Compliance
Mandatory Backup MFA & Digital Security Changes at CRA: What You Need to Know
New rules on CRA account security are changing how you sign in—backup multi-factor authentication is now required. Here's how this impacts your tax compliance and digital safety.
By NomadicTax Research Team • 5-8 min read • March 27, 2026
## What’s New
- The **Canada Revenue Agency (CRA)** is introducing a requirement for **backup multi-factor authentication (MFA)** for CRA account users who don’t already have one. ([canada.ca](https://www.canada.ca/en/revenue-agency/news/newsroom/tax-tips/tax-tips-2026/cra-account-users-encouraged-add-backup-multi-factor-authentication-option.html?utm_source=openai))
- Users can select among options such as a **third-party authenticator app**, a **passcode grid**, or hold off setting it up until later—but during tax season, they will be prompted. ([canada.ca](https://www.canada.ca/en/revenue-agency/news/newsroom/tax-tips/tax-tips-2026/cra-account-users-encouraged-add-backup-multi-factor-authentication-option.html?utm_source=openai))
- This measure is part of the CRA’s larger plan to enhance **account security**, reduce lockouts, lower call volumes, and protect sensitive tax and benefits information. ([canada.ca](https://www.canada.ca/en/revenue-agency/corporate/about-canada-revenue-agency-cra/departmental-plan/2026-27-cra-departmental-plan.html?utm_source=openai))
## Who Needs to Act & Why
- **Individuals and businesses** using CRA online sign-in services—My Account, My Business Account, or Represent a Client—are covered. If you don’t have backup MFA already, you’ll be asked to add it.
- **Authorized representatives/tax preparers** using Represent a Client must also ensure their clients’ accounts are secure to continue accessing services.
- **Seasonal filers** or those who infrequently access CRA accounts should set backup methods now, to avoid issues during peak tax-filing periods.
## How to Set It Up (Action Steps)
1. Log into your CRA account (My Account, My Business Account, or other).
2. Navigate to **Security Settings > Multi-Factor Authentication**.
3. Enrol your existing MFA method if you have one; then add a second, backup method:
- **Authenticator app** – generates one-time codes on your device.
- **Passcode grid** – printable grid of codes used when required.
- **Phone** – receive SMS or an automated call with code.
4. Use test sign-in to ensure the backup method works (especially if you change phone numbers).
## Implications for Compliance
- Without backup MFA, account lockouts could happen more often, particularly if primary MFA device is lost or unavailable. Being locked out can delay access to notices, assessments, or filing situations—potentially causing late-filing penalties.
- Tax representatives must ensure clients are set up properly before the filing season starts—missing this can affect trust access, document submission, etc.
- Misplaced or lost MFA options affect identity verification: CRA also has a document verification service to regain access. Keep IDs handy.
## Best Practices & Tips
- Enrol **two MFA methods now**, not just when prompted, so you have fallback.
- Keep your contact information (phone number, email) **current** with CRA. If you lose access to your phone, other backup options become essential.
- Print and securely store your passcode grid; if your authenticator app fails or your phone is unavailable, this becomes your lifeline.
## Example
Jane is an individual taxpayer who currently uses authenticator app as her only MFA method. In August 2025, when her phone is stolen, she cannot sign in and cannot complete her benefit application. If she’d set up a passcode grid backup earlier, she'd avoid lockout.
**Bottom line**: Setting up backup MFA is now a small but essential step in digital tax compliance. Do it early to avoid problems during the rush of tax season—and stay secure.