How to get ready for increased security on HMRC agent accounts

Further to our article published on 19 March, the ATT and CIOT have now released a new guide, Multi-Factor Authentication – how can agents prepare?, outlining the steps agents should take to prepare for the upcoming changes. 

Although HMRC has not yet confirmed the final implementation timetable, agents should be aware of the forthcoming changes to the direct login process for all HMRC online agent accounts and take prompt action to ensure they are ready.

What is MFA?

Multi-factor authentication (MFA) is an additional security measure which requires users accessing HMRC services to provide both their login credentials (username and password) and a separate access code.

The access code may be sent to a mobile phone or landline, or generated through an authenticator app. This approach is known as multi-factor authentication because it requires users to provide more than one form of verification to access their account.

MFA has already been introduced to the accounts used by individuals and organisations and will now be extended to those used by agents, including the Agent Services Account (ASA) and legacy HMRC Online Services Accounts (OSAs). 

When will it be introduced?

HMRC is expected to confirm the implementation timetable for MFA in early June.