Last updated on March 27, 2024
Last week, we talked about MFA for Accounting Firms/Tax Professionals. In this follow-up article, we look at the mandatory Internal Revenue Service (IRS) requirements on MFA, as described in Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Multi-factor Authentication Implementation. Read on to learn what to look for in a security service provider offering a Multi-Factor Authentication (MFA) solution.
General MFA Requirements
The general IRS requirements on MFA are as follows:
- The security system must be able to uniquely identify and authenticate agency users.
- The security system must implement Multi-Factor Authentication (MFA) that combines at least two authentication factors out of these three: something you know, something you have, something you are. Doubled factors (e.g., two passwords) are counted as one.
- The security system must allow the implementation of Multi-Factor Authentication (MFA) for all remote network access to privileged and non-privileged accounts.
- The security system must allow the implementation of MFA such that one of the authentication factors is provided by a device separate from the system gaining access.
Something You Know Requirements
The Knowledge Factor based on something you know is one of the three authentication factors that an MFA system may use to uniquely identify and authenticate users. Passwords and PINs are the most popular forms of something you know.
To comply with Pub. 1075, passwords must meet the following requirements:
- At least 8 characters long
- At least one numeric and one special character
- At least one uppercase letter and one lowercase letter
In addition to that, the following password policies must be enforced:
- Password minimum lifetime restriction must be at least one day
- Non-privileged account passwords must be changed at least every 90 days
- Privileged account passwords must be changed at least every 60 days
- Passwords cannot be reused for at least 24 generations
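The complexity and rotation rules above are easy to state but easy to get subtly wrong in code. The following is an added example, not code from the original article or from Rublon, of a policy checker that applies them: the five complexity rules, the one-day minimum lifetime, the 60/90-day maximum age by account type, and the 24-generation reuse window. Password ages are passed in as days, the history is kept as salted PBKDF2 digests rather than plaintext, and the KDF round count and sample history are constructed for illustration.

```python
"""Added example, not from the original article: a checker for the Pub. 1075
password complexity and rotation rules. The KDF round count and the sample
history built in __main__ are constructed for illustration."""
import hashlib
import hmac
import os
import string

HISTORY_DEPTH = 24          # no reuse within the last 24 generations
MIN_LIFETIME_DAYS = 1       # minimum password lifetime
MAX_AGE_DAYS = {            # maximum password age by account type
    False: 90,              # non-privileged accounts
    True: 60,               # privileged accounts
}
KDF_ROUNDS = 20_000         # constructed; production deployments use more


def complexity_violations(password):
    """Return the Pub. 1075 complexity rules the password fails (empty list = compliant)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the history keeps (salt, digest) pairs, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return salt, digest


def was_used_recently(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH digests in the history."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def change_violations(new_password, history, age_days):
    """Everything that blocks a change: complexity, minimum lifetime of the current password, reuse."""
    problems = complexity_violations(new_password)
    if age_days < MIN_LIFETIME_DAYS:
        problems.append("current password is younger than the one-day minimum lifetime")
    if was_used_recently(new_password, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} generations")
    return problems


def rotation_due(age_days, privileged=False):
    """True when the password has reached the maximum age for its account type."""
    return age_days >= MAX_AGE_DAYS[privileged]


if __name__ == "__main__":
    # Constructed history: 25 past generations, oldest first, all Pub. 1075 compliant.
    history = [hash_password(f"Gen{n:02d}!Pass") for n in range(25)]
    print(complexity_violations("password"))                  # three rule failures
    print(change_violations("Gen01!Pass", history, age_days=3))  # still inside the window
    print(change_violations("Gen00!Pass", history, age_days=3))  # 25 generations back: allowed
    print(rotation_due(61, privileged=True), rotation_due(61))   # True False
```

Because each history entry carries its own salt, a reuse check costs one KDF run per stored generation; that is the price of never storing or comparing plaintext, and it is why the history is capped at exactly the 24 generations the rule requires.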
Something You Have Requirements
The Possession Factor based on something you have is one of the three authentication factors that an MFA system may use to uniquely identify and authenticate users. Smartphones, SIM cards, and WebAuthn/U2F Security Keys are forms of something you have.
The IRS takes its Possession Factor requirements from the NIST Electronic Authentication Guidelines, and therefore divides the Possession Factor into two categories: software tokens and hardware tokens. In NIST SP 800-63-3, the word “token” was replaced with the word “authenticator” to avoid confusion with tokens in assertion technologies. Still, the core requirements regarding authenticators remain the same.
An authenticator is a piece of software or hardware that contains a secret (e.g. a private key) that can be used to prove the user is in possession of the authenticator or the device the authenticator is installed on.

Software Authenticator Requirements
A software authenticator is a piece of software installed on a computer or a mobile device that can be used to authenticate the user.
Rublon Authenticator is an example of a software authenticator, as it is a mobile app that users can install on their smartphone and use to verify their identity using several authentication methods, such as Mobile Push, Mobile Passcode (TOTP), and QR Code.
The following software authenticator requirements must be met:
- Authenticator must be activated using another authentication factor, e.g., password or biometric
- Activation of the authenticator must occur during each multi-factor authentication, and the authenticator cannot be activated without manual user input (e.g., providing the password during primary authentication)
- Authenticator must prevent the possibility of exporting the private encryption keys stored in a local key repository
- Authenticator must never store unencrypted keys in a plain text form, as it makes it easy for malicious actors to copy the keys
- Authenticator must distribute the seed only through a confidential channel of communication to avoid duplication attacks
- Challenges, one-time passwords, and other authentication requests must be active for no more than 2 minutes to prevent sharing, theft, or tampering with the current state of the token.
- One-time passwords must comply with the Pub. 1075 guidelines regarding standard passwords.
- Audit logs must be captured for both successful and unsuccessful login attempts, including attempts to undergo both primary and secondary authentication; attempts to gain unauthorized access must be recorded
- Cryptographic modules must meet FIPS 140-2 Level 1, which requires production-grade equipment (such as a personal computer) and at least one approved encryption algorithm.
In addition to the preceding software authenticator requirements regarding MFA, the latest version of malware prevention software must be used to meet the IRS requirements.
Hardware Authenticator Requirements
A hardware authenticator is a physical token that can be used to authenticate the user.
WebAuthn/U2F security keys (e.g., YubiKey Bio) are an example of hardware authenticators, as they are hardware dongles users plug into the USB port of their computer to authenticate. Hardware OTP keys are yet another example of a hardware authenticator, although these have been largely pushed out by software authenticators that use the Mobile Passcode (TOTP) method.
The following hardware authenticators are eligible:
- Look-Up Secret – a physical or electronic record, often in the form of a table, that stores a set of secrets a user can use to authenticate. During authentication, the user might be asked to provide a specific value from a subset of the table. Look-Up Secrets are often used as recovery keys.
- Out-of-Band Secret – a secret sent over a distinct communication channel and then validated using the primary communication channel, e.g., SMS Passcode
- One-Time Password Device – a hardware device that generates a one-time password every time the user pushes a button located on the dongle. One-Time Password Devices can also be based on time, in which case the new password is generated, for example, every 30 seconds. The cryptographic module that performs authentication must be FIPS 140-2 validated. A FIPS-approved block cipher or hash function must be used to combine a symmetric key stored on a personal hardware device with a nonce. The One-Time Password must have a limited lifetime.
- Cryptographic Device – a hardware device that physically stores keys and performs all cryptographic operations within the dongle, e.g., FIPS-201 smart card or WebAuthn/U2F Security Key like YubiKey.
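The One-Time Password Device entry above describes the mechanism in one sentence: a FIPS-approved hash combines a symmetric key with a nonce (a button-press counter or a 30-second time step), and the resulting password has a limited lifetime. The software authenticator list earlier sets that lifetime at no more than 2 minutes. The following is an added example, not code from the original article or from Rublon, showing both halves: the RFC 4226/6238 generator (HMAC-SHA1 over key and counter, with the standard dynamic truncation) and a server-side verifier that rejects a code once its time step is more than 120 seconds old and refuses to accept any code twice. The key is the RFC 4226 test key and the timestamps are constructed; a real deployment would run this inside a FIPS 140-2 validated module and would use a per-user key.

```python
"""Added example, not from the original article: RFC 4226/6238 one-time passwords
and a verifier enforcing a two-minute maximum lifetime and single use.
KEY is the RFC 4226 test key; timestamps in __main__ are constructed."""
import hashlib
import hmac
import time

STEP_SECONDS = 30       # time-based nonce: a new password every 30 seconds
MAX_LIFETIME = 120      # a code must not stay usable for more than 2 minutes


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 (a FIPS-approved hash) over the symmetric key and an 8-byte counter nonce."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # RFC 4226 dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of whole steps since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


class OtpVerifier:
    """Server-side check: correct code, not older than max_lifetime, never accepted before."""

    def __init__(self, key, step=STEP_SECONDS, digits=6, max_lifetime=MAX_LIFETIME):
        self.key, self.step, self.digits, self.max_lifetime = key, step, digits, max_lifetime
        self.last_counter = -1      # highest counter already consumed (replay guard)

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        lookback = self.max_lifetime // self.step
        # Walk back from the current step; stop as soon as a step is expired or consumed.
        for counter in range(current, max(-1, current - lookback - 1), -1):
            if now - counter * self.step > self.max_lifetime:
                break               # this step began more than max_lifetime ago
            if counter <= self.last_counter:
                break               # this code, or a newer one, was already used
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


KEY = b"12345678901234567890"   # RFC 4226 test key, not a real secret

if __name__ == "__main__":
    print(hotp(KEY, 0), totp(KEY, 59))              # 755224 287082 (RFC test vectors)
    verifier = OtpVerifier(KEY)
    print(verifier.verify(totp(KEY, 59), 59))       # True: fresh code
    print(verifier.verify(totp(KEY, 59), 61))       # False: replayed
    late = OtpVerifier(KEY)
    print(late.verify(hotp(KEY, 0), 150))           # False: step began 150 s ago
    print(late.verify(hotp(KEY, 1), 150))           # True: 120 s old, still within the limit
    now = int(time.time())
    print(OtpVerifier(KEY).verify(totp(KEY, now), now))   # True: current code
```

The verifier's `last_counter` is what turns a time window into a single-use secret: without it, a code observed in transit stays valid for the rest of its two minutes, which is exactly the sharing and theft risk the lifetime rule is meant to limit. Store that counter per user and per authenticator, and log both outcomes of `verify`, since the audit requirement covers failed secondary authentication as well as successful.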
Something You Are Requirements
The Inherence Factor based on something you are is one of the three authentication factors that an MFA system may use to uniquely identify and authenticate users.
Fingerprint, iris scan, Face ID, and other biometric data constitute something you are and are therefore allowed as a separate factor to meet the IRS requirements on MFA.
Rublon Can Protect Your Financial Data
Rublon enables a cutting-edge Multi-Factor Authentication (MFA) solution for cloud apps, VPNs, custom SDKs, and more. Rublon is a good choice for any financial service, accounting firm, and tax professional looking for a modern and user-friendly authentication system.
Check Rublon for yourself and start a Free 30-Day Trial Today.