms filing high volumes of returns.


The IRS’s Security Summit is expected to expand public-private verification efforts heading into 2026, including third-party authentication services and AI-driven fraud detection models.


Final Thought

As tax practitioners, we are stewards of sensitive personal and financial data. In 2025, that duty now includes cybersecurity diligence. Don’t wait for a breach or a regulatory mandate to act.


Need help tracking evolving IRS security requirements or drafting firm-wide procedures?Bizora’s AI assistant can help you research compliance rules, build client education workflows, and ensure your practice stays ahead.


 
 
 

Comments

bottom of page