Insights
Back to All Articles

Implications of Using Multi-Factor Authentication to Access your CRA Accounts

Tuesday July 20, 2021

When logging in to your CRA My Account or My Business Account, you will notice a request to provide a cell phone or landline number for the purpose of multi-factor authentication. This new process is a security step being rolled out by the CRA to help prevent unauthorized users from accessing your account. Participating in multi-factor authentication is not currently mandatory, but the voluntarily nature of the program isn’t obvious.

Unfortunately, many individuals and businesses are signing up without fully understanding the implications of enrolment, or taking the necessary steps to ensure headache-free access to their accounts moving forward.

Note: once you elect to opt-in to multi-factor authentication, you can only opt-out by calling the CRA directly. There is no online method available to opt-out if you change your mind.

Be thoughtful about the phone number you provide for multi-factor authentication
Multi-factor authentication with the CRA requires that a single-use passcode be entered every time you attempt to log in to your account. These passcodes are sent as either a text or automated message (there is an option to select) to the phone number provided on sign-up.

If you elect to opt in to multi-factor authentication, it is important to provide a phone number that is assigned to a phone solely (and easily) accessible to the person setting up the account, as the passcodes will be specifically associated with (and necessary for) that person’s login. For example, if you provide the phone number of your main business line, whoever picks up the phone may think the automated message is a spam call or prank call and hang up. Not only can it be frustrating if the assigned phone number is not fully accessible to the person needing to access the account, it may also result in an account lock-out. A client of ours recently experienced difficulty retrieving a multi-factor authentication passcode that was sent to their business land line. As a result, after several unsuccessful log in attempts, they became locked out of their CRA business account.

Regardless of whether or not you choose to opt-in to multi-factor authentication, you need to formally authorize any representative that requires access to your CRA accounts, whether that person is your accountant, bookkeeper, lawyer, family member, friend, etc.  Each person must be authorized with their own login credentials.

Make sure your representatives are registered with the CRA and have their own separate login credentials.
Giving any unauthorized person access to your CRA account login details is considered a violation of CRA guidelines. In the case or the aforementioned client, when they contacted the CRA to have their account unlocked, they mentioned that it was their bookkeeper (who was not registered with the CRA as an authorized representative) trying to access the account using their login details. Consequently, not only would the CRA representative not unlock the account, our client was actually locked out for several additional days as they waited for a CRA Resource Officer to follow up with them to resolve the issue.

The bottom line is that the CRA can and will lock you out of your online account(s) if they discover you have shared your login credentials with anyone for any purpose. More than just a compliance issue, it is a security issue, and for this reason we recommend that you ensure anyone who requires access to your CRA account(s) be formally registered with the CRA—as this limits the personal details they are able to access and modify.

NOTE: Your accountant or other representative may already be registered as an authorized representative on your account. To confirm all current authorized representatives, click on ‘Profile’ and then ‘Manage Authorized Representatives’ on your CRA My Account or My Business Account overview page.

The fastest way to authorize a new representative is to log in to your CRA account and use the ‘Authorize New Representative(s)’ function. This is a straightforward process and will provide your representative with immediate access to your CRA account.

Other methods to authorize a representative – although not as fast – are:

  • your representative can submit an authorization request via EFILE
  • your representative can submit a business authorization request in Represent a Client
  • you or your representative can fill out and mail a form to the CRA

S+C Partners is committed to helping you
Need help? Our dedicated team is here to support you. Please call us at 905-821-9215 or email us at info@scpllp.com if you have any questions or require any assistance.