Beginning October 19, 2023, US taxpayers must use multifactor authentication (MFA) in order to access the Electronic Federal Tax Payment System (EFTPS), which primarily facilitates the payment of federal taxes, including income, employment, and excise taxes, by both individuals and businesses. This change supports Executive Order 14028, “Improving the Nation’s Cybersecurity,” which aims to provide additional layers of security to protect taxpayers from threats of unauthorized access.
Why was this change implemented?
Executive Order 14028, titled "Improving the Nation's Cybersecurity," was signed by President Biden on May 12, 2021. The order addresses various aspects of cybersecurity and outlines several key initiatives and priorities, including cybersecurity standards, zero trust architecture, incident response plans, and more. Primarily, the order was signed by President Biden to combat escalating cyber threats, including ransomware attacks, state-sponsored cyberattacks, and cybercriminal activities that targeted critical infrastructure, government agencies, and private sector organizations. These threats posed a significant risk to national security, economic stability, and public safety.
Overall, Executive Order 14028 focuses on enhancing the cybersecurity of federal agencies and their contractors, with a particular emphasis on improving incident detection and response, securing software supply chains, and promoting information sharing. It sets a framework for enhancing the nation's overall cybersecurity posture. Since the EFTPS is an electronic payment system established by the United States Department of Treasury, which handles taxpayer Personal Identifiable Information (PII), it must adhere to the stricter security standards outlined by Executive Order 14028.
What are the options for MFA?
Upon logging into EFTPS, you will be prompted to register and/or authenticate with either Login.gov or ID.me prior to the normal process of inputting your EIN or SSN, PIN, and password.
Currently, there are two ways in which you can authenticate your identity through the EFTPS portal. These include:
ID.me
ID.me is a third-party identity verification service. To validate your identity through ID.me, users typically need to provide a range of personal information, such as Social Security number, date of birth, and contact information. ID.me uses various methods, including document verification, biometrics, and other data sources to confirm the information provided matches the user's identity.
Additionally, it requires users to set up two-factor authentication (2FA) to enhance security through a one-time code via SMS, email, or authenticator app.
Login.gov
In response to criticism over using a third-party app which collects biometric data, the government recently released its own authentication service to facilitate secure access to various government websites and online services. It simplifies the process of accessing government services while enhancing security. After creating an account, you verify your identity through personally identifiable information (PII), such as your Social Security number or photo ID.
Like ID.me, Login.gov requires users to set up two-factor authentication (2FA). This can involve receiving a one-time code through SMS, email, or an authenticator app, or using a hardware token for added security. Once their identity is verified and 2FA is set up, users can use their Login.gov credentials to access various government services and websites.
We’re here to help
Multifactor authentication requirements are highly beneficial for cybersecurity, adding an additional layer of security beyond traditional passwords to make it significantly harder for unauthorized users to gain access to accounts or systems. By necessitating two or more authentication factors, such as something you know (password), something you have (smartphone or token), or something you are (fingerprint or facial recognition), MFA substantially reduces the risk of unauthorized access and helps protect sensitive data.
However, the implementation of multifactor authentication can pose challenges. If you have any questions about this process or what it means for you as a taxpayer, reach out to your M&S partner today.