Third Party MFA (Google Authenticator, Authy etc.)

#1
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
Drake is starting to roll out the use of MFA. However, they are not using an internally created MFA program. Instead, clients are supposed to use a privately acquired service such as Google Authenticator, Authy and the like.

Generally, those options seem to center around an app to be installed on a cell phone. Personally, I think linking a security app to a cell phone -- especially one that gets carried around (where it can be lost or stolen) and used for multiple other purposes -- is more than a little risky (just Google on "gaining remote access to a cell phone"). While it won't necessarily eliminate the issues, I would probably want to tie my app to a phone that is not carried around or used for other purposes.

We are now coming around to the idea that using SMS (i.e. a phone call or text) for MFA is not all that secure. I wonder if these authenticator apps will ultimately have a similar problem.

For now, as an alternative, I know that Google Authenticator has started to offer a USB key/token/FOB in lieu of the app.

If you have had experience with any of these authenticator apps and especially if you have used a FOB, in connection with tax software, I would appreciate hearing about your experience.
 

#2
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
MFA is not mandatory for 2019 filing season. It is optional with Drake!
 

#3
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
Yes....but I am thinking ahead. If there is a chance it will be mandatory next year, I would rather figure this out this year....so I have time to do the research and work through any issues.

I have done a fair amount of reading about the security of software tokens (generated on a cellphone) used for MFA and it is not altogether encouraging. Based on what I have read, this starts to seem like one of those things that is designed to give the illusion of heightened security as opposed to actually providing it. There are lots of online articles on how a cellphone app designed to generate software tokens can be compromised. Yes, I get that it is better than nothing but what I want to know is whether there is a better choice. Maybe hardware tokens are a better option or maybe not. They have their own issues. If UT is using hardware tokens, I would like to know how this is working.
 

#4
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
I would not worry too much until the dust settles later in 2019. I remember the confusion when IRS first announced PTIN requirement and mandatory e-file back in the day :roll:
 

#5
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
irc162 wrote:Generally, those options seem to center around an app to be installed on a cell phone. Personally, I think linking a security app to a cell phone -- especially one that gets carried around (where it can be lost or stolen) and used for multiple other purposes -- is more than a little risky

The app could also be installed on a cheap tablet and not regularly carried around, but then you'd have to remember to bring it along if working remotely.

Here is the link for the UltraTax token card device:

https://www.formscs.com/mfa-card
 

#6
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
I saw your comments on the other current thread, maybe you should post a link to steer that one over here.

Remember, the MFA device does not make anything any worse. It alone does not allow access to anything, so losing your device with the app is only an inconvenience to you, not a security risk. You still have to keep an individual, secret password meeting a certain minimum complexity and mandated to change every so often. Plus, if your device is lost, first thing you do is change your password, right?

Last May, UltraTax made MFA mandatory for transmitting efile returns, not for logging in to the software, so not all staff members need MFA (but once MFA is turned on for a user, it applies to all logins for that user).

Much wailing and gnashing of teeth in the community forums, but it's mostly died down now. Some threatened to switch to other software, I imagine some did. My main complaint was that they only supported the app for Android (Google) and Apple, not Windows.

The admin user can generate a temporary code for other users. If the admin user is locked out, they can call support and go through an onerous process to get a temp code.

What no one here can say, but what I like to think, is that the IRS knows the return I transmit from UT has gone through more rigorous identity validation and authorization than most of the others it receives (for now), and that they don't treat it as suspiciously. YMMV.
 

#7
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
makbo wrote:I saw your comments on the other current thread, maybe you should post a link to steer that one over here.

Remember, the MFA device does not make anything any worse. It alone does not allow access to anything, so losing your device with the app is only an inconvenience to you, not a security risk. You still have to keep an individual, secret password meeting a certain minimum complexity and mandated to change every so often. Plus, if your device is lost, first thing you do is change your password, right?

Last May, UltraTax made MFA mandatory for transmitting efile returns, not for logging in to the software, so not all staff members need MFA (but once MFA is turned on for a user, it applies to all logins for that user).

Much wailing and gnashing of teeth in the community forums, but it's mostly died down now. Some threatened to switch to other software, I imagine some did. My main complaint was that they only supported the app for Android (Google) and Apple, not Windows.

The admin user can generate a temporary code for other users. If the admin user is locked out, they can call support and go through an onerous process to get a temp code.

What no one here can say, but what I like to think, is that the IRS knows the return I transmit from UT has gone through more rigorous identity validation and authorization than most of the others it receives (for now), and that they don't treat it as suspiciously. YMMV.


Thanks....this is helpful. I like your tablet idea too. I don't work remotely, so portability is not a problem. It makes a lot of sense to me to require MFA to transmit returns but not to just log in. Unfortunately, with a one person operation, that probably means I will have to get a token each time I log in. I wonder if a USB token would streamline that a bit. I spend enough time typing in numbers as is!
 

#8
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
irc162 wrote:I spend enough time typing in numbers as is!

With an authenticator app, you don't have to type anything more than your password. Within a second or two of login, the app pops up a dialog where you just tap "yes" or "no" with your finger, it's very fast and simple. But if you got the card device, then yes you would have to type in a code.
 

#9
CornerstoneCPA  
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
These authentication apps are so easy to use, and I do not view them as adding any risk beyond inconvenience.

All of my MFAs are TouchID enabled, hardly a difficult process. I have it set up on my primary phone and iPad--one is always available to me. If you use UT and do not like the idea of TPAs, you can order their credit card sized one that generates a six digit code. Since I do work remotely and travel a lot, I prefer the app route. Options do exist, at least with the software vendors that are more sophisticated. Using TR's app, all I do is unlock my phone, and keep my finger on TouchID to approve the log-in.
 

#10
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
makbo wrote:
irc162 wrote:I spend enough time typing in numbers as is!

With an authenticator app, you don't have to type anything more than your password. Within a second or two of login, the app pops up a dialog where you just tap "yes" or "no" with your finger, it's very fast and simple. But if you got the card device, then yes you would have to type in a code.



Yes...I saw that UT has the touch to authenticate feature (nice). Unfortunately, the apps Drake wants us to use (Google, Authy etc.) all seem to be reliant on entering codes in 30 seconds or less.
 

#11
smtcpa  
Posts:
515
Joined:
28-Jul-2014 5:16am
Location:
Richmond, VA
I don't understand the feeling that having it on your phone is risky. The chance of someone stealing your phone AND having the password to your tax software has to be extremely remote.

On the flip side, if you have the MFA on a device you leave in the office, the security is worse than if it is on your phone and you have your phone with you when you are not in the office (unless of course you lock it up before you leave the office). I could see a circumstance where someone breaks in, logs into your tax software and the MFA code pops up on the device sitting next to your monitor. That's as bad as leaving your password on a sticky note taped to your monitor and defeats the purpose of MFA.

UltraTax has required MFA for access into the software and again when we e-file for the last year. The authenticator app is extraordinarily easy to use and it happens within a second of logging in.
 

#12
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
CornerstoneCPA wrote:These authentication apps are so easy to use, and I do not view them as adding any risk beyond inconvenience.

All of my MFAs are TouchID enabled, hardly a difficult process. I have it set up on my primary phone and iPad--one is always available to me. If you use UT and do not like the idea of TPAs, you can order their credit card sized one that generates a six digit code. Since I do work remotely and travel a lot, I prefer the app route. Options do exist, at least with the software vendors that are more sophisticated. Using TR's app, all I do is unlock my phone, and keep my finger on TouchID to approve the log-in.


You mentioned that all of your MFA are TouchID enabled. Are you using any non-tax MFAs like Google Authenticator or Authy? I looked at some of the documentation for those apps and got the impression that they all required the entry of numbers rather than touch to authenticate. I would be very happy to learn I am wrong about that. Since Drake will be using a third party app I would be happy to find one that allows for TouchID.
 

#13
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
smtcpa wrote:On the flip side, if you have the MFA on a device you leave in the office, the security is worse than if it is on your phone and you have your phone with you when you are not in the office (unless of course you lock it up before you leave the office). I could see a circumstance where someone breaks in, logs into your tax software and the MFA code pops up on the device sitting next to your monitor. That's as bad as leaving your password on a sticky note taped to your monitor and defeats the purpose of MFA.

UltraTax has required MFA for access into the software and again when we e-file for the last year. The authenticator app is extraordinarily easy to use and it happens within a second of logging in.

I don't regularly use any smartphone or tablet, but don't they all have their own security, including a requirement to log in to the device after a brief period of inactivity? So in your scenario, the thief would not only need to physically break in (which should trigger an alarm of some kind), but would also need your Windows password, your tax software password, AND your MFA device password. Seems like a pretty high bar to me.

Also, UT only requires a user who transmits efiles to use MFA, someone who only needs to use the software for other purposes does not need MFA.
 

#14
smtcpa  
Posts:
515
Joined:
28-Jul-2014 5:16am
Location:
Richmond, VA
I use UT and MFA was a requirement to do both.

makbo wrote:
smtcpa wrote:Also, UT only requires a user who transmits efiles to use MFA, someone who only needs to use the software for other purposes does not need MFA.
 

#15
smtcpa  
Posts:
515
Joined:
28-Jul-2014 5:16am
Location:
Richmond, VA
Exactly!

makbo wrote:
smtcpa wrote:So in your scenario, the thief would not only need to physically break in (which should trigger an alarm of some kind), but would also need your Windows password, your tax software password, AND your MFA device password. Seems like a pretty high bar to me.
 

#16
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
smtcpa wrote:I use UT and MFA was a requirement to do both.

No, it is not. "It is recommended that all staff enable multi-factor authentication, but is not required if staff members will not be transmitting electronic files from UltraTax CS." (Thomson Reuters web site)

As I stated earlier, once a user is set to use MFA, it must be used for all logins by that user. But users are not required to be set to use MFA.
 

#17
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
irc162 wrote:
You mentioned that all of your MFA are TouchID enabled. Are you using any non-tax MFAs like Google Authenticator or Authy? I looked at some of the documentation for those apps and got the impression that they all required the entry of numbers rather than touch to authenticate. I would be very happy to learn I am wrong about that. Since Drake will be using a third party app I would be happy to find one that allows for TouchID.


You are correct, Google Authenticator, for example, requires entering a six-digit code. Still very easy, it resides on your phone or other device and can be readily identified as to which platform the code applies.
 

#18
smtcpa  
Posts:
515
Joined:
28-Jul-2014 5:16am
Location:
Richmond, VA
Now that you say that, you are correct. We just elected to have all users set up for MFA.

makbo wrote:No, it is not. "It is recommended that all staff enable multi-factor authentication, but is not required if staff members will not be transmitting electronic files from UltraTax CS." (Thomson Reuters web site)
 

#19
irc162  
Account Deactivated
Posts:
384
Joined:
5-Jan-2015 5:34pm
Getting back to the idea of physical keys or FOBs, I just ran across a post (Krebs on Security) in which the author claims that even Google employees don't use the Google Authenticator app for 2FA. Instead, they use physical keys. Interesting....maybe this is where we are headed. It sounds like UT is already part way there.

Here is a link to the article:

https://krebsonsecurity.com/2018/07/goo ... -phishing/
 

#20
Posts:
728
Joined:
28-May-2014 12:04pm
Location:
Arkansas
makbo wrote:I saw your comments on the other current thread, maybe you should post a link to steer that one over here.

Remember, the MFA device does not make anything any worse. It alone does not allow access to anything, so losing your device with the app is only an inconvenience to you, not a security risk. You still have to keep an individual, secret password meeting a certain minimum complexity and mandated to change every so often. Plus, if your device is lost, first thing you do is change your password, right?

Last May, UltraTax made MFA mandatory for transmitting efile returns, not for logging in to the software, so not all staff members need MFA (but once MFA is turned on for a user, it applies to all logins for that user).

Much wailing and gnashing of teeth in the community forums, but it's mostly died down now. Some threatened to switch to other software, I imagine some did. My main complaint was that they only supported the app for Android (Google) and Apple, not Windows.

The admin user can generate a temporary code for other users. If the admin user is locked out, they can call support and go through an onerous process to get a temp code.

What no one here can say, but what I like to think, is that the IRS knows the return I transmit from UT has gone through more rigorous identity validation and authorization than most of the others it receives (for now), and that they don't treat it as suspiciously. YMMV.


I wailed and gnashed some teeth. It’s grown on me (using MFA thru UT). It was a bit buggy at first and then again on the 1041 deadline, but otherwise it’s fast and effective. And it keeps my partner from filing unreviewed returns since he refuses to enroll in MFA.

Someone has to get into my office or remote into my PC, get through the PC log in, the UT log-in, have possession of my phone, and break into my phone’s login. If they have all that capability I can’t think of another level of protection.
 
