If you use CRA My Account, My Business Account, or Represent a Client, you will be asked to use multi-factor authentication, also called MFA, when signing in.
MFA is an extra security step that helps protect your CRA account. Instead of signing in with only your username and password, the CRA also asks for a one-time passcode each time you access your account. The CRA confirms that MFA is mandatory for users who want to access a CRA account online.
You can sign in to your CRA account here:
CRA sign-in page: https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services.html
Multi-factor authentication means that after entering your CRA login information, you must also confirm your identity using a one-time passcode.
The CRA currently allows the following MFA methods:
CRA MFA applies to CRA online services such as:
CRA MFA information page:
CRA multi-factor authentication help: https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/multi-factor-authentication.html
The CRA requires MFA to help protect online accounts from unauthorized access. Your CRA account can include sensitive personal and business tax information, such as:
Because of this, MFA helps ensure that even if someone knows your password, they still cannot access your CRA account without the one-time passcode.
Starting in February 2026, the CRA began prompting CRA account users to add a backup MFA option if they do not already have one. During tax filing season, users may have the option to skip this step temporarily, but the CRA encourages users to add a backup method to avoid being locked out later.
The CRA says backup MFA options can be:
Telephone can still be used as a primary MFA option, but it is not available as a backup MFA option.
CRA backup MFA announcement:
CRA account users encouraged to add backup MFA: https://www.canada.ca/en/revenue-agency/news/newsroom/tax-tips/tax-tips-2026/cra-account-users-encouraged-add-backup-multi-factor-authentication-option.html
A third-party authenticator app generates a one-time code that changes regularly. This method is often more reliable than receiving a text message, especially if you travel, change phone numbers, or have issues receiving CRA text messages.
The CRA allows users to set up an authenticator app by scanning a QR code or entering a setup key into the app.
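The following is an added illustration, not CRA code. It assumes the setup key is a Base32 secret for standard TOTP (RFC 6238 with HMAC-SHA-1, a 30-second step and 6 digits), which is what common authenticator apps implement; the sample key is the public RFC test secret and the function names are hypothetical. It shows that the code is computed locally from the setup key and the clock, which is why an authenticator app keeps working without cell service or a particular phone number.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret, Base32-encoded and grouped the
# way a setup key is usually displayed. Never use it for a real account.
SAMPLE_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_setup_key(setup_key: str) -> bytes:
    """Normalize a typed setup key (spaces, dashes, lower case) and decode it."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # Base32 input must be padded to 8 chars
    return base64.b32decode(cleaned)


def totp(setup_key: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the one-time code for a given moment (assumed RFC 6238 defaults)."""
    secret = decode_setup_key(setup_key)
    counter = unix_time // step  # the code changes when this counter changes
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(setup_key: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Generic verifier sketch: accept adjacent steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(setup_key, unix_time + i * step, step), submitted)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    import time
    now = int(time.time())
    print(totp(SAMPLE_SETUP_KEY, now), "valid for", 30 - now % 30, "more seconds")
```

Because the code depends only on the setup key and the time, anyone who obtains the setup key or QR code can generate valid codes, so it deserves the same care as a password, and a device with a badly wrong clock will produce codes that are rejected.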
Examples of commonly used authenticator apps include:
This option may be helpful if:
A passcode grid is a chart generated by the CRA. When you sign in, the CRA asks you to enter specific values from the grid.
If you choose this option, you must save or print the grid because you will need it when signing in. The CRA states that a passcode grid expires after 18 months, and users should generate a new one before it expires.
This option may be helpful if:
Important: keep your passcode grid in a secure place. Do not email it to yourself or share it with anyone.
With phone MFA, the CRA sends a one-time passcode by text message or provides it through an automated phone call.
Phone MFA can be convenient, but it can create issues if:
If text messages are not working, the CRA recommends trying the “Call me” option where available.
Because phone access can change, it is recommended to add an authenticator app or passcode grid as a backup.
To add or update your CRA MFA options:
CRA sign-in page:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services.html
CRA MFA help page:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/multi-factor-authentication.html
If you cannot receive your CRA MFA code, you can try:
If none of your MFA options work, you may need to contact the CRA or recover access through the CRA’s account recovery process.
CRA locked account help page:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/locked-account.html
Your CRA account may become locked if incorrect information is entered too many times. This can include:
The CRA states that if your account is temporarily locked, you may not need to call. However, if you cannot regain access, you may need to recover the account or contact the CRA.
CRA locked account page:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/locked-account.html
Never share your CRA one-time passcode with anyone.
The CRA states that it will never call and ask you for your one-time passcode over the phone. You should also avoid sharing your CRA user ID, password, security code, SIN, or personal tax information with others.
If someone contacts you asking for your CRA code, password, or personal information, treat it as suspicious.
Here are the main CRA pages related to sign-in and MFA:
CRA sign-in page:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services.html
CRA multi-factor authentication help:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/multi-factor-authentication.html
Register for a CRA account:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/register-cra-sign-in-services.html
CRA locked account help:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services/locked-account.html
Help with using your CRA account:
https://www.canada.ca/en/revenue-agency/services/e-services/cra-login-services/help-cra-sign-in-services.html
My Business Account information:
https://www.canada.ca/en/revenue-agency/services/e-services/digital-services-businesses/business-account/about-business-account.html
Represent a Client information:
https://www.canada.ca/en/revenue-agency/services/e-services/represent-a-client/about-represent-a-client.html
To avoid problems accessing your CRA account:
CRA multi-factor authentication is now a normal part of accessing CRA online services. While it adds an extra step when signing in, it helps protect your personal and business tax information.
The best approach is to set up more than one MFA method, especially an authenticator app or passcode grid, so you do not lose access if your phone number changes or your primary method stops working.