I wanted to raise a concern regarding the use of email as a two-factor authentication (2FA) method within your platform.
From both an IRS and broader federal cybersecurity standpoint, email is not considered a secure authentication factor and should not be relied upon for 2FA.
The IRS explicitly maintains restrictive policies on email usage due to security and privacy risks, noting that email is only permitted in limited circumstances and that more secure alternatives are preferred:
Additionally, IRS guidance on multi-factor authentication defines acceptable factors as:
- Something you know (e.g., password)
- Something you have (e.g., device, authenticator app, token)
- Something you are (e.g., biometrics)
Email does not meet the criteria of a secure “possession factor,” as it is:
- Frequently compromised via phishing attacks
- Accessible across multiple devices and sessions
- Dependent on the security of the underlying email account (which itself requires MFA)
The IRS further reinforces this position in Publication 4557, recommending that email accounts themselves be protected with MFA, underscoring that email is not a strong authentication mechanism.
In practice, IRS systems and IRS-aligned platforms (such as Login.gov) use stronger 2FA methods, including:
- Authenticator apps
- Hardware security keys
- SMS/voice (as a lower-tier option)
They do not use email as a second authentication factor.
Given the sensitivity of financial and taxpayer data handled in our workflows, we strongly recommend aligning with IRS and federal security standards by supporting more secure 2FA options such as authenticator apps or hardware keys, and avoiding email-based authentication entirely.
Please let me know if there are plans to support stronger MFA methods or if this can be escalated for review.
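As an added illustration (not part of the message above, and not code from the platform in question), the following Python check applies the factor model the message describes to a list of offered MFA methods: it requires two distinct factor categories, counts SMS/voice as a lower-tier possession factor, and does not count email as a factor at all. The method names and category mapping are assumptions made for the example.

```python
# Added example: evaluate a platform's offered MFA methods against the
# three-category factor model. Method names below are assumed labels.
from dataclasses import dataclass, field

# Category of each method. "email" is deliberately absent from the
# possession category: its security rests on the mailbox's own MFA.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "authenticator_app": "possession",
    "hardware_key": "possession",
    "sms": "possession",
    "voice": "possession",
    "biometric": "inherence",
}

# Accepted, but only as lower-tier possession factors.
LOWER_TIER = {"sms", "voice"}

# Methods that must not be counted as a factor, with the reason.
REJECTED = {
    "email": "not a secure possession factor (phishable, reachable from "
             "many devices/sessions, depends on the mailbox's own MFA)",
}

@dataclass
class Assessment:
    meets_2fa: bool
    categories: set = field(default_factory=set)
    strong_second_factors: list = field(default_factory=list)
    lower_tier_second_factors: list = field(default_factory=list)
    findings: list = field(default_factory=list)

def assess_mfa(methods):
    """Return whether the methods cover two distinct factor categories,
    ignoring rejected methods, plus findings a reviewer would raise."""
    a = Assessment(meets_2fa=False)
    for m in methods:
        if m in REJECTED:
            a.findings.append(f"{m}: {REJECTED[m]}")
            continue
        cat = FACTOR_CATEGORY.get(m)
        if cat is None:
            a.findings.append(f"{m}: unknown method, not counted")
            continue
        a.categories.add(cat)
        if cat == "possession":
            bucket = (a.lower_tier_second_factors if m in LOWER_TIER
                      else a.strong_second_factors)
            bucket.append(m)
    a.meets_2fa = len(a.categories) >= 2
    if a.meets_2fa and not a.strong_second_factors:
        a.findings.append("only lower-tier second factors offered; add an "
                          "authenticator app or hardware key")
    return a
```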