HMRC have updated their Tax Agent Handbook in anticipation of the introduction of Multi-Factor Authentication (MFA) when logging into Agent Accounts.
Agents currently signing in to HMRC's online services will see a new page explaining that Multi-Factor Authentication (MFA) is coming.
- MFA will add an extra step to the login process, whereby a one-time access code will be issued to strengthen online security for agents.
HMRC have released some guidance on how agents can prepare for the changes.
Set up individual accounts for each staff member
HMRC have advised that each member of staff should have their own individual credentials for logging in. The Agent Services Account (ASA) and the Online Services Account (OSA) use different methods for adding individual sign-in credentials.
- The ASA allows the creation of access groups to control which clients staff members can view and manage.
- The OSA requires accessing each client record and manually assigning it to staff members.
This process will create an administration burden for firms of all sizes. It is not clear if setting up individual login details is a requirement or a recommendation at this point.
Set up at least two administrators
HMRC recommend that at least two administrators are set up to:
- Allow agents to manage any required resets internally.
- Avoid the need to contact HMRC for routine access issues.
- Maintain continuity if an administrator is unavailable.
Remove accounts no longer needed
To avoid the risk of unauthorised access, HMRC advise that access should be removed for staff who have left the business.
- Guidance on removing and adding staff can be found here.
Consider how access codes will be received
HMRC recommends that the agreed method of receiving codes is communicated to all employees.
There are three ways to get an access code:
- Authenticator app.
- Works on a phone, tablet or computer.
- A mobile signal is not needed.
- Codes can be provided offline.
- Text message.
- Each code lasts 15 minutes.
- A mobile signal is needed.
- Voice call.
HMRC recommends using the authenticator app first, with one additional backup method.
Choosing the 'remember me' option allows you to sign in on the same device for seven days without having to re-enter a code.
Check and update existing settings
Some accounts may already have MFA set up. HMRC recommend checking for this and confirming that any MFA options are still current.
- Administrators can remove existing options, but cannot set new MFA options on behalf of other staff.
Setting up the MFA options
Once the administrator has activated MFA, each user will be prompted to set up their own MFA options when they first sign in.
- HMRC recommends coordinating this across the team.
Once activated:
- If they already have an account, the user will be asked to type in their access code on a new screen when they log in.
- If they are creating a new account, the user will be asked to set up MFA.
Use of third-party software
The introduction of MFA may affect any automated processes or third-party software used to manage logins. This should be checked with the software provider.
Useful guides on this topic
HMRC introducing Multi-Factor Authentication for agents
HMRC have confirmed that they will introduce Multi-Factor Authentication (MFA) for agent accounts as part of their efforts to combat the continued and evolving threat to online security.
Mandatory tax adviser registration with HMRC
From May 2026, all tax advisers who interact with HMRC on behalf of clients will be required to register with them. Who will be required to register? What conditions must be met? What are the consequences of non-compliance with 'mandatory tax adviser registration'?
Setting up as a tax agent
What do you need to consider when setting up as a tax agent? What are the steps? How do you register with HMRC?
External link