HMRC intends to activate MFA on firms’ HMRC agent services accounts (ASA) and online services accounts (OSA) from a date yet to be confirmed. An earlier article explains how agents can prepare for MFA.
Once MFA is introduced, the agent will need to enter a one-time access code, in addition to their Government Gateway ID and password, in order to access their ASA and OSA. Firms can choose how they receive the code. The options are to:
- receive a code by text message (SMS) or voice call; or
- use an authenticator app.
Existing MFA options
An existing MFA option may already be set up on the account. HMRC recommends that firms take action before MFA is activated to ensure that any existing MFA options are correct. Out-of-date access code settings should be removed to avoid potentially being locked out. Administrators can do this on behalf of users.
Where a user is on long-term leave and MFA will be or has been activated by HMRC before their return, the firm’s administrator may want to remove the user’s existing MFA preferences in case the preferences and contact details are out of date. The user can then reset their MFA preference on their return.
Choosing between the options
The best option for the firm will depend on the circumstances. In choosing between the options, firms should consider:
- the level of security provided;
- familiarity and ease of use for staff;
- how the firm is set up and operates; and
- ongoing issues to control access, such as how to deal with leavers, joiners and changes in role.
A user can set up a primary and up to two back-up methods for MFA. HMRC recommends that an authenticator app is used as the primary method and that the user sets up at least one back-up option.
Do I need to set up separate credentials for each user?
Having separate credentials for each employee is the most secure approach for most firms as access can be removed when a person leaves. However, setting up individual logins may be challenging for some firms in time for 1 June 2026. While HMRC recommends setting up individual accounts for each member of staff, this is not mandated.
Where firms have existing ways of working that are contrary to this recommendation, client privacy and the firm’s infrastructure may make setting up individual accounts difficult to adopt in the short term.
Furthermore, some firms – particularly larger firms – will have existing ways of managing access. These methods mean that individual staff members are unaware of the firm’s HMRC login credentials, but the firm is able to control what staff members can access, and manage the risk of ongoing access when staff members leave.
Authenticator app
Authenticator apps can be downloaded from an app store. The user will need to check that the app offers the functionality they need. The app displays a QR code and a back-up security key. Where an authenticator app is used, the user will have between 30 and 60 seconds to enter a six-digit code (known as a time-based one-time password (TOTP)) in order to access the firm’s HMRC account(s).
How the app is used depends on whether staff members have separate credentials. If they don’t have separate credentials, the administrator will need to follow the set-up instructions below and then share the unique QR code or secret key with each staff member that requires access to the firm’s HMRC account(s). This can be done ahead of HMRC activating MFA on the account. HMRC does not limit the number of devices that can share the secret key. Where staff members have separate credentials, each staff member will need to follow the set-up instructions.
To set up authenticator app MFA, the user should:
- install an authenticator app on their phone, tablet or computer;
- sign in to their HMRC account;
- choose ‘authenticator app’ as their access-code method;
- either:
  - use the app to scan the QR code shown on the screen; or
  - use the secret key shown on the screen; and
- enter the code from their app to confirm setup.
HMRC recommends that administrators set up their authenticator app and create a code for each of their HMRC services account credentials (ie, ASA and OSA). HMRC says that they can be manually set up on the app and named something recognisable by the user.
In addition to not requiring that staff members have separate credentials, an advantage of the authenticator app is that codes work without mobile signal or internet access. Furthermore, as authenticator apps can be used on a computer, this means that staff will not need to use their own devices for work and/or the firm will not have to issue staff with secondary devices.
Governance and control over access to client details and HMRC systems remains the responsibility of the firm. To prevent unauthorised access where separate staff login credentials are not used, the firm should generate and share new QR codes/secret keys after a staff member leaves the organisation.
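The guidance on sharing and on leavers follows from how TOTP works: a code is derived only from the secret key and the current time, so every device holding the key produces the same code until the key is replaced. The following Python is an added illustration, not HMRC or ICAEW code; it assumes the common RFC 6238 parameters (HMAC-SHA1, 30-second step), and the function names and the leaver scenario are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per code (assumed RFC 6238 default)
DIGITS = 6   # the article says codes are six digits


def new_secret() -> str:
    """Random 160-bit key in base32, the usual form of a 'secret key'."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps, compared in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def leaver_demo(now: int = 1_750_000_000) -> dict:
    """Constructed scenario: one shared enrolment, then rotation after a leaver."""
    shared = new_secret()             # key the administrator shared with staff
    admin_code = totp(shared, now)    # administrator's device
    staff_code = totp(shared, now)    # any other device holding the same key
    rotated = new_secret()            # key enrolled again after the leaver
    return {
        "devices_agree": admin_code == staff_code,
        "leaver_valid_before_rotation": verify(shared, staff_code, now),
        "leaver_valid_after_rotation": verify(rotated, totp(shared, now), now),
    }


if __name__ == "__main__":
    print(leaver_demo())
```

A device that keeps the old key carries on producing well-formed codes after rotation; they simply stop matching what the server expects, which is why the new key has to be distributed only to current staff.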
Text message
This option will need to be set up for each credential (ie, ASA and OSA).
To set up text message, you (or your staff member where they have individual access) will need to:
- sign in to the HMRC account;
- choose text message as the access-code method;
- enter a mobile number; and
- enter the code sent by HMRC to confirm setup.
To use text message MFA going forward, staff members will:
- enter sign-in credentials as normal;
- receive a text message from HMRC once the password has been entered; and
- key in the six-digit code sent to them by HMRC.
Text messages will be received from 60551 (in the UK). Codes last for 15 minutes and can only be used by one user.
Text messages can provide strong protection where each user has their own credentials and unique code, and are relatively simple to set up and understand for staff members. If credentials are shared, then all staff members will need to be able to access the mobile device that receives the code.
However, the challenges of having separate credentials (as noted above) should not be overlooked. Further, there could be issues with:
- mobile coverage;
- the availability of phones for staff; and
- staff working overseas. HMRC does not offer SMS for all countries.
Voice call
Under this option, each staff member will need to have their own credentials.
To set up voice call MFA, each staff member will need to:
- sign in to their HMRC account;
- choose voice call as their access-code method;
- enter their UK mobile or landline number for voice call; and
- enter the code sent to them by voice call to confirm setup.
To use voice call MFA going forward, the staff member will:
- enter their sign-in credentials as normal;
- receive an automated call from HMRC once the password has been entered; and
- key in the six-digit code sent to them by HMRC.
Phone calls are from 01749 608007. Codes last for 15 minutes and can only be used by one user. Voice calls are not suitable for firms that use switchboards.
Voice call MFA provides strong protection, as each user has their own credentials and unique code, and is relatively simple to set up and understand for staff members.
However, the challenges of having separate credentials (as noted above) should not be overlooked. Further, there could be issues with the availability of phones for staff and call forwarding could result in codes reaching the wrong person.
Other options for firms with central IT administration
Firms with central IT administration may already manage staff access via other routes and these routes may still be possible following the introduction of MFA. Firms will need to check whether any adjustments are required.
The routes include:
- using browser extensions to generate and insert TOTP codes that rely on secure central password managers or authenticator apps;
- using password managers to enable staff to access TOTP keys within set parameters; or
- management tools and custom software that the firm uses to inject login details into the HMRC sign-in journey.
What can administrators do?
Administrators can:
- send user IDs;
- reset passwords and MFA for standard users; and
- see all standard users’ security settings within the service account and remove any existing MFA preferences if they have previously been set and are now outdated.
Administrators cannot set new MFA preferences on behalf of users.
Standard users can update their own MFA preferences but cannot remove their MFA settings altogether (only an administrator can do that).
Further information
HMRC toolkit for agents
Practical information from HMRC to help tax agents to get ready for Making Tax Digital for income tax which begins in April 2026.
Tax Faculty
This guidance is created by the Tax Faculty, recognised internationally as a leading authority and source of expertise on taxation. The Faculty is the voice of tax for ICAEW, responsible for all submissions to the tax authorities. Join the Faculty for expert guidance and support enabling you to provide the best advice on tax to your clients or business.