CRA Multi-Factor Authentication: What Small Businesses Must Know
The Canada Revenue Agency (CRA) is tightening security around its online services. Beginning February2026, every CRA user—including smallbusiness owners—will be required to register a backup multifactor authentication (MFA) method in addition to their primary MFA. Failure to do so can result in account lockouts at a critical time in the tax cycle.
Why the Backup MFA Requirement?
- Prevent Identity Theft — A secondary MFA option ensures a taxpayer can still access their account if their primary method is compromised.
- Avoid Tax Season Delays — If a primary device is lost or out of service, a backup prevents the business from missing filing deadlines.
- Strengthen Data Security — The CRA’s goal is to safeguard taxpayer data against increasingly sophisticated cyberthreats.
What Counts as a Backup MFA Option?
| Acceptable Method | Description |
|—|—|
| Passcode Grid | A series of numbers chosen from a 3×3 or 4×4 grid that the user selects as a secret. |
| ThirdParty Authenticator App | Apps like Microsoft Authenticator, Google Authenticator, or Authy that generate timebased codes. |
Phone calls or text messages remain valid for primary MFA but are not considered a backup.
How to Set It Up
- Log In — Use your existing primary MFA to sign into your CRA My Business Account.
- Navigate to Security Settings — Find the MFA section under Account Settings.
- Add Backup Method — Follow the onscreen prompts to select either a passcode grid or authenticator app.
- Verify — Enter the code generated by the backup method to confirm the setup.
- Save — Confirm that the backup method is active; you should see a green checkmark.
Quick Tip
Set up the backup MFA before the February 2026 deadline. The CRA system will block new users from accessing the account if no backup is registered. A short 5minute setup now saves hours of potential confusion later.
Common Pitfalls and How to Avoid Them
- Forgetting to Activate — The CRA will only flag the account if you log in and the backup is not registered. Verify after setup.
- Using an Ineligible Method — Phone calls or SMS are not backups. Doublecheck the method type.
- Multiple Devices — If you have several phones or computers, register the same backup MFA on all devices to prevent future lockouts.
What Happens If You Don’t Register?
The CRA’s system will display a warning the first time you log in without a backup method. If ignored, the account will be locked during the 2026 filing window, forcing the business owner to contact CRA support and potentially pay a fee or delay filing.
Need Assistance?
If you’re unsure how to add a backup MFA or encounter errors, contact the CRA’s help desk or consult with a CPA. Many accounting firms, including InsightSCPA, offer a quick MFAsetup service to ensure compliance.
For more detailed guidance on CRA online account security, see our Tax Planning resource. If you run a small business, also review our Small Business Accounting page for related security tips.
—
Prepared for InsightSCPA. 2026. All rights reserved.
Related Resources
- AI Advisory Services — Transform your accounting with our patent-pending AI governance framework
- Tax Planning Strategies — Proactive CPA-led tax optimization for Canadian businesses
- Schedule a Consultation — Speak with Bader A. Chowdry, CPA, CA, LPA