How two-step verification protects your IRS account
When you sign into an IRS Online Account, two-step verification (also called two-factor authentication or 2FA) requires a second confirmation after your password. That second step is usually:
- A one-time code sent by SMS or email,
- A code generated by an authenticator app (Google Authenticator, Microsoft Authenticator), or
- A hardware security key for advanced users.
This extra step blocks most automated or password-only attacks and lowers the chance of identity theft (IRS, Two-Step Verification and Account Help: https://www.irs.gov/help/ita/two-step-verification).
How account recovery works (step-by-step)
If you lose the device or method used for your second factor, follow this checklist:
- Try stored recovery options first — backup/one-time codes you printed or saved when you set up 2FA.
- Use an alternate verified contact (secondary email or phone) if you added one during setup.
- Reinstall or re-register an authenticator app using a saved QR key or secret (if you stored it securely).
- If you cannot use any backup, follow the IRS account recovery flow on the Online Account help pages — you will be asked to verify identity with documents and answers about your tax history (see IRS Online Account and Help Resources: https://www.irs.gov/payments/view-your-tax-account).
- If you suspect identity theft, visit IRS Identity Theft Central to report the issue and get instructions for the Identity Protection PIN or other protections (https://www.irs.gov/identity-theft-central).
The IRS may require photo ID, prior-year tax return details, or other documents to confirm your identity during recovery. Expect identity verification to take several business days depending on complexity.
Setup choices and pros/cons
- SMS codes: Convenient but vulnerable to SIM swapping and interception. Use only if you keep tight control of your phone carrier account.
- Authenticator apps: More secure and recommended. Codes are generated locally on your device and are not transmitted over cellular networks.
- Hardware security keys (FIDO2): Highest security; best for frequent users who manage many sensitive accounts.
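Why authenticator codes never travel over the phone network, and why a securely saved secret lets you re-register an app, shown as an added example (not IRS or FinHelp code). It assumes the standard TOTP scheme from RFC 6238 with the usual defaults (HMAC-SHA1, 30-second steps, 6 digits); the sample secret is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # QR secrets often omit base32 padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", max(0, int(unix_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, step=30):
    """Server-side check: also accept the adjacent time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + i * step, step), submitted)
        for i in range(-window, window + 1)
    )


# Constructed sample: the RFC 6238 test key, base32-encoded the way a QR code carries it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 59
    old_phone = totp(SAMPLE_SECRET, t)
    new_phone = totp(SAMPLE_SECRET, t)            # same saved secret on a replacement device
    print("old phone:", old_phone, "new phone:", new_phone)
    print("accepted one step late:", verify(SAMPLE_SECRET, old_phone, t + 30))
    print("accepted three steps late:", verify(SAMPLE_SECRET, old_phone, t + 90))
```

The only inputs are the shared secret and the clock, so nothing is sent to the device at sign-in. Anyone who holds the secret can produce valid codes, which is why a saved copy belongs in a password manager or safe.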
Common problems and quick fixes
- Lost phone and no backup codes: Start the IRS recovery process; be ready to provide tax information and identity documents.
- SMS not arriving: Check carrier blocking, wireless signal, and that the IRS has your current number. Use an authenticator app as a backup.
- Repeated verification prompts: Clear browser cookies or register a trusted device to reduce frequency.
Practical tips from my practice
In my work with clients I see preventable lockouts. To avoid them:
- Set up at least two verification methods (authenticator app + backup phone or saved codes).
- Save backup codes in a password manager or locked physical safe — not as an unlocked text or email.
- Keep the recovery email and phone number current with the IRS account profile.
- Prefer authenticator apps or hardware keys over SMS when possible; treat SMS as the least secure option.
When to involve the IRS directly
Contact IRS help resources if you cannot regain access or if you suspect your identity was used fraudulently. For identity-theft cases the IRS provides dedicated guidance and steps to request an Identity Protection PIN or to clear fraudulent returns — see IRS Identity Theft Central (https://www.irs.gov/identity-theft-central).
Related guides on FinHelp
- Learn how IRS account issues show up in tax and recovery steps: How Identity Theft Affects Your IRS Account and Steps to Recover.
- Best practices to secure your records and manage online access: IRS Online Account Security: Protecting Your Tax Records and Personal Data.
- Use transcripts to detect fraud and support recovery: Using IRS Transcripts to Detect and Prove Identity Theft on Your Account.
Short FAQs
- Is two-step verification mandatory? No — it’s optional but strongly recommended by the IRS to reduce fraud.
- What if I’m a victim of tax-related identity theft? Follow the IRS Identity Theft Central steps; you may get an Identity Protection PIN and help restoring your account.
- Can the IRS lock me out permanently? The IRS will not permanently lock a verified taxpayer out without offering an identity-recovery path; keep documentation and follow the published recovery steps.
Sources and authority
Information summarized from IRS public pages on two-step verification and identity theft guidance (IRS.gov — Two-Step Verification; IRS Identity Theft Central; IRS Online Account pages). Always check the IRS site for the latest process changes and current links: https://www.irs.gov.
Disclaimer: This article is educational and not legal or tax advice. For individualized help, consult a tax professional or contact the IRS directly.

