HMRC will activate multi-factor authentication on tax agents’ accounts between 28 September and 15 October 2026 unless agents choose an earlier activation date, giving accountancy practices a defined timetable to prepare access controls and staff processes.
The rollout applies to agent services accounts and online services accounts. Once multi-factor authentication, or MFA, is activated, agents will enter their Government Gateway ID and password and then provide a one-time access code.
ICAEW said agents will be able to use an authenticator app or receive the code by text message or voice call. HMRC has already activated MFA on some agent accounts as part of a test-and-learn exercise and will now extend the requirement across the remaining population.
Agents that want to activate MFA earlier can complete an online form through their agent services account or online services account. Requests submitted by 30 June 2026 will lead to activation on 15 July 2026. Requests submitted by 31 July 2026 will lead to activation on 19 August 2026. Any account not activated early will be included in the final activation window from 28 September to 15 October.
The timetable creates an immediate operational task for accountancy practices. Firms with multiple agent IDs, inherited accounts from acquired practices, shared logins, distributed teams, or outsourced support arrangements will need to map access before selecting an activation date.
Staff should be warned not to complete the opt-in form individually, so the process can be handled centrally by the person responsible for managing access. Fragmented activation could create confusion across teams serving live client deadlines.
The change reflects a wider tightening of security around tax and corporate reporting systems. Agent accounts contain sensitive client information, and compromised access can create serious risks around tax filings, repayments, identity misuse, and fraud. MFA is now a baseline control across much of digital business infrastructure, but implementation still creates friction where legacy access practices are informal.
Practices are already handling heavier digital compliance demands, including Making Tax Digital preparations, Companies House reform, and increased scrutiny of company reporting. Companies House has set a 2028 accounts filing shift, while HMRC is also consulting on closer reporting of director loans and payments to participators.
The MFA rollout is an IT security change with direct consequences for service continuity. If access is disrupted during deadline periods, firms may struggle to file returns, respond to HMRC, check client records, or complete authorisation tasks. Practices need to test authentication routes, define backup processes, and make sure key staff understand the new login flow.
Firms should also review whether existing account access is appropriate. MFA can expose weak internal controls, including shared credentials, accounts linked to former employees, unclear ownership of agent IDs, and insufficient records of who can access which client services.
Hybrid and remote working add further complexity. Staff using different devices, locations, and phone numbers will need reliable authentication methods. Practices that rely on a single mobile device or a small number of administrative users may create bottlenecks unless they plan alternative access routes.
Client communication will be important where implementation affects service timing. Although MFA sits between agents and HMRC, delays in access could still affect client deadlines. Practices may need to reassure clients that the change is being managed and that authorisation, filing, and correspondence processes remain under control.
Digital tax administration depends on governance as well as software. Agents now have dates, choices, and a final activation window. The firms that use the timetable to clean up access, train staff, and document controls will reduce the risk of a security upgrade becoming a service disruption.
You must be logged in to post a comment.