Strategy, Legal & Operations

HMRC multifactor authentication for agents: What it means for your practice and how to prepare

The extra security that MFA provides is coming to HMRC’s ASA and OSA agent accounts. It’s a huge change—and practices need to get onboard now.

A man entering an MFA code in an office
Published 7 min read

Key Takeaways

  • Multifactor authentication (MFA) is being added to all HMRC agent accounts during 2026.
  • Early opt-in activation is possible, or you can wait until it’s switched on for all accounts in later 2026.
  • Web sign-in for your agent services account (ASA) and online services account (OSA) are affected, but not things like sign-in for MTD for Income Tax and VAT submissions made through software.

Security is never far from the mind of accountants and bookkeepers, and HMRC has recently announced some interesting news: it’s adding multifactor authentication (MFA) to all agent accounts before the end of 2026.

MFA is a simple, well-established way to keep your practice and your clients’ information safer, and it’s the same kind of protection you almost certainly already rely on across plenty of other online services.

Here’s everything you need to know: the dates, the decisions, and a short checklist to get your practice ready:

What is multifactor authentication for agents?

If you already use multifactor authentication every day, feel free to skip ahead—but here’s a quick recap in case it’s handy.

Multifactor authentication, or MFA, simply adds an additional step to prove who you are when you log in.

As well as your username and password, you confirm it’s really you with a one-time access code—usually generated by an app on your phone, or sent to you by text message or voice call.

It’s the same extra layer you’ll recognise from online banking, and it’s already in place on the personal and business tax accounts that individuals and businesses use to access HMRC services, like the HMRC app.

Considering accessing agent service account (ASA) and online service account (OSA) records effectively open the door to your clients’ tax records, they’re a natural target for fraud—and the addition of MFA could be said to be overdue.

Nonetheless, adding this second step ASAP makes it much harder for anyone else to get in, keeping both your practice and your clients’ data better protected. In short: a small change at the login screen, and a big gain in security.

When is MFA being switched on and how do I get it?

This is the interesting part. MFA is arriving in three stages during 2026, and you can choose the timing that suits your practice best.

There are two early “opt-in” dates over the summer, plus a final stage where MFA is switched on automatically:

  • Apply by midnight on 30 June 2026 to have MFA activated on 15 July 2026.
  • Apply by midnight on 31 July 2026 to have MFA activated on 19 August 2026.
  • If you don’t pick an early date, MFA will be switched on automatically between 28 September and 15 October 2026.

To choose an early date, you complete a short form that appears when you sign in to your agent services account (ASA) or online services account (OSA) from 10 June 2026.

It works best when handled centrally by whoever manages your firm’s agent accounts, so it’s worth letting colleagues know to leave the form to them.

The opt-in is based on your Government Gateway identifier.

If your firm has more than one—for example, if you’ve grown through mergers and picked up additional agent accounts along the way—you can choose which ones to activate and when, and even stagger them across the two summer dates.

Should you opt in early or wait?

Opting in early gives you certainty. You’ll know exactly when MFA is coming, so you can prepare your team and pick a date that works around your busy periods.

It also means the right person is in the driving seat. The first time anyone signs in after MFA is switched on, they’ll set up the extra step—so it makes sense for that to be the person who looks after your agent accounts, on a day you’ve planned for, rather than a quiet morning when someone else happens to log in first.

Preferring to wait for the automatic stage is completely fine too. You’ll just want to make sure everyone who uses the accounts is ready before late September, since the exact day within the final window isn’t fixed. Either way, a short window of preparation is the key to a smooth switch.

Deciding how your team will log in

You have two options here, and both work seamlessly with MFA. But care needs to be taken.

The first is individual logins for each member of staff. This is HMRC’s recommended approach and it’s especially tidy for managing access: everyone has their own credentials, and you can simply remove a person’s access when they leave.

Individual accounts are challenging in the case of OSAs, however, because individual clients need to be assigned to each account. This requirement isn’t present with ASA accounts.

Therefore, a second option might seem better as a short-term option—to keep shared logins and use an authenticator app, especially where OSA client allocation makes individual access difficult.

But there can be little doubt that firms should consider individual access the cleaner, long-term model where it is practical.

Choosing how you receive your access codes

Once MFA is on, you’ll enter a one-time access code alongside your usual Government Gateway details. You can receive that code in one of three ways: by text message, by voice call, or through an authenticator app.

HMRC recommends using an authenticator app as your main method, with at least one backup set up as well. You can have a primary method plus up to two backups.

Adding a backup is a small step that’s well worth taking, so you always have a way to sign in even if your main device isn’t to hand. But bear in mind that any MFA attached to a phone number increases risk, because it’s possible for hackers to socially engineer mobile companies into transferring phone numbers and therefore get access to the MFA codes.

A quick checklist to get your practice ready for MFA

A few minutes of preparation now is all it takes. Here’s a simple checklist to work through:

  1. Check your contact details. Make sure the phone numbers and details on your accounts are current, so your access codes always reach the right place. It’s also worth checking whether an MFA option was set up on an account some time ago.
  2. Confirm who’s in charge. Decide who manages your firm’s agent account access, and make sure they’re the one to complete the opt-in form.
  3. List your Government Gateway identifiers. If your firm has more than one agent account, gather your identifiers in one place before you opt in.
  4. Choose your login approach and code method. Decide between individual or shared logins, and pick how you’ll receive your access codes.
  5. Brief your team. Let everyone know what’s changing and when, so the switch is no surprise.

Final thoughts

Multifactor authentication is a welcome, straightforward upgrade to the security around your clients’ data—and getting ready for it really is quick.

Decide whether you’d like an early date or prefer to wait, get your contact details and logins in order, and let your team know what to expect.

Do that, and switch-on day will pass without a hitch, leaving your practice better protected than ever.

Frequently asked questions

When is HMRC introducing multifactor authentication for agents?

MFA is being rolled out to all HMRC agent accounts during 2026. You can opt in for an early activation date of 15 July (by applying by 30 June) or 19 August (by applying by 31 July). If you don’t choose an early date, MFA will be switched on automatically between 28 September and 15 October 2026.

What happens if I don’t opt in for MFA for agents?

Nothing to worry about—MFA will simply be switched on for your accounts automatically at some point between 28 September and 15 October 2026. The only difference is that you won’t have a fixed date in advance, so it’s a good idea to make sure everyone who uses the accounts is ready to set up the extra step before late September.

Can I keep using shared logins for my HMRC agent account?

Yes, but it’s not the best approach. Individual logins for each staff member are HMRC’s recommended approach, although there’s no prohibition on keeping shared logins and using an authenticator app if that’s best for your practice at the moment. It still gives you the full benefit of MFA, and you can move to individual logins later when the timing is correct for you.

Will MFA affect my Making Tax Digital for Income Tax or VAT submissions?

No. The change applies to web sign-in for your agent services account and online services account on GOV.UK. It doesn’t affect Making Tax Digital for Income Tax or VAT submissions you make through software, so your day-to-day filing workflow carries on as normal.

What is the Government Gateway identifier and where do I find it?

It’s the reference linked to your agent account, and it’s what the opt-in form uses to switch MFA on. It’s different from the agent codes you might use on authorisation forms. The opt-in form includes instructions for finding it, and if your firm has more than one agent account it’s worth gathering all your identifiers in one place before you apply.

Explore Sage trust and security

Trust is the foundation of good security and our customer relations. Learn how we safeguard your security, value your privacy, and uphold the highest standards of data ethics.

Learn more
A man in an office exploring the Sage trust and security hub

Browse more topics from this article