CRA to Mandate Backup Multi-Factor Authentication for Online Accounts by February 2026
The Canada Revenue Agency (CRA) is rolling out new security measures for its online services ahead of the 2026 tax season. Starting in February 2026, all CRA My Account and My Business Account users will be required to have a backup multi-factor authentication (MFA) option on file. In practical terms, this means that in addition to your primary MFA (such as receiving a code by phone), you must set up at least one secondary authentication method – for example, a passcode grid or a third-party authenticator app. The goal of this change is to further strengthen the security of CRA accounts and prevent users from getting locked out during the MFA process.
Why Is CRA Requiring a Backup MFA Method?
During tax season, malicious actors ramp up their efforts to access taxpayers’ online CRA accounts to steal sensitive information or file fraudulent tax returns or benefit claims. In recent years, there have even been instances of mass account lockouts as a precaution against credential breaches. In 2021 the CRA locked hundreds of thousands of accounts after discovering stolen passwords being used by bad actors. These risks have prompted the CRA to continually improve its security measures.
Multi-factor authentication, which requires a one-time passcode each time you sign in, has already been mandatory for CRA accounts for some time. Until now many users relied on a single MFA method, often a code sent to a phone. If that single method becomes unavailable (e.g. you lose your phone or don’t have cellular service), you could be locked out of your account. This could cause you to miss important CRA communications or be unable to file returns by the required deadlines.
By mandating a backup MFA option, the CRA aims to ensure that taxpayers always have an alternate way to access their accounts even if their primary MFA method fails or is unavailable. According to the CRA, enrolling in more than one authentication option will “help ensure that you can still access your CRA account if you change your phone number, misplace your passcode grid, or delete the third-party authenticator app”. In short, this security enhancement is about both fraud prevention and avoiding unintended lockouts that could disrupt your access to important tax services.
Avoid Being Locked Out During Critical Tax Deadlines
From a taxpayer’s perspective, especially if you’re dealing with time-sensitive tax matters, this change is a welcome safeguard. The worst time to discover you’re locked out of your CRA account is when a filing, audit response, or objection deadline is looming. For instance, if you need to access your CRA My Account to retrieve tax slips before the April filing deadline, or if you must submit documents for an audit or file a Notice of Objection, not being able to log in could cause serious delays or even jeopardize your rights. Being locked out at a critical moment can result in missed deadlines, late-filing penalties, or lost opportunities to respond to the CRA. These scenarios often lead to unnecessary stress and potentially costly disputes.
By setting up a secondary login factor now, you can avoid the last-minute scramble. If your primary MFA method stops working at tax time (for example, your phone number changes or you lose access to your authenticator app), you’ll have a backup ready to go. This proactive step could save you days or even weeks of delay that might otherwise occur if you had to go through account recovery procedures.
How to Add a Backup MFA Method to Your CRA Account
The CRA is urging all users to log in and add a backup MFA option well before it becomes mandatory. The CRA’s website provides detailed instructions on updating your MFA settings and enrolling in multiple options. If you have only ever used one MFA method on your account, it’s a good idea to log in and add at least one backup method as soon as possible. It takes only a few minutes and ensures that when the new rule kicks in, you won’t face any hiccups signing in, or worse, find yourself unable to access your account when you need it most.
Additional Security Measures and Best Practices
The new backup MFA requirement is part of a broader effort by the CRA to safeguard taxpayer information. In addition to MFA enhancements, the CRA has been proactively revoking user IDs and passwords that appear compromised or that haven’t been used for a long time, to prevent malicious actors from exploiting old or stolen credentials. The agency has also ramped up actions against phishing scams. Over the past year, hundreds of fraudulent websites impersonating the CRA have been taken down. Taxpayers are reminded to be vigilant by only using official CRA websites (addresses starting with Canada.ca or ending in .cra-arc.gc.ca) and to avoid clicking on links from unsolicited emails or texts purporting to be from the CRA.
The Bottom Line: Act Now to Secure Your CRA Account
In summary, the CRA’s new backup MFA mandate is a smart precaution to protect taxpayers, but it only helps if you take action. Don’t wait until February 2026 when the requirement becomes official or until you’re racing against a tax deadline. Log in to your CRA My Account or My Business Account and add a secondary MFA method as soon as possible. Doing this now will save you time and trouble later, ensuring that you can confidently access your tax information or deal with the CRA when it matters most. By strengthening your account security today, you’re not only complying with the new rules, but also gaining peace of mind that you’ll have one less thing to worry about during the hectic tax season.
For step-by-step guidance on adding a backup MFA option, refer to the CRA’s official instructions on updating your multi-factor authentication settings. For the official announcement of the backup MFA requirement, see the CRA’s news release on keeping your information safe this tax season. Each of these resources provides additional details to help you navigate the process.