Six steps agents can take to get ready for Multi-Factor Authentication

7 May 2026

Last updated: 8 May 2026

Susan Cattell
Head of Tax Technical Policy, ICAS

The start date is still to be confirmed, but the rollout of Multi-Factor Authentication for agents could begin as soon as June. Let's take a look at HMRC’s latest guidance on how to prepare.

Earlier this year, HMRC confirmed that it would be introducing Multi-Factor Authentication (MFA) for agents later in 2026.

Once implemented, MFA will add an extra step to the agent sign in process. After entering your Government Gateway user ID and password, you will be asked to enter a one-time access code. HMRC has expanded the MFA guidance in its Tax Agent’s Handbook. It now includes six steps you can take in advance of the rollout, to avoid disruption to your access to HMRC online services.

Summary of HMRC’s suggested six steps

1. Set up individual accounts for each member of staff

Each member of staff who requires access to the agent services account and the HMRC online services for agents account must have their own individual sign-in credentials.

2. Set up at least two administrators

Organisations with multiple staff members should have more than one administrator on their account. This means that agents can:

Manage MFA resets internally
Avoid the need to contact HMRC for routine access issues
Maintain continuity if an administrator is unavailable

3. Remove access where it is no longer required

To help keep your account secure, you should remove access for any staff who leave your organisation or no longer need access to HMRC online services. This reduces the risk of unauthorised access and helps to ensure account information remains protected.

Find guidance on how to add standard users, administrators and remove staff access at how to give staff access to your HMRC online tax agent accounts.

4. Consider how access codes will be received

HMRC recommends you prepare for the introduction of MFA by:

Agreeing and communicating your approach to the introduction of MFA in advance, to ensure all employees are prepared.
Using an authenticator app as the primary method for receiving codes.
Setting up one additional authentication method as a backup.

There is more information about using an authenticator app and the additional methods (text message or voice calls) in the Tax Agent’s Handbook.

5. Check and update existing MFA settings

An MFA option may already be set on your account; for example, if someone in your firm previously enabled MFA while using an HMRC service such as Making Tax Digital for VAT. When MFA is activated for sign-in, access codes will be sent to the contact details that were saved at the time the option was set up.

HMRC suggests that you should check your accounts for any existing MFA options and confirm they are current. HMRC also sets out additional actions you can take to update MFA details and set up new options in the Tax Agent’s Handbook.

6. Use of third-party software

If you use automated processes or third-party software to manage your sign-in process, the introduction of MFA may affect those products.

HMRC recommends contacting software providers in advance, to check whether any adjustments are needed. HMRC has already notified software developers of this change to allow time for necessary updates.

Let us know what you think

We respond to tax consultations and calls for evidence and attend meetings with HMRC at which service levels, delays and other issues you raise with us are discussed. We welcome input from members to inform our work; email us to share your insights and feedback.

Categories: