Tag: Multi-Factor Authentication

Below are items that will trigger the need for a user at their production site to authenticate as we know them today:

• The first time a user logs in to a unique device
• When a user’s authentication has expired
• When a computer is re-imaged
• Three failed login attempts
• When the “Forgot Password” feature is initiated
• (Updated Addition) Logging in with a different browser on the same computer (i.e. logging in with Chrome and then opening Internet Explorer and logging in)

Blog Posted 09/06/2017

Q1:  Does MFA apply to the Practice Lab?

A1:  No, MFA is only applicable to your production site

Q2:  I am a desktop user…does MFA impact my site?

A2:  MFA is not applicable to the software itself, however, you will have to authenticate to login to your My Account page to retrieve your Vendor Control Number.  There are other security requirements that will be applicable to the desktop application.

Q3:  Can the site coordinator complete the MFA verification process for all of the users at their site?

A3:  The purpose of MFA is to authenticate the user that is logging into the system to prepare the returns.  There is no indication in the email or text message that indicates the username that the code is for.

Q4:  If the user is going to verify their MFA information the first time they login and can update it, can we, as Admins, just leave that info blank when we create a new user?

A4:  The admin will still be required to enter an email address in when creating new users, but they can leave the cell phone blank.

Q5:  If a user is a multi-site user, do we need to check that box for each site they are setup on?

A5:  No, the selection for allowing the email address to be used by multiple users, only has to be selected one time.

Q6:  Why is TaxSlayer turning on MFA this early, when the majority of the volunteers will not be logging in to their production sites until December or January?

A6:  There are a couple of reasons:  (1) We want to give the site admins the extra time to review their user list and make any necessary changes prior to the majority of the volunteers logging in.  (2) This allows the site admin to experience the process and setup procedures that can be followed during the season. (3) Allows us to gather feedback from our year round sites so we can build FAQs and put out additional educational information.

Each time a user is required to authenticate, they will be displayed the Account Verification page.  This allows the user to select a delivery option.  They will have up to two options (1) via email and/or (2) via text if a cell phone number is on file.

Choose the appropriate method of receiving the authentication code and select Send Code

Enter the code in the Verification Code box (Do not close this window until you enter the code)

Click Verify

The application will validate the authorization code.  Once the code is validated, the user will be taken to the Welcome Page.

Blog Posted 09/06/2017

We are currently scheduled to roll out a “soft launch” of MFA on Thursday, September 7th.  The first step in the roll out is verifying and updating the preparer information we have on file for our users.  Once the updates are deployed to the system, the following will occur:

(1) Launch the application as normal

(2) Enter your Username, Password and Security Code

(3) Complete the following Account Update page

• Username must be changed if less than six characters
• Enter the cell phone number twice.   This must be a unique number unless otherwise designated for multiple use by the site administrator
• Enter the email address twice.  This must be a unique email address unless otherwise designated for multiple use by the site administrator
• Enter your password twice (same one you entered on the login screen)

(4) Click Update

(5) The information entered on this page, automatically updates the information for the username in the site’s Preparer(s) menu.

Note:  This does not trigger MFA when completing the Account Update page.  Multi Factor Authentication will be triggered for the user in seven (7) days from updating the account page or when they access the site via a separate browser or computer.

We will be changing the look of the Login page, as well as some wording prior to the tax season.  We will be using the verbiage “Access Code” instead of “Security Code”

Old Look:

New Look:

Change in Unsuccessful Login Attempts Procedures:

Three (3) unsuccessful login attempts will trigger the Multi-Factor Authentication process.  Please refer to Question 2 from the blog post titled MFA:  Timing Questions (Series 1, Part 3) posted on Monday, August 21st.

Blog Posted 08/23/2017

Q1:  Once I receive the authentication code via email or text, how long is it valid for?

A1:  It is valid until you close the browser session or request another authentication code.

Q2: A previous question (Part 2, Question 5) asked about locking the account if the authentication code was entered incorrectly.  Will there be a limitation on the times a user can attempt to login with their username, password and access code (formerly Security code) before they will prompted for MFA? (Updated 10/5)

A2:  Yes.  Once a user has attempted to login three (3) times unsuccessfully because they do not know their password they will be required to re-authenticate via MFA on the fourth attempt   The purpose is to prevent cyber criminals from making automated attempts of randomizing and finding your password.  Cyber Criminals can crack strong 16-character passwords in less an hour.

Q1:  Can one cell phone number be used for more than one volunteer? (Updated 10/5)

A1:  Multiple usernames can be attached to one cell phone number.  We understand that preparer volunteers are at multiple sites and/or have multiple usernames.

Q2:  Does the authorization code reference the user that it is for?

A2:  No, the code for both Text and email notifications indicate it is a code for TaxSlayer (No URL) and a 6 digit code.

Q3:  What is your target delivery time for the authorization code?

A3:  Text is going to be the fastest delivery method and is delivered with seconds.  Email delivery is fast as well, but it could get delayed by email services by the email provider.

 Q4:  Once a code is used, does it immediately become cancelled, or can it potentially be used more than once?

A4:  The authorization code is a one-time use code.  It becomes invalid immediately after entered and submitted.  It also becomes invalid if the user request the code to be sent again.

Q5:  Is there a number of times the user can attempt to enter the code before the application locks?

A5:  We do not lock the application based on attempts to enter the authentication code

Q6:  Is there a limit for how many requests can be made for a specific user name?

A6:  No, not at this time.

This is part of a series of educational posts about Multi-Factor Authentication (MFA).  As we receive questions, we will begin posting those that apply to all sites, along with answers.

Q1:  Once a user authenticates on a specific computer, how long before they will have to authenticate again on that specific computer?

A1:  The site administrator will have the ability to set the parameters from the minimum (1 day) to the maximum (still being determined by the IRS Security Working Group) for each preparer depending on the needs of the site.  When we turn the feature on, it will be defaulted to the IRS Security Working Groups recommendation.  As we receive the details, we will update the answer.

Q2: Would a TaxSlayer update wipe out the MFA Authentication?

A2:  No, we do not anticipate this happening.

Q3:  Would a computer or browser update wipe out the MFA Authentication?

A3:  We have not experienced this with our other software applications currently using MFA.  If the host site performs some type of maintenance on the computers on a nightly basis (such as wiping them and applying a fresh profile), the users will have to authenticate each day regardless of the range set by the site administrator because it will be like logging into a new device.