CRA Multi-Factor Authentication: What Small Businesses Must Know by February 2026

Bymanager

# CRA Multi-Factor Authentication: What Small Businesses Must Know by February 2026

The Canada Revenue Agency (CRA) is tightening security around its online services. Beginning **February 2026**, every CRA user—including small‑business owners—will be required to register a *backup* multi‑factor authentication (MFA) method in addition to their primary MFA. Failure to do so can result in account lockouts at a critical time in the tax cycle.

## Why the Backup MFA Requirement?

1. **Prevent Identity Theft** – A secondary MFA option ensures a taxpayer can still access their account if their primary method is compromised.
2. **Avoid Tax Season Delays** – If a primary device is lost or out of service, a backup prevents the business from missing filing deadlines.
3. **Strengthen Data Security** – The CRA’s goal is to safeguard taxpayer data against increasingly sophisticated cyber‑threats.

## What Counts as a Backup MFA Option?

| Acceptable Method | Description |
|—|—|
| Passcode Grid | A series of numbers chosen from a 3×3 or 4×4 grid that the user selects as a secret. |
| Third‑Party Authenticator App | Apps like Microsoft Authenticator, Google Authenticator, or Authy that generate time‑based codes. |

*Phone calls or text messages remain valid for primary MFA but are **not** considered a backup.*

## How to Set It Up

1. **Log In** – Use your existing primary MFA to sign into your CRA My Business Account.
2. **Navigate to Security Settings** – Find the *MFA* section under *Account Settings*.
3. **Add Backup Method** – Follow the on‑screen prompts to select either a passcode grid or authenticator app.
4. **Verify** – Enter the code generated by the backup method to confirm the setup.
5. **Save** – Confirm that the backup method is active; you should see a green checkmark.

### Quick Tip

Set up the backup MFA **before** the February 2026 deadline. The CRA system will block new users from accessing the account if no backup is registered. A short 5‑minute setup now saves hours of potential confusion later.

## Common Pitfalls and How to Avoid Them

– **Forgetting to Activate** – The CRA will only flag the account if you log in and the backup is not registered. Verify after setup.
– **Using an Ineligible Method** – Phone calls or SMS are not backups. Double‑check the method type.
– **Multiple Devices** – If you have several phones or computers, register the same backup MFA on all devices to prevent future lockouts.

## What Happens If You Don’t Register?

The CRA’s system will display a warning the first time you log in without a backup method. If ignored, the account will be locked during the 2026 filing window, forcing the business owner to contact CRA support and potentially pay a fee or delay filing.

## Need Assistance?

If you’re unsure how to add a backup MFA or encounter errors, contact the CRA’s help desk or consult with a CPA. Many accounting firms, including Insight SCPA, offer a quick MFA‑setup service to ensure compliance.

For more detailed guidance on CRA online account security, see our [Tax Planning](https://insightscpa.ca/intel/tax-planning) resource. If you run a small business, also review our [Small Business Accounting](https://insightscpa.ca/intel/small-business-accounting) page for related security tips.

*Prepared for Insight SCPA. © 2026. All rights reserved.*

Similar Posts