
HMRC Is Introducing Multi-Factor Authentication for Government Gateway Accounts: What Businesses and Accountants Need to Know

HMRC is rolling out Multi-Factor Authentication (MFA) for Government Gateway accounts throughout 2026, with agent accounts expected to begin receiving MFA requirements from June onwards. The change is designed to strengthen account security and better protect sensitive taxpayer information from cyber threats and unauthorised access.

While the additional security is welcome, many businesses and accountancy firms are now asking the same question:

How do we manage one-time passcodes when multiple people need access to the same HMRC account?

This is particularly challenging for firms using shared Agent Services Accounts (ASA) and legacy agent accounts, where MFA codes are often sent to a single mobile device or individual.

In this article, we'll explain what is changing, who is affected, and how My1Login helps organisations securely manage MFA and one-time passwords for HMRC Government Gateway accounts.

What Is HMRC MFA?

Multi-Factor Authentication (MFA) adds an additional security step when signing into an account.

Instead of simply entering a Government Gateway username and password, users must also provide a one-time access code generated by an authenticator app or sent to a registered device.

Even if a password is compromised, MFA helps prevent unauthorised access because attackers would also need access to the second authentication factor.

HMRC has confirmed that MFA is being introduced to agent accounts following testing with accounting firms and professional bodies, with wider rollout expected during 2026.

Which Government Gateway Accounts Are Affected?

There are four common types of HMRC online accounts:

Individual Accounts

Used by taxpayers accessing personal services such as Self Assessment and personal tax information.

Business Accounts

Used by organisations to manage PAYE, VAT, Corporation Tax and other business tax obligations.

Agent Services Accounts (ASA)

Used by accountancy firms and tax advisers to access modern HMRC services and manage client authorisations.

Legacy Agent Accounts

Older agent accounts that many accounting firms still use to access certain HMRC services.

HMRC has confirmed that MFA will apply to both Agent Services Accounts and legacy agent accounts.

The Challenge for Accountancy Firms

For individual users, MFA is relatively straightforward.

For accountancy firms, however, things become much more complicated.

Many practices have:

  • Shared HMRC accounts
  • Multiple staff requiring access
  • Remote and hybrid workers
  • Teams working across different offices
  • Separate departments accessing the same HMRC services

When MFA codes are sent to a single mobile phone, firms can quickly encounter operational issues:

  • Staff cannot log in without contacting the phone owner
  • Authentication becomes dependent on one individual
  • Productivity suffers when teams are waiting for access codes
  • Firms resort to insecure workarounds such as sharing phones or forwarding screenshots of codes

As HMRC rolls out MFA across agent accounts, these challenges are likely to become increasingly common.

Why Shared MFA Is Becoming a Security and Compliance Issue

The introduction of MFA is intended to improve security.

However, if organisations respond by sharing authentication devices or distributing codes through email and messaging apps, they can inadvertently create new security risks.

Many firms currently have limited visibility of:

  • Who is accessing Government Gateway accounts
  • How authentication codes are being shared
  • Which staff members have access
  • Whether access is still appropriate when employees change roles or leave the organisation

For firms handling sensitive client tax information, stronger access controls are becoming increasingly important.

How My1Login Helps

My1Login enables organisations to securely manage access to Government Gateway accounts without sharing passwords or relying on a single employee's mobile device.

Automate One-Time Password Generation

My1Login can securely generate and manage Time-based One-Time Passwords (TOTPs), allowing authorised users to complete MFA without needing access to a shared mobile phone.

This is particularly valuable for:

  • Agent Services Accounts (ASA)
  • Shared HMRC accounts
  • Finance teams
  • Accountancy practices
  • Tax advisory firms

Instead of waiting for somebody to provide a code, authorised users can securely access the required authentication code when needed.

Secure Shared Account Management

My1Login enables organisations to provide access to shared Government Gateway accounts while maintaining security and accountability.

This removes the need to:

  • Share passwords
  • Share mobile devices
  • Store credentials in spreadsheets
  • Send MFA codes through email or messaging applications

Improve Auditability

Administrators can maintain greater visibility and control over access to critical HMRC accounts.

This helps organisations:

  • Manage user permissions
  • Remove access when staff leave
  • Support compliance requirements
  • Reduce reliance on individual account owners
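
To illustrate the two ideas above, central one-time password generation and auditable access to a shared account, here is an added example (not My1Login's code and not part of the original article). It implements RFC 6238 code generation behind a per-user authorisation check with an audit trail; the SharedTotpBroker class, the user names and the account label are hypothetical, and the seed is the published RFC 6238 test value.

```python
import hashlib
import hmac
import struct
import time


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SharedTotpBroker:
    """Holds one shared account's seed; staff receive codes, never the seed."""

    def __init__(self, account, secret, authorised):
        self.account = account
        self._secret = secret
        self.authorised = set(authorised)
        self.audit_log = []  # every request is recorded, granted or not

    def revoke(self, user):
        """Remove a leaver's access without re-enrolling the account's MFA."""
        self.authorised.discard(user)

    def request_code(self, user, now=None):
        now = time.time() if now is None else now
        granted = user in self.authorised
        self.audit_log.append({"time": int(now), "user": user,
                               "account": self.account, "granted": granted})
        if not granted:
            raise PermissionError(f"{user} is not authorised for {self.account}")
        return totp(self._secret, now)


if __name__ == "__main__":
    # Constructed sample data: RFC 6238 test seed, made-up users and account.
    broker = SharedTotpBroker("ASA-EXAMPLE", b"12345678901234567890",
                              {"alice", "bob"})
    print(broker.request_code("alice", now=59))
    broker.revoke("bob")
    try:
        broker.request_code("bob", now=60)
    except PermissionError as exc:
        print("denied:", exc)
    print(broker.audit_log)
```
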

Preparing for HMRC's MFA Rollout

HMRC has encouraged agents to prepare for MFA before the wider rollout begins. Professional bodies have also advised firms to review how they manage access to online agent services and MFA codes.

Organisations should consider:

  • Which Government Gateway accounts are shared
  • How MFA codes will be managed
  • Whether access depends on specific individuals
  • How remote workers will authenticate
  • Whether current processes are secure and scalable

The sooner firms address these questions, the smoother the transition will be when MFA becomes mandatory.

Future-Proofing HMRC Access

HMRC's introduction of MFA is a positive step for protecting taxpayer and client information.

However, for accountancy firms and organisations that rely on shared Government Gateway accounts, the rollout highlights a wider challenge: securely managing access to business-critical systems without creating operational bottlenecks.

My1Login helps organisations overcome these challenges by securely managing credentials, automating one-time password generation, and providing controlled access to shared HMRC accounts.

As MFA becomes standard across HMRC services, organisations that modernise their access management processes now will be better positioned to maintain security, compliance and productivity.

Find out more about the government's plan to introduce MFA here.
