Agents need to be aware of the upcoming changes to the direct login process for all HMRC online agent accounts and take urgent action to ensure they are ready.
Multi-factor authentication (MFA) will be switched on for all HMRC agent accounts. We expect HMRC to introduce MFA in tranches once the timetable is confirmed. We will have confirmation of the dates of those tranches in early June and will update this guidance once we have clarity from HMRC.
MFA has already been introduced for individuals and organisations who access HMRC services using login credentials (user ID and password) followed by an access code. This code can be sent to a mobile phone or landline, or generated by an authenticator app. This is called multi-factor authentication because the user needs more than one piece of information (something they know and something they hold) to access their account.
Once live, the sign in journey for agents will mirror the existing journey for individuals and organisations. It will add a second step of an access code when logging directly into agent online account(s). This will include both the ‘Agent Services Account’ (ASA) and ‘HMRC online services for agents account’ (OSA) used to access services including self-assessment and corporation tax (sometimes called ‘legacy’ accounts).
The changes should not affect the separate process of authorising the software used to file returns under MTD, where the authorisation is renewed every 18 months.
Agents are urged to go into their ASA and OSA accounts to set up their MFA settings before HMRC turns on MFA.
Disclaimer:
This guidance note is not intended to constitute advice or to provide specific recommendations on courses of action. It has been prepared based on information shared by HMRC with us and other professional bodies. It is subject to change as and when we learn more about the process.
While we have endeavoured to ensure this note is as accurate as possible, it is intended for general guidance only and no responsibility can be accepted by the Association of Taxation Technicians or Chartered Institute of Taxation for loss occasioned to you or any other person acting or refraining from action as a result of any material in this document.
Comments, corrections or feedback from members are always very welcome. Please send them to [email protected].
Contents of this guidance note:
- When will MFA be switched on?
- What options are available to set up MFA on my HMRC online services?
- How can staff receive access codes?
- Which option is best for my firm?
- What steps do agents need to take to get ready?
- What support is available for firms?
- Creating individual logins on your HMRC online services and allocating client access
- Setting up and using an authenticator app for use on shared credentials
- Check if MFA has been previously set up
- Changing how you receive your access codes
When will MFA be switched on?
We will update this guidance with timescales, once we have clarity from HMRC.
What options are available to set up MFA on my HMRC online services?
MFA can be introduced to the login process for the ASA and OSA in several ways.
Agents must first choose how staff will access their online services accounts and secondly, how they wish to receive their access codes (next section).
HMRC’s preferred option is for firms to set up separate login credentials for each member of staff. If a firm doesn’t wish to transition to single staff credentials now, it is possible to set up MFA on shared logins and move to individual logins later.
Option 1: Create individual logins
This option is HMRC’s preferred approach, which they view as the most secure.
Individual login credentials need to be set up for each employee, enabling each employee to choose their own password and set up a method for receiving access codes, typically via a mobile device. (Other options are available where staff don’t have their own devices or the firm would prefer staff to use authenticator apps.) Such codes are typically ‘single use’ codes, in a similar manner to those on the Personal Tax Account and Business Tax Account (PTA/BTA).
The advantage of this approach is that individual accounts can be removed by administrators as required, for example when employees leave the firm.
The downside to creating individual logins is the extra work needed to manage each individual staff member’s access to client records.
For the legacy OSAs, clients must be allocated to each staff login for the member of staff to be able to access the client records. So if the firm has 20 staff and 4,000 clients on a shared login and all staff need access to all those clients, each of the 4,000 clients must be allocated to each of the 20 staff members. If a member of staff joins, the process must be repeated for them. Set up and maintenance of individual logins can be a significant burden for firms. HMRC are aware this can be time-consuming but there is currently no method to bulk allocate clients to logins on the OSAs.
Individual logins are set up differently on the ASA and the issues of client allocation are not as challenging. For the ASA, it is possible to manage staff access via Access Groups. See the section ‘Creating individual logins on your HMRC online services and allocating client access’ below for how to set up Access Groups in the ASA.
Option 2: Retain shared account logins and receive time based access codes
In some firms, staff share a single account and use the same user ID and password to login. This is not HMRC’s preferred option - but allows staff to access all clients on that account without the allocation issues noted above.
HMRC advises that its services are designed to support individual user accounts for each member of staff, supporting clear accountability and strong security controls. However HMRC recognises that some firms operate different models, including shared accounts. They advise that firms operating in this way can still incorporate multi-factor authentication (MFA), for example through time-based passcode generation. This allows MFA to be integrated into existing ways of working to strengthen authentication and protect accounts.
If the firm decides to continue with this approach, firms will need to move to receiving time-based access codes via an authenticator app, password manager or browser extension (please see next section for further information on these options for receiving codes). This will involve the firm sharing a QR code or the ‘seed key’ between employees when setting up the authenticator app. Employees would then use their own authenticator app to generate their own time-based code for the same credential when they want to login.
This can help to avoid the work of allocating clients to individual staff credentials, but it means that the password and/or the multi-factor method must be changed when staff leave, to prevent unauthorised use of the account after they have left.
How can staff receive access codes?
There are three ways to receive an access code: authenticator app, SMS text message or via an automated call on a landline. It is recommended that the firm’s account administrators (and any staff who have their own credentials set up already) check their existing preferences and agree a consistent approach in advance of MFA being activated by HMRC. This approach should then be communicated within their firm.
HMRC recommend that agents set up at least one backup option (all three options can be selected) so there is always at least one way of receiving an access code.
The options are:
Option 1: Use an authenticator app
An authenticator app is recommended by HMRC for most organisations. These can generate access codes for staff who are using their own, individual login credentials, or for shared credentials.
The user can install an authenticator app on a phone, tablet or computer. Authenticator apps are therefore helpful where either staff do not have work mobiles, or use of personal mobiles is not permitted.
To set this option up, the administrator should choose authenticator app as the access-code method. They will need to download and install a suitable authenticator app with appropriate functionality for their firm.
See the section ‘Setting up and using an authenticator app for use on shared credentials’ below for further information where shared logins are used.
Time based access codes can also be handled via browser extensions and password managers. In the account, set the MFA preference as ‘authenticator app’.
Browser extensions
There are browser extensions that can generate and insert time based access codes, reliant on a secure central password manager or authenticator app.
Password managers
Enterprise password managers and privileged access tools offer shared vaults for team credentials and browser extensions, enabling time based access codes to be accessed with greater governance, centralised controls, logging and auditing. These can support the use of shared accounts between staff. This approach eases management of staff changes, starters and leavers.
Option 2: Receive access codes by text message (SMS)
To set this option up, the user needs to select text messages as an access-code method, enter the mobile phone number and finally, enter the code sent to them to confirm setup.
The 6-digit code is valid for up to 15 minutes and can only be used once. A unique code is sent each time the user signs in. In the UK, SMS codes are sent from ‘60551’.
This approach does not always work for non-UK registered phones as HMRC will only send SMS codes to certain countries. Users should confirm that their phone is non-UK and select from the list of countries offered. If the user does not then receive a code within 15 minutes, authenticator apps are an alternative solution.
Even those who successfully set up a non-UK phone to receive SMS access codes may wish to consider authenticator apps as occasionally connectivity can be unreliable - meaning the code arrives outside the 15 minute window.
Option 3: Receive codes by voice call
To set this option up, the user needs to select voice call as an access-code method, enter the UK phone number (mobile or landline), answer the automated call and enter the code read out to confirm setup.
Once set up, after entering the password, the user will receive an automated call from HMRC on 01749 608007. The recorded message reads out a 6-digit code which the user should enter to complete sign-in. The code is valid for up to 15 minutes and can only be used once.
This option can be useful where text messages are not suitable but still depends on phone availability and network connection.
This option is not suitable for switchboards.
Which option is best for my firm?
The ATT and CIOT are not making recommendations around how firms set up MFA on their HMRC accounts. Firms need to consider the security, functionality and on-going governance issues of each option in line with their individual circumstances.
The right approach is typically one that:
- protects against stolen or reused passwords
- fits how the firm works today
- copes with busy periods and staff changes
- allows access to be removed quickly when roles change.
Agents are responsible for ensuring they have appropriate procedures in place to govern access to their HMRC online services accounts and keeping their accounts up to date.
What steps do agents need to take to get ready?
Agents need to take the following steps before MFA is activated on their accounts:
Step 1. Review and refresh the administrator roles
The first person to set up an agent online account is automatically set up as the ‘administrator’. The administrator can set up other administrators or standard users. It is recommended by HMRC that there is a minimum of two administrators on each account, as the administrator can do MFA resets for others, but not for themselves (a second administrator would need to reset the first administrator).
Firms should ensure all users know their role before MFA is added, and who to contact for assistance within the organisation.
If all administrators currently set up on the OSA or ASA have left the business or are unavailable, agents should contact HMRC’s technical support for online services.
If the administrator has changed because the business has changed, the firm should contact the Agent Compliance Team. More information can be found in HMRC’s guidance ‘What to do if your tax agent business is changing’.
If the agent is a sole trader and has lost access, they would need to contact HMRC’s technical support for online services for an MFA reset.
Step 2: Check all accounts for any existing MFA access code setting(s) and change if out of date
To prepare for switch on, agents must check their current access code settings on all their accounts and update those options if they are out of date.
If this is not done, and access code options which were previously set up are out of date, an agent may be locked out of their ASA on day one (the first day MFA is activated).
Administrators and standard users can update their own settings via their Government Gateway profile page. Administrators can remove access code settings for other standard users and other administrators but cannot remove settings for themselves.
For further information see the sections ‘Check if MFA has been previously set up’ and ‘Changing how you receive your access codes’ below.
Step 3: Decide which option the organisation (and its employees) will use to access HMRC online services
Agents need to review how their employees currently access all their OSAs and ASAs, including whether they use individual credentials or shared credentials. Firms will need to decide if they wish to continue with any shared credentials or set up individual credentials for all staff.
Step 4: Decide which method of receiving access codes works best for the organisation
HMRC recommend that all users (particularly administrators) should choose at least two authentication preferences so that there is always a backup method to receive a code. Otherwise if the user gets locked out they will need to contact HMRC online services desk for support.
Firms will need to set their own policies around setting up back up methods for employees’ own individual credentials as use of personal mobiles may not always be appropriate.
Step 5: Set up MFA access code settings on all HMRC online credentials
Agents can set up their MFA access code setting before MFA is activated or wait until the day that MFA is activated.
Our current understanding is that HMRC will not be able to tell individual firms exactly when MFA will be switched on for their accounts – although we are hopeful firms will be able to work out which tranche their accounts will be in, giving them a window of possible switch-on dates. We recommend that agents set up their MFA access code settings in advance, before MFA is due to be activated for that tranche.
Setting up MFA before activation will be key for shared credentials. Agents who have shared login credentials may find that on the day HMRC turn MFA on, it is the first employee to log in who will be asked to choose how to get the access codes, rather than the administrator. Administrators will either need to set up their approach before the first day of their implementation tranche or issue strict instructions to staff on what to do if they are asked to set up MFA. Employees need to be warned not to tie a shared login to their own mobile, as this may need to be changed later. See the section ‘Setting up and using an authenticator app for use on shared credentials’ below.
For those who wait until MFA is activated by HMRC on their account, the first user to log in after MFA has been activated will be asked to set up the preferred method of receiving access codes.
For firms that have individual logins which are not shared (i.e. individual employees have their own login credentials and manage their own password), users will need to set up their own access code settings and can do so before MFA is switched on. The administrator can delete existing security settings if MFA has been previously activated but they cannot set up new access code preferences for users (as they won’t have the password to access the individual account to do so).
Step 6: Communicate the MFA plan to the organisation ahead of MFA activation
Firms should discuss the approach with relevant teams and agree on the processes, responsibilities, and communication arrangements to ensure the MFA solution works effectively for their organisation.
Step 7: Ongoing maintenance
Once MFA is in place, firms will need policies for managing individual staff credentials and access codes to ensure ongoing security. This would include ensuring that staff credentials are removed on departure from the firm and that passwords are changed on shared credentials when staff members leave.
What support is available for firms?
The following HMRC support is available to agents:
- Guidance in the Agent Tax Handbook
- Contact HMRC’s Online Support Helpdesk if assistance is required with resetting access codes or with difficulties self-serving using the online functionality
Creating individual logins on your HMRC online services and allocating client access
HMRC has guidance on how to give staff individual login access to HMRC online services for agents account and the ASA.
HMRC Online Services Account
Once administrators and standard users have been set up, clients will not automatically appear on any user’s client list. Clients will show in an unallocated pool until an administrator assigns them to one or more standard users. As noted above, if there are significant numbers of clients on a specific account, this can be time-consuming.
Agent Services Account
By default, if an agent sets up individual login credentials for all staff members who need access to the ASA, all users will be able to see all clients on the ASA.
If the administrator wants to restrict which employees can see certain clients, the administrators will need to request and enable 'Access Groups'.
‘Access Groups’ help manage staff access if the agent has two or more clients and two or more team members. Guidance is available from within the ASA itself on setting up Access Groups. HMRC have also recorded a webinar, which covers the initial set up and managing of Access Groups.
Agents can set up one or more Access Groups within their ASA. Access Groups can be set up by tax service, location, sensitivity and any other criteria. Clients and employees can be allocated to more than one access group.
Access Groups is currently in testing (private Beta stage). Administrators can request the function by clicking on the banner in the ASA home page or, if the offer to participate in the private Beta stage is no longer available and the banner has disappeared, the administrator will need to email HMRC on [email protected] to request that the function is turned on.
It should take one week for HMRC to activate Access Groups.
Setting up and using an authenticator app for use on shared credentials
As firms will not get advance notice of the exact day MFA will be switched on (other than details of the activation tranche, which is to be confirmed by HMRC), we strongly recommend that agents who use login credentials which are shared (i.e. used by more than one employee) go into their OSA and ASA and set up their MFA settings before HMRC turns on MFA on their accounts. Otherwise, it will be the first employee to log in after MFA is switched on who is asked how the firm wants to set up MFA.
Where MFA is being introduced on shared credentials, an authenticator app (or password manager/browser extension) will be needed to generate time-based one-time passwords (TOTPs).
An authenticator app allows multiple employees to log in at the same time. Provided that each employee has access to an authenticator app (which has been set up with the same ’secret key’ generated and shared by the administrator for that credential), all users will be able to access the necessary codes.
After entering the user ID and password, the user will be prompted to enter the code displayed in their authenticator app. The app shows a new 6-digit code which is ‘live’ for 30 to 60 seconds, so the code must be entered promptly.
The steps that should be taken to set up an authenticator app for shared logins include:
Step 1: Choose an authenticator app
Choose which authenticator app is appropriate for the firm. All employees with access to HMRC accounts will need access to an authenticator app.
Step 2: Set up MFA access code settings on all HMRC online accounts – on administrator credentials
The administrator (using their administrator’s credentials) needs to go into the access code options in settings of the firm’s ASA and any OSAs and choose authenticator app as the preferred access code method.
If there are existing settings there, these can be updated.
To connect the app to the account, the administrator will need to scan the QR code (which contains the ‘seed key’) shown on screen. If using a mobile with an authenticator app, the administrator can scan the QR code with their phone, and the app will automatically generate a unique 6-digit code which the user will have 30 to 60 seconds (from when the code is generated) to enter and confirm set up.
If not using a phone the user will need to manually enter the ‘secret key’ into their app and again confirm set up with the access code generated.
As the authenticator app generates the codes the user doesn’t need to have a mobile signal or internet access. This option is known as a time based one-time password (TOTP).
It is important the administrator keeps a copy of this ‘seed key’/ ‘secret key’ somewhere safe for future reference.
The administrator should complete this step for the firm’s ASA and each of the firm’s OSAs.
Step 3: Name each account on the authenticator app before MFA is activated.
If the QR code has been scanned, revisit the authenticator app and rename the account listing to distinguish between account credentials, for example ‘VAT’, ‘Income Tax London office’ etc. Alternatively, if the ‘secret key’ is manually entered into the authenticator app, the user will be prompted to enter an ‘account name’.
If names are not unique for each credential the authenticator app may over-write an existing account listing (and assume it’s the same credential).
If users have multiple credentials on their authenticator app they must make sure they are using an access code for the correct credential.
Step 4: Set up MFA access code settings on all HMRC online accounts – on shared individual logins
Some firms have created individual logins within their HMRC online accounts, perhaps to segregate client access.
Where these credentials have also been shared with more than one employee, the administrator will also need to complete step 2 for each of those credentials.
Step 5: Employees install an authenticator app
The employees will need an authenticator app installed on a phone, tablet or computer.
Step 6: The administrator shares the ‘secret key’ with each employee
The administrator will need to share the QR code (or the ‘secret key’ it encodes) with each staff member so that they can set up their own authenticator app for the same credential. The employee then signs in with the shared user ID and password but generates the access code in their own authenticator app. The QR code and the secret key are the same thing in two forms, so they should only be shared through a channel the firm trusts and not left in email or chat history.
Step 7: Setting up a back up option
HMRC recommend that agents set up a backup option so that there is always at least one way of receiving an access code. Once the user has completed their initial access code preference and received their confirmation code, they can revisit their Government Gateway profile page to set up the backup option via the link in their account.
Some key points to note:
- Provided the ‘seed code’ or ‘secret key’ is securely saved, an agent can use the key to set up an authenticator app again, should they encounter any problems or devices are lost.
- There are additional risks when using shared credentials. Employees who have left the firm may still be able to access the firm’s accounts if shared passwords or MFA methods are not changed promptly.
- To ensure continued security, it is important that firms have a process for governance of their HMRC online accounts. This will include
- Removing the existing authenticator-app setting, generating a fresh QR code/secret key and communicating it to the remaining staff when someone leaves the organisation (a former employee whose app still holds the old seed can continue to generate valid codes until it is refreshed).
- Capturing and storing the ‘secret key’ securely and separately from the user ID and password, for example in a password manager. If a screenshot of the QR code is kept, it must be protected in the same way, since anyone who obtains it can generate the account’s access codes.
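To make concrete what the ‘seed key’ does and why it, rather than just the password, governs who can still sign in, the following added example (written for this note, not HMRC code or the output of any particular authenticator app) implements the RFC 6238 TOTP algorithm that authenticator apps use. It shows that two apps enrolled from the same QR code produce identical codes, how long each code remains current, how a service tolerates small clock drift, and that a copy of the old seed keeps working until the credential is re-enrolled with a new one. The seed below is the published RFC 6238 test key, used only so the values can be checked; the 30-second step and 6-digit length are the usual defaults and are assumptions about the app settings, not HMRC-confirmed parameters.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed example seed in the base32 form authenticator apps accept when
# the 'secret key' is typed in by hand. This is the RFC 6238 test key
# ("12345678901234567890" as ASCII), not a seed issued by any real service.
SHARED_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds per code; the usual authenticator-app default (assumed)
DIGITS = 6       # code length shown in the app


def decode_seed(seed_b32: str) -> bytes:
    """Decode a base32 seed, tolerating the spaces and missing '=' padding users often leave out."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(seed_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(decode_seed(seed_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def seconds_until_rotation(unix_time: int, step: int = TIME_STEP) -> int:
    """How long the code displayed at unix_time stays the 'current' one."""
    return step - (unix_time % step)


def verify(seed_b32: str, submitted: str, unix_time: int, step: int = TIME_STEP, window: int = 1) -> bool:
    """Service-side check: accept the current step and `window` steps either side to allow clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_seed_b32(length_bytes: int = 20) -> str:
    """Fresh random seed, as generated when the authenticator-app setting is removed and re-enrolled."""
    return base64.b32encode(secrets.token_bytes(length_bytes)).decode("ascii")


def leaver_still_has_access(old_seed_b32: str, current_seed_b32: str, unix_time: int) -> bool:
    """True if a retained copy of the old seed still produces a code the account accepts."""
    return verify(current_seed_b32, totp(old_seed_b32, unix_time), unix_time)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed timestamp so the demo is reproducible
    # Two staff members who scanned the same QR code see the same code ...
    print("device A:", totp(SHARED_SEED_B32, now), "device B:", totp(SHARED_SEED_B32, now),
          f"(rotates in {seconds_until_rotation(now)}s)")
    # ... and the account accepts it.
    print("accepted:", verify(SHARED_SEED_B32, totp(SHARED_SEED_B32, now), now))
    # Until the seed is rotated, every copy of it keeps working; only re-enrolment
    # with a new seed (not a password change alone) invalidates the old copies.
    print("old seed still valid before rotation:",
          leaver_still_has_access(SHARED_SEED_B32, SHARED_SEED_B32, now))
    rotated = new_seed_b32()
    print("old seed still valid after rotation:",
          leaver_still_has_access(SHARED_SEED_B32, rotated, now))
```

Two points follow directly from the code. First, the seed is the only secret: the code itself is derived from it and the clock, so anyone holding the QR code or secret key can sign in for as long as the seed stays enrolled, which is why the key points above treat it like a password. Second, because the service accepts a small window of steps, a code read out over the phone to a colleague will often still work a minute later; firms using shared credentials should treat the codes, not just the seed, as sensitive.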
Check if MFA has been previously set up
Agents may have previously set up MFA on their agent accounts (ASA and OSA) if someone in the firm enabled MFA whilst using an HMRC service such as Making Tax Digital for VAT.
All agents need to check their access code settings to determine if MFA has been previously set up.
If existing access code options are out of date before MFA is activated users may be locked out of the account on the first day MFA is activated.
If MFA is not currently set up, the user can navigate to 'How you get your access codes' under 'your details' and 'password settings' and will see a screen which confirms whether or not any access codes have been previously set.
If MFA has been set up on the user’s account, they will see a list of existing options to receive an access code. There will also be a link to change those settings.
Changing how you receive your access codes
For the ASA, select ‘Manage account’ then ‘Manage your own sign in details’.
For the HMRC online services for agents account (OSA), from the home screen select ‘Your Account’ on the left hand side menu, then select ‘Change Details’ or ‘Change Password’ to access the Government Gateway settings screen.