CRA Multi-Factor Authentication: What Small Businesses Must Know

The Canada Revenue Agency (CRA) is tightening security around its online services. Beginning February2026, every CRA user—including smallbusiness owners—will be required to register a backup multifactor authentication (MFA) method in addition to their primary MFA. Failure to do so can result in account lockouts at a critical time in the tax cycle.

Why the Backup MFA Requirement?

• Prevent Identity Theft — A secondary MFA option ensures a taxpayer can still access their account if their primary method is compromised.
• Avoid Tax Season Delays — If a primary device is lost or out of service, a backup prevents the business from missing filing deadlines.
• Strengthen Data Security — The CRA’s goal is to safeguard taxpayer data against increasingly sophisticated cyberthreats.

What Counts as a Backup MFA Option?

| Acceptable Method | Description |
|—|—|
| Passcode Grid | A series of numbers chosen from a 3×3 or 4×4 grid that the user selects as a secret. |
| ThirdParty Authenticator App | Apps like Microsoft Authenticator, Google Authenticator, or Authy that generate timebased codes. |

Phone calls or text messages remain valid for primary MFA but are not considered a backup.

How to Set It Up

• Log In — Use your existing primary MFA to sign into your CRA My Business Account.
• Navigate to Security Settings — Find the MFA section under Account Settings.
• Add Backup Method — Follow the onscreen prompts to select either a passcode grid or authenticator app.
• Verify — Enter the code generated by the backup method to confirm the setup.
• Save — Confirm that the backup method is active; you should see a green checkmark.

Quick Tip

Set up the backup MFA before the February 2026 deadline. The CRA system will block new users from accessing the account if no backup is registered. A short 5minute setup now saves hours of potential confusion later.

Common Pitfalls and How to Avoid Them

• Forgetting to Activate — The CRA will only flag the account if you log in and the backup is not registered. Verify after setup.
• Using an Ineligible Method — Phone calls or SMS are not backups. Doublecheck the method type.
• Multiple Devices — If you have several phones or computers, register the same backup MFA on all devices to prevent future lockouts.

What Happens If You Don’t Register?

The CRA’s system will display a warning the first time you log in without a backup method. If ignored, the account will be locked during the 2026 filing window, forcing the business owner to contact CRA support and potentially pay a fee or delay filing.

Need Assistance?

If you’re unsure how to add a backup MFA or encounter errors, contact the CRA’s help desk or consult with a CPA. Many accounting firms, including InsightSCPA, offer a quick MFAsetup service to ensure compliance.

For more detailed guidance on CRA online account security, see our Tax Planning resource. If you run a small business, also review our Small Business Accounting page for related security tips.

—

Prepared for InsightSCPA. 2026. All rights reserved.

Related Resources

• AI Advisory Services — Transform your accounting with our patent-pending AI governance framework
• Tax Planning Strategies — Proactive CPA-led tax optimization for Canadian businesses
• Schedule a Consultation — Speak with Bader A. Chowdry, CPA, CA, LPA