Multi-factor authentication now in play for tax practitioners
The tax office has issued a reminder to tax practitioners on the changing security requirements for their software providers, including the need for multi-factor authentication.
Last month, the ATO released its Operational Framework for Digital Service Providers (DSPs) as part of its response to the business risks and security implications presented by the growth of digital services across the digital economy.
In particular, for tax practitioners’ products, DSPs must implement multi-factor credentials within these products and services by 31 March 2018 and mandate their use by 30 June 2018.
For products and services where users potentially have access to large volumes of taxpayer or superannuation-related information (e.g. payroll), DSPs must implement multi-factor credentials by 30 June 2018 and mandate their use by 30 September 2018.
For all other products and services hosted by the DSP, DSPs must implement multi-factor credentials by 30 September 2018 and mandate their use by 31 December 2018.
“If you use cloud-based software there are changes to the way you need to authenticate,” said the ATO.
“Your digital service provider now needs to have multi-factor authentication. This means you may require additional security or password steps to access your practice management software.
“This does not affect how you access the portals.”
On top of multi-factor authentication, DSPs will have to meet relevant requirements including authentication, encryption, supply chain visibility, certification, data hosting, personnel security, encryption key management and security monitoring practices.
According to the ATO, the framework is aimed at providing confidence to tax practitioners that they “have secure processes in place for the data you share through your practice management software”.