HMRC To Introduce Multi Factor Authentication For Agents

HMRC's decision to introduce MFA reflects a broader strategy to mitigate cyber risks facing tax agents and their clients. The department confirmed that evolving online threats prompted a review of its digital security procedures, with MFA considered a critical step in reinforcing account protection.

MFA has already been adopted for individual and business users, and now extends to users acting on clients' behalf. The update forms part of HMRC's commitment to ensure the security of online tax submissions and agent interactions.

According to official guidance, the move is designed to protect both agents and their clients from unauthorised access and related fraud.

Timeline for implementation

From 7 April 2026, agents logging into HMRC online services will encounter a notification advising them of the upcoming MFA requirement.

HMRC is currently undergoing a live testing phase with a limited group of agents to evaluate functionality and user experience. Subject to successful trials, HMRC intends to roll out MFA to all agents by the end of June 2026.

Agents with recent security concerns or who have previously contacted HMRC regarding account suspensions may be invited to participate in early adoption of the scheme. This phased approach aims to identify and resolve any operational challenges before the full implementation.

Functionality of Multi-factor Authentication

Multi-factor Authentication is a security protocol that requires users to provide at least two independent forms of verification—commonly a password and a unique access code. For agent accounts, once MFA goes live, agents will need to enter their password along with a one-time access code.

Although HMRC has not yet specified the method for delivering these access codes, similar systems typically use text messages, email, or authentication applications for code generation.

MFA will apply exclusively to web sign-ins on GOV.UK; the change does not affect PAYE or Making Tax Digital for VAT systems at present.

Impact on agent account management

HMRC is advising firms to review their preparations for MFA, particularly around receiving and managing access codes. Agents and administrators should confirm that staff responsible for online tax submissions can securely receive verification codes.

Where multiple employees share an agent account, HMRC reportedly plans to allow access using a single code, though internal management processes and credential-sharing policies may need updating.

Firms are also encouraged to consider options for employees who do not use work-issued mobile phones or whose policies restrict receiving business communications on personal devices.

Implications for third-party software

Agents using automated sign-in processes or relying on third-party software may need to consult their providers to ensure ongoing compatibility with MFA.

HMRC has stated that software developers have already been notified about the upcoming changes, and users should confirm their systems will continue to function as required.

Preparing in advance will help avoid disruptions in service, particularly for firms with high-volume digital interaction with HMRC. Planning ahead is key to ensuring a smooth transition to MFA when it becomes mandatory.

Related regulatory requirements

Alongside the new authentication requirements, from May 2026 all tax advisers representing clients before HMRC will be required to register as agents. This registration process introduces additional administrative steps and compliance measures.

Advisers will need to meet specific conditions, and failure to register could result in restricted access or other penalties. Prospective and existing agents are encouraged to familiarise themselves with

HMRC's guidance on agent registration and to review the steps necessary for compliance in advance of the rule changes.