Multi-factor authentication is coming to HMRC agent accounts
Multi-factor authentication is to be introduced to the Agent Services Account and legacy online accounts, including self-assessment and corporation tax.
HMRC confirmed the introduction of multi-factor authentication in its agent update 141, published on 19 March 2026.
Currently, personal tax accounts and business tax accounts are accessed using both login credentials (username and password) and a security code. This code can be sent to a mobile phone or landline, or generated by a connected authenticator app. This is called multi-factor authentication (MFA).
Over the course of 2026 – with the exact timescale to be confirmed but an initial aim of the end of June – HMRC will extend MFA to agent online services. This will add a second step, asking for a security code when logging into your agent online accounts. It will apply to both the Agent Services Account and legacy online accounts. More information can be found in articles posted by CIOT and ATT.
HMRC briefly introduced MFA in 2017, but it had to be withdrawn because it was incompatible with the way that agents managed access to their HMRC accounts. Discussion of the use of MFA for agents came to the forefront again after the increase in unauthorised access attempts on agents’ HMRC online accounts.
In 2025, ATT and CIOT, along with other professional bodies, raised concerns and shared examples from members who were struggling to navigate agent account suspensions and, in some cases, dealing with the consequences of fraudulent filings. In response to this, HMRC set up the Digital Security Working Group, which CIOT and ATT attend.
ATT and CIOT, with the valuable help of their committee members, were involved in early discussions with HMRC on the potential re-introduction of MFA as an option to increase security on agents’ online accounts, particularly for those agents who did not have other forms of security technology or protections. Alongside our volunteers, we highlighted the complexities that come with introducing MFA for firms of different sizes, with varying levels of security technology and with differing practices around password sharing between employees.
Due to the complexities highlighted, and the importance of agents being able to access online accounts, HMRC have adopted a ‘test and learn’ approach. ATT, CIOT and other professional bodies have helped by recruiting a small number of volunteers to test the introduction of MFA within their firms. This phase is currently ongoing, but early feedback suggests it has been helpful in identifying complexities and nuances across different firms.
HMRC will soon be writing to agents who previously contacted them about a security concern or account suspension, inviting them to join the next phase of the test and learn, before wider rollout.
ATT and CIOT have also been involved in providing feedback on HMRC’s initial basic guidance and we have asked HMRC to provide more detail to allow members to prepare. We are currently exploring options for ATT, CIOT and other professional bodies to provide additional guidance for our members.
Lindsay Scott
Helen Thornley
