CCH Axcess™ 2016 IRS Security Requirements
CCH Axcess™
Security Feature | Pre 2016-1.0 | Post 2016-1.0 | Need to Prepare Prior | User Experience |
---|---|---|---|---|
Unique Username | Users can share IDs. | Each user must have their own unique username. | Make sure each user has their own unique username. | Each user must log in with their own credentials. |
Strong Password | Passwords need to contain a combination of letters, numbers, or special characters. Not all three types are required. | Strong passwords are required and must contain at least eight characters. Passwords must contain an upper-case letter, lower-case letter, number, and special character. Passwords with fewer than eight characters will be reset to eight. | Notify all users that they will be prompted to create a new password with strong characteristics (minimum eight characters) at first login after 2016-1.0 is released. | After 2016-1.0 is released, all users will be prompted to change their password to a strong password when logging in for the first time. |
90 Day Password Expiration | You can configure passwords to expire from 30–180 days. | You can configure passwords to expire after 30-45 or 60-90 days. If your current setting is 180 days, it will be reset to 90 days. | Check your firm configuration. | Depends on your firm configuration; there could be no change at all. |
30 Minute Inactivity Session Timeout | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. | It will still be configurable for 20 or 30 minutes. If your current setting is higher than 30 minutes, it will be reset to 30 minutes. | Educate end users. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. |
24 Hour Re-authentication | No 24 hour re-authentication exists. | Users will be prompted to re-authenticate with their credentials to continue working after 24 hours of continuous work. | Educate end users. | After being logged into the application for a period of 24 continuous hours, the user will be prompted to re-authenticate with their credentials to continue working. |
BOT Detection | No secondary authentication happens. | CAPTCHA for all logins. | Notify users so they are prepared for the new requirement when logging in. | Challenge response at login for all users. |
CCH Axcess™ with Active Directory (AD)
Security Feature | Pre 2016-1.0 | Post 2016-1.0 Change Effective December 4, 2016 | Need to Prepare Prior | User Experience |
---|---|---|---|---|
30 Minute Inactivity Session Timeout | Does not apply. | No change. | N/A | No change. |
24 Hour Logout | Does not apply. | No change. | N/A | No change. |
BOT Detection | Does not apply. | No change. | N/A | No change. |
CCH Axcess™ – Session Timeout Experience (20 or 30 Minute)
Product | Pre 2016-1.0 | Post 2016-1.0 | User Experience |
---|---|---|---|
Tax | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. | The application and all windows close. Any unsaved work in a return has always been auto-saved and will continue to function this way. When reopening the return, you will be prompted to recover an auto-save file. For other administrative activities, the application will close and any unsaved work will be lost. |
Workstream | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. | Application and all windows close. Any unsaved work is lost. |
Document (Does not apply to customers using Office Plug Ins or Document OP) | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. If a user has a file open for direct edit, the system will not time out as long as that file is open for direct edit. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. The inactivity window will display when a file is open for direct edit. If you do not see the prompt, the file will not automatically be checked in. When you log in next time you will need to manually check in the file. | Once you’ve been logged off after inactivity you will need to log back in and navigate back to where you were working. Once you’ve been logged off after inactivity you will need to log back in and manually check the file back in. |
Practice | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. | Application and all windows close. Any unsaved work is lost. |
Firm Management | Inactivity timeout session exists today. It can be configured from 20 minutes to 8 hours. | Same experience at current timeout, but may be a shorter inactivity window depending on your firm configuration. | Application and all windows close. Any unsaved work is lost. |
CCH Axcess™ – 24 Hour Limit Experience
Product | Pre 2016-1.0 | Post 2016-1.0 | User Experience |
---|---|---|---|
Tax | No 24 hour re-authentication exists. | Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time. | If you re-authenticate after the 24 hour limit you will be returned to your original session. No data is lost and processes continue to run. *session timeout still applies |
Workstream | No 24 hour re-authentication exists. | Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time. | If you re-authenticate after 24 hour limit you will be returned to your original session. No data is lost and processes continue to run. *session timeout still applies |
Document | No 24 hour re-authentication exists. | Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time. *Same experience today with Watcher service & Routing Q | If you re-authenticate after 24 hour limit you will be returned to your original session. No data is lost and processes continue to run. *session timeout still applies |
Practice | No 24 hour re-authentication exists. | Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time. | If you re-authenticate after 24 hour limit you will be returned to your original session. No data is lost and processes continue to run. *session timeout still applies |
Firm Management | No 24 hour re-authentication exists. | Users must be re-authenticated after 24 hours of continuous use even if they have been active the entire time. | If you re-authenticate after 24 hour limit you will be returned to your original session. No data is lost and processes continue to run. *session timeout still applies |
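
The interaction between the inactivity timeout and the 24 hour limit described in the tables above, as an added illustration that is not CCH Axcess code. The `Session` class, the function names, the order of the two checks and the treatment of the exact boundary are assumptions; the 30-minute ceiling and the 24-hour limit are the page's values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ABSOLUTE_LIMIT = timedelta(hours=24)   # 24 hour re-authentication limit (from the page)
MAX_IDLE_MINUTES = 30                  # post 2016-1.0 inactivity ceiling (from the page)


def migrate_idle_setting(minutes: int) -> int:
    """Settings higher than 30 minutes are reset to 30; lower ones are kept."""
    return min(minutes, MAX_IDLE_MINUTES)


@dataclass
class Session:
    authenticated_at: datetime   # last successful credential check
    last_activity: datetime      # last user action seen
    idle_minutes: int            # firm-configured inactivity window


def evaluate(s: Session, now: datetime) -> str:
    """Return 'closed', 'reauth' or 'active' for the session at time `now`."""
    # Inactivity is checked first (assumed order): the session timeout still
    # applies, and an idle session is closed rather than resumed.
    if now - s.last_activity >= timedelta(minutes=s.idle_minutes):
        return "closed"
    # The 24 hour clock runs from authentication and ignores activity, so a
    # user who never went idle is still prompted for credentials.
    if now - s.authenticated_at >= ABSOLUTE_LIMIT:
        return "reauth"
    return "active"


def reauthenticate(s: Session, now: datetime) -> Session:
    """Restart the 24 hour clock on the same session; its state is kept."""
    s.authenticated_at = now
    s.last_activity = now
    return s
```
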
Additional Information
Solution Id | 000151082/000053228 |
---|---|