Understanding The Limitation of IRS' "Get Transcript" Multi-Step Authentication

The multi-step authentication system used to secure the IRS "Get Transcript" application required several pieces of information that only the taxpayers could have known. But it wasn't strong enough.

Overview

The multi-step authentication system used to secure the IRS "Get Transcript" application required several pieces of data that only the taxpayers could have known. But even that wasn't strong enough to prevent the recent data breach. That's because the system had one serious limitation.

Brief background of the breach

You probably already know by now how the IRS data breach was carried out. Attackers first gathered several pieces of taxpayers' personal information from outside sources. They then used that information to clear a multi-step authentication process that protected the IRS' "Get Transcript" application. The result? Over 330,000 taxpayer accounts, compromised.

How the "Get Transcript" authentication worked

The authentication system employed for the IRS' "Get Transcript" application was not totally weak. It actually consisted of multiple verification steps that required the user (presumably a legitimate taxpayer) to enter several pieces of information known only (in principle) to the user.

This information included the usual stuff like the taxpayer's name, date of birth, address, tax filing status, and Social Security Number. In addition, the "Get Transcript" authentication system also employed challenge questions similar to "What is your mother's maiden name?", "What was your high school mascot?" or "What was your first car?". Sounds like a pretty tough exam, doesn't it?

Unfortunately, a lot of information like names, addresses, SSNs, etc., isn't really confidential anymore. After all those data breaches throughout the years, this type of information has likely already been aggregated and shared (or sold) in hacker forums and other dark corners of the Web.

How about those challenge questions? While the answers to many of those questions used to be impossible to find online, many of them are now easily seen in or inferable from posts, comments, likes, and shares on social media sites like Facebook, Twitter, Instagram, and others.

Understanding the limitation and how to counter it

The main problem with the "Get Transcript" authentication system was that it simply employed a single "factor" of authentication, i.e., it was purely knowledge-based. As mentioned earlier, it only required things that the user "knew". That's the limitation. As we've explained in the previous section, a lot of supposedly confidential information is already scattered in the dark corners of the Internet.

But aren't all authentication systems knowledge-based? Not really.

While we're all used to submitting passwords and other pieces of information to authenticate, some authentication systems can actually require something that:

  • the user has - like a token, card, phone, client certificate or private key or
  • the user is - like the user's thumbprint or retinal scan

When either of these factors of authentication (or both) is combined with knowledge-based authentication (what the user knows), the authentication process becomes much harder to crack.

An attacker can probably acquire hundreds of thousands of user passwords and other verification data. But what are the chances of the attacker also having, say, even just a hundred phones owned by those same users? Not likely, right?


Of course, adding even just one more factor of authentication can be difficult to implement and less user-friendly. Still, if the authentication process is used to secure a resource, system, or infrastructure that's as critical as, say, taxpayers' personal information, it's probably worth the hassle.
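
The gap between "multi-step" and "multi-factor" described above, as an added example that is not part of the original post or of any IRS system: a login that checks only knowledge items passes for anyone holding the aggregated data, while a login that also demands a time-based one-time code (RFC 6238 TOTP) from an enrolled device does not. The record, the function names and the choice of TOTP as the "something the user has" factor are assumptions made for illustration, and all values are constructed.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a device holding `secret` would display."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

# Constructed enrolment record (hypothetical values, not real taxpayer data).
RECORD = {
    "knowledge": {"ssn": "000-00-0000", "dob": "1970-01-01", "first_car": "pinto"},
    "device_secret": b"12345678901234567890",    # the RFC 6238 test key
}

def knowledge_ok(record, answers):
    """All knowledge items must match. However many there are, this is one factor."""
    return all(
        hmac.compare_digest(str(answers.get(name, "")).lower(), expected)
        for name, expected in record["knowledge"].items()
    )

def possession_ok(record, code, now, drift_steps=1):
    """Accept the code for the current 30 s window or one window either side."""
    return any(
        hmac.compare_digest(totp(record["device_secret"], now + d * 30), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def knowledge_only_login(record, answers):
    """Multi-step but single-factor: several checks, all of the 'knows' kind."""
    return knowledge_ok(record, answers)

def two_factor_login(record, answers, code, now):
    """Knowledge AND possession must both pass."""
    return knowledge_ok(record, answers) and possession_ok(record, code or "", now)
```

The device secret never appears in the kind of data that gets aggregated from earlier breaches or social media, which is why the second login fails for an attacker who knows every answer.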

Recommended posts

Several large enterprises now employ 2-factor authentication methods. Would you like to know more about some of those methods? Click these links if you do.

What Is Client Certificate Authentication?

What Is An SFTP Key?

Recommended Download

JSCAPE MFT Server is a highly secure managed file transfer server that supports 2-factor authentication and other security functions. We're currently offering a free, fully functional edition. If you want to try it out, download a copy now.

Download JSCAPE MFT Server Trial