Key Takeaways
- Multifactor Authentication (MFA) added to all HMRC agent accounts during 2026.
- Early check-in is possibleor you can wait until it opens for all accounts later in 2026.
- Web login for your online services account (ASA) and online services account (OSA) are affected, but not things like MTD login for Income Tax and VAT submissions done via software.
Security is never far from the thoughts of accountants and bookkeepers, and HMRC has recently announced exciting news: it is adding multifactor authentication (MFA) to all agent accounts before the end of 2026.
MFA is a simple, well-established way to keep your transactions and your customers’ information safe, and it’s the same type of protection you probably already rely on for every other online service.
Here’s everything you need to know: dates, resolutions, and a short checklist to prepare for your practice:
What is multifactor authentication for agents?
If you already use multifactor authentication on a daily basis, feel free to skip ahead—but here’s a quick recap just in case.
Multifactor authentication, or MFA, simply adds an extra step to prove your identity when you sign in.
Along with your username and password, you confirm that you are the one with the one-time access code—usually generated by an app on your phone, or sent to you via text message or voice call.
It’s the same extra layer you’ll see in online banking, and it already exists in the personal and business tax accounts that individuals and businesses use to access HMRC services, such as the HMRC app.
Considering access to account service agent (ASA) and online service account (OSA) records effectively open the door to your clients’ tax records, they are natural targets for fraud—and the addition of MFA may be overdue.
However, adding this second step ASAP makes it more difficult for anyone else to break in, keeping both your practice and your clients’ data more secure. In short: a small change to the login screen, and a big gain in security.
When does the MFA open and how do I get it?
This is the interesting part. The MFA comes in three phases through 2026, and you can choose the period that best suits your practice.
There are two early “check-in” dates in the summer, and a final phase where the MFA is automatically opened:
- Apply by midnight on 30 June 2026 to open an MFA 15 July 2026.
- Apply by midnight on 31 July 2026 to open an MFA 19 August 2026.
- If you do not select an earlier date, the MFA will be automatically activated in between 28 September and 15 October 2026.
To choose an earlier date, you fill in the short form that appears when you log in to your agent services account (ASA) or online services account (OSA) from 10 June 2026.
It works best if it’s handled by whoever manages your company’s agent accounts, so it’s worth letting your colleagues know to leave the form for them.
The login option is based on your Government Gateway identifier.
If your company has more than one—for example, if you’ve grown through mergers and picked up more agent accounts along the way—you can choose which ones to open and when, and even interrupt them during the summer fortnight.
Should you choose to check in early or wait?
Choosing to check in early gives you a guarantee. You will know exactly when the MFA is coming up, so you can prepare your group and choose a date that works around your busy schedule.
It also means that the right person is in the driving seat. The first time anyone signs in after an MFA is opened, they’ll set up an extra step—so it makes sense to have that person handle your agent’s accounts, on the day you plan, rather than on a quiet morning when someone else signs in first.
Choosing to wait for the default stage is also fine. You’ll want to make sure everyone’s accounts are ready before the end of September, as the exact date of the closing window has not been fixed. Either way, a short preparation window is key to a smooth transition.
Deciding how your team will fit in
You have two options here, and both work seamlessly with MFA. But it should be noted.
First is the individual entry of each member of staff. This is HMRC’s recommended approach and is particularly neat for access control: everyone has their own qualifications, and you can simply remove someone’s access when they leave.
Individual accounts are a challenge in the case of OSAs, however, because individual clients need to be assigned to each account. This requirement does not apply to ASA accounts.
Therefore, the second option may seem better as a temporary option—maintaining shared logins and using an authentication application, especially when OSA client sharing makes individual access difficult.
But there can be little doubt that firms should consider individual access to a clean, long-term model where it works.
Choosing how to get your access codes
Once MFA is activated, you’ll enter a one-time access code next to your regular Government Gateway credentials. You can get that code in three ways: via text message, voice call, or through an authentication app.
HMRC recommends using an authentication app as your primary method, with one backup copy set up as well. You can have a primary path and up to two backups.
Adding a backup is a small step to take, so you always have a way to log in even if your primary device is gone. But remember that any MFA attached to a phone number increases the risk, because it is possible for criminals to have social engineers mobile phone companies transfer phone numbers and gain access to MFA codes.
A quick checklist for preparing for your MFA practice
A few minutes of preparation is now all that is required. Here’s a simple checklist to work with:
- Check your contact information. Make sure your phone numbers and account details are up-to-date, so your access codes always arrive in the right place. It is also worth checking that the MFA option was established on the account some time ago.
- Make sure who is in charge. Decide who has access to your company’s agent account, and make sure they are the ones to fill out the login form.
- List your Government Gateway identifiers. If your company has more than one agent account, collect your credentials in one place before you opt-in.
- Choose your login method and code method. Decide between individual or shared login, and choose how to get your access codes.
- Briefly your team. Let everyone know what’s changing and when, so the change isn’t a surprise.
Final thoughts
Multifactor authentication is a welcome, straightforward improvement to the security of your customers’ data—and it’s really quick to set up.
Decide if you’d like an early date or prefer to wait, get your contact information and login, and let your team know what to expect.
Do that, and changeover day will go off without a hitch, leaving your practice better protected than ever.
Frequently Asked Questions
MFA is being rolled out to all HMRC agent accounts by 2026. You can choose to opt-in for an early access date of 15 July (by applying by 30 June) or 19 August (by applying by 31 July). If you do not select an earlier date, the MFA will automatically open between 28 September and 15 October 2026.
There’s nothing to worry about—MFA will simply be activated for your accounts automatically sometime between 28 September and 15 October 2026. The only difference is that you won’t have a pre-set date, so it’s a good idea to make sure everyone using the accounts is ready to set up the extra step before the end of September.
Yes, but it’s not the best way. Individual login for each employee is HMRC’s recommended approach, although there is no restriction on maintaining a shared login and using an authentication app if that is convenient for you at the moment. It still gives you the full benefit of MFA, and you can move to individual entry later when the time is right.
No. The change applies to the web login for your agent services account and online services account on GOV.UK. It does not affect the Digitization of Income Tax or VAT submissions that you do with the software, so your daily filing workflow can continue as usual.
It’s the reference linked to your agent account, and that’s what the login form uses to activate MFA. It is different from the agent codes that you can use on authorization forms. The login form includes instructions on how to get it, and if your company has more than one agent account it’s worth gathering all your credentials in one place before applying.
Check the reliability and safety of Sage
Trust is the foundation of good security and our customer relationships. Learn how we protect your security, value your privacy, and maintain the highest standards of data ethics.
Read more