someone holding a phone and using a laptop, with lock and unlocked padlock icons hovering above

HMRC confirm timetable for MFA rollout

8 June, 2026

Further to our articles published on 17 May and 23 March, HMRC have now confirmed the implementation timeline for the introduction of multi-factor authentication (MFA) to agent accounts.  The ATT and CIOT have updated their joint guide, Multi Factor Authentication – how can agents prepare?, to reflect HMRC’s implementation plans. 

Timelines

There will be three phases – two voluntary phases where agents can choose to have MFA switched on two dates over the summer and a final mandatory implementation phase, where HMRC will switch MFA on for all remaining agent accounts. 

Agents wishing to voluntarily opt in, will need to notify HMRC by completing a form which will be available in all accounts where MFA has not been switched on already from 10 June 2026. 

  • To have MFA activated on 15 July 2026, agents must submit a form to HMRC by midnight on 30 June 2026. 
  • To have MFA activated on 19 August 2026, agents must submit a form to HMRC by midnight on 31 July 2026. 

Between 28 September and 15 October 2026, MFA will be activated on all remaining agent accounts that do not already have it.  HMRC is unable to give a specific date within this period to agents who are part of this final group for activation. 

More information on the timeline and what it means if you have multiple agent accounts can be found within our guide. We are still seeking clarity on precisely how the opt in works for firms with multiple agent accounts. 

Use of shared credentials 

We are aware of member questions over the lack of ‘bulk allocation’ functionality when creating individual logins in Online Services Accounts (OSAs).  We continue to discuss this with HMRC, but our understanding is that bulk allocation functionality is not available currently. For those agents who wish to continue using shared credentials, please see the section on setting up and using an authenticator app for use on shared credentials in our MFA guide, which sets out how an authenticator app can be used to allow multiple employees to log in at the same time.