HMRC Begins Testing Multi-Factor Authentication for Agents

HMRC has started testing multi-factor authentication (MFA) as part of its ongoing efforts to strengthen security across its digital services. The new system is currently being trialled with a small group of volunteer agents before a wider rollout planned by the end of June 2026.

The purpose of this testing phase is straightforward — to identify any usability issues, technical problems, and overall user experience challenges before MFA becomes mandatory. By working with real agents in live conditions, HMRC can fine-tune the process and avoid disruptions when the system is rolled out to everyone.

A key change will take place from 7 April 2026, when HMRC introduces a new page within the agent sign-in journey. This page is designed to raise awareness about MFA and prepare users for the upcoming changes. Instead of suddenly enforcing the new system, HMRC is taking a gradual approach to ensure agents understand what’s coming and how it will affect them.

Once fully implemented, MFA will require agents to verify their identity using more than just a password. This could include a one-time code sent to a mobile device or generated through an authentication app. While this adds an extra step to the login process, it significantly reduces the risk of unauthorized access and fraud.

The reality is simple — passwords alone are no longer secure enough. As cyber threats continue to evolve, adding an extra layer of protection is becoming standard across all major platforms, especially where sensitive financial data is involved.

For agents, this change means a slight adjustment in how they access HMRC systems, but it also brings a major improvement in security. Those who prepare early and familiarize themselves with MFA will avoid potential login issues once the rollout becomes mandatory.

HMRC’s approach is cautious but necessary — test first, educate users, and then enforce.