A login mechanism that requires two or more independent factors, such as a password plus a code from an authenticator app or hardware key.
Multi-factor authentication (MFA) requires two or more independent verification factors to log in: something you know (a password), something you have (a phone or hardware key), or something you are (a biometric). Two instances of the same factor, such as a password plus security questions, do not qualify. The FTC Safeguards Rule requires MFA for any individual accessing any information system, unless the firm's Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls (16 CFR 314.4(c)(5)). Common forms include authenticator apps (TOTP), push notifications, and hardware security keys (FIDO2/WebAuthn). SMS-based codes satisfy the rule but are the weakest option, because a SIM swap or unauthorized number port lets an attacker receive them.
MFA blocks roughly 99 percent of automated account takeover attempts (Microsoft's frequently quoted figure is 99.9 percent). It is the single most effective control your firm can deploy, and it is the one the FTC and cyber insurers ask about first; firms without MFA on email, tax software, and remote access routinely have coverage declined or narrowed. Not every second factor holds up equally. MFA fatigue (push bombing) wears a user down with repeated prompts until one is approved, so push should require number matching rather than a bare approve button. Adversary-in-the-middle phishing proxies the real login page and relays whatever the user submits, so a TOTP code or an approved push is forwarded to the real site within its validity window; only phishing-resistant factors such as FIDO2 hardware keys, whose response is bound to the site origin, defeat it. Prefer hardware keys where practical, authenticator apps over push, and push with number matching over SMS.
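The difference between a factor that survives SIM swap and one that survives adversary-in-the-middle phishing is easier to see in code. The block below is an added illustration written for this page, not code from the original page or its authors. The origins portal.example and portal-example.com, the secrets and the challenge values are constructed; the authenticator is a simplified WebAuthn-like stand-in that uses HMAC over a device secret instead of a real public-key signature. It implements RFC 6238 TOTP, shows that a code relayed through a phishing proxy verifies exactly like a direct one, and then shows that an assertion bound to the browser's origin does not.

```python
# Added example (not from the original page): why TOTP defeats SIM swap but not
# adversary-in-the-middle (AiTM) phishing, and why an origin-bound factor does.
# All names, origins, secrets and challenges below are constructed for illustration.
import hashlib
import hmac
import struct

RP_ORIGIN = "https://portal.example"         # legitimate login site (hypothetical)
PHISH_ORIGIN = "https://portal-example.com"  # AiTM proxy the victim lands on (hypothetical)

# --- TOTP (RFC 6238 on top of RFC 4226 HOTP): HMAC-SHA1, 6 digits, 30 s step ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check tolerating +/- `skew` steps of clock drift.
    Nothing here records *where* the user typed the code; that is the weakness."""
    return any(hmac.compare_digest(totp(secret, at + step * d, step), code)
               for d in range(-skew, skew + 1))


def aitm_relay_totp(secret: bytes, at: int) -> bool:
    """AiTM: the victim types a fresh code into the proxy's cloned page and the proxy
    forwards it to the real server inside the 30-second window. The code is valid, so
    the server accepts it; it never learns the code arrived via a phishing site.
    (SIM swap is irrelevant here: the secret lives in the app, not the phone number.)"""
    code_typed_on_phish_page = totp(secret, at)
    return verify_totp(secret, code_typed_on_phish_page, at)


# --- Origin-bound factor, modelled on WebAuthn ---------------------------------
# Real FIDO2/WebAuthn signs clientDataJSON (which carries the browser's origin and
# the server's challenge) with the credential's private key. HMAC over a per-device
# secret stands in for that signature here so the example runs on the standard
# library; the property demonstrated is the origin binding, not the wire format.

def authenticator_sign(device_secret: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """The browser, not the user, fills in the origin it is actually on."""
    client_data = origin_seen.encode() + b"|" + challenge
    return hmac.new(device_secret, client_data, hashlib.sha256).digest()


def server_verify_assertion(device_secret: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The relying party recomputes over its *own* origin and the challenge it issued."""
    expected = authenticator_sign(device_secret, challenge, RP_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def legitimate_webauthn_login(device_secret: bytes) -> bool:
    challenge = hashlib.sha256(b"constructed-challenge-1").digest()  # server nonce (constructed)
    assertion = authenticator_sign(device_secret, challenge, RP_ORIGIN)
    return server_verify_assertion(device_secret, challenge, assertion)


def aitm_relay_webauthn(device_secret: bytes) -> bool:
    """The proxy forwards the genuine challenge, but the victim's browser is on the
    phishing origin, so that is what the assertion covers. Relaying it to the real
    server fails. (In a real browser the credential would not even be offered, because
    the rpId portal.example does not match the phishing host.)"""
    challenge = hashlib.sha256(b"constructed-challenge-2").digest()  # relayed from real server
    assertion = authenticator_sign(device_secret, challenge, PHISH_ORIGIN)
    return server_verify_assertion(device_secret, challenge, assertion)


if __name__ == "__main__":
    seed = b"12345678901234567890"  # the RFC 4226 / RFC 6238 test secret
    print("TOTP at T=59:", totp(seed, 59))  # 287082 (RFC 6238 vector, truncated to 6 digits)
    print("AiTM relay of TOTP accepted:", aitm_relay_totp(seed, 1_700_000_000))
    print("Legitimate WebAuthn-style login:", legitimate_webauthn_login(b"device-secret"))
    print("AiTM relay of WebAuthn-style assertion accepted:", aitm_relay_webauthn(b"device-secret"))
```

Run it directly to see the four results. The TOTP half uses the RFC 4226 test secret so the codes can be checked against the published vectors; the point of the second half is that the server's check includes a value the attacker cannot control, the origin the victim's browser was really on.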
The 58-Control Register module handles this for your firm, personalized to your software, team size, and state requirements.
See plans and pricing
Technical and administrative measures that limit who can access which systems and data, based on the principle of least privilege.
A federal regulation requiring financial institutions, including tax preparers, to develop and maintain a comprehensive information security program.
A structured list of all security controls your firm should have in place, mapped to regulatory requirements, with testing status and evidence.
Buy the WISP yourself if you need the document.
Talk to us if you want the platform.