Ahead of the roll-out of multi-factor authentication (MFA) for agents, which we wrote about in March, HMRC has now published updated guidance on this in its Tax Agent's Handbook. The updated guidance explains the actions agents should take now to prepare. HMRC is aiming to roll out MFA for agents from June 2026; confirmation of the official launch date is expected later this week. In the meantime, HMRC has asked us to share details of the actions it recommends agents take to ensure they have no interruption to being able to access their HMRC agent accounts in order to service their clients.
HMRC continues to test MFA for agents and will be publishing more information in its guidance ahead of roll-out. Once launched, MFA will ne required for all agent accounts. This is being implemented as it adds an additional step to the sign-in process for agents and helps to protect agent accounts from security breaches, unauthorised access, and HMRC having to suspend access as a result.
At present, agents simply input their Government Gateway ID and password to access their Agent Services Account (ASA) or Online Services Account (OSA). Once MFA is introduced, the agent will also need to enter a one-time access code.
HMRC’s recommendations to help agents prepare are as follows:
- Step one: consider having multiple administrators in your practice.
The person who creates the firm’s ASA and/or OSA will be automatically set up as an administrator. Administrators can perform additional tasks compared to standard users, for example, they can add or remove users. HMRC has published guidance for firms on how to set up administrators and users for agent accounts.
HMRC recommends that firms with multiple staff members have at least two administrators. Potential benefits from this include allowing the firm to maintain continuity if an administrator is unavailable. The Institute recommends that larger firms may need to consider appointing more than two administrators.
- Step two: create accounts for staff members,
HMRC recommends that each member of staff who requires access to the firm’s ASA or OSA should have their own individual sign-in credentials. Administrators can add new users by following HMRC’s guidance.
Note that creating new users is different for ASAs and OSAs. For OSAs, the administrator must go into each client record and allocate that client to a user or users which will be a significant task for practices which do not currently use individual accounts for staff members.
HMRC has recently published a recorded webinar on creating and managing access groups in the ASA (this process is currently in private beta). Creating access groups allows firms to control which clients staff members are able to view and manage in the ASA.
HMRC also recommends that firms remove access when it is no longer required, for example, when a staff member leaves the firm or no longer works on that client.
- Step three: investigate how access codes will be received.
Access codes can be obtained through an authenticator app, a text message, or a voice call. HMRC recommends that firms use an authenticator app as the primary method and set up an additional method as a back-up. The ‘Remember me’ function will also be able to be used to sign in to an account from the same device, using the same browser, without the need to input an access code for seven days.
- Step four: review existing MFA options.
An existing MFA option may already be set up on the account. If this is the case, when MFA is rolled out, access codes will be sent to the contact details that were saved at the time that option was set up. HMRC recommends that firms ensure that any existing MFA options are correct. The Institute recommends that practices should ensure they still have these contact details .Although administrators can remove the MFA options for users, they cannot set up new MFA options on behalf of users.
The user can set up their MFA options:
- in advance of MFA being activated, or
- when prompted to do so when they first access the account after MFA has been activated.
- users will also have the opportunity to re-set up their MFA options if an administrator removes their security preferences.
- Step five: contact software providers.
HMRC recommends that agents who use automated processes or third-party software to manage their sign-in journey make contact with their software provider to check whether any adjustments are needed to this process. HMRC has advised that software developers have been notified of the roll-out of MFA to allow time for any necessary changes.
LOADING...