CRA Multi-Factor Authentication: What Small Businesses Must Know by February 2026

Bymanager

The Canada Revenue Agency (CRA) is tightening security around its online services. Beginning February 2026, every CRA user-including small business owners-will be required to register a backup multi-factor authentication (MFA) method in addition to their primary MFA. Failure to do so can result in account lockouts at a critical time in the tax cycle.

Why the Backup MFA Requirement?

  1. Prevent Identity Theft – A secondary MFA option ensures a taxpayer can still access their account if their primary method is compromised.
  2. Avoid Tax Season Delays – If a primary device is lost or out of service, a backup prevents the business from missing filing deadlines.
  3. Strengthen Data Security – The CRA’s goal is to safeguard taxpayer data against increasingly sophisticated cyber-threats.

What Counts as a Backup MFA Option?

Acceptable Method Description
Passcode Grid A series of numbers chosen from a 3×3 or 4×4 grid that the user selects as a secret.
Third-Party Authenticator App Apps like Microsoft Authenticator, Google Authenticator, or Authy that generate time-based codes.

Phone calls or text messages remain valid for primary MFA but are not considered a backup.

How to Set It Up

  1. Log In – Use your existing primary MFA to sign into your CRA My Business Account.
  2. Navigate to Security Settings – Find the MFA section under Account Settings.
  3. Add Backup Method – Follow the on-screen prompts to select either a passcode grid or authenticator app.
  4. Verify – Enter the code generated by the backup method to confirm the setup.
  5. Save – Confirm that the backup method is active; you should see a green checkmark.

Quick Tip

Set up the backup MFA before the February 2026 deadline. The CRA system will block new users from accessing the account if no backup is registered. A short 5-minute setup now saves hours of potential confusion later.

Common Pitfalls and How to Avoid Them

  • Forgetting to Activate – The CRA will only flag the account if you log in and the backup is not registered. Verify after setup.
  • Using an Ineligible Method – Phone calls or SMS are not backups. Double-check the method type.
  • Multiple Devices – If you have several phones or computers, register the same backup MFA on all devices to prevent future lockouts.

What Happens If You Don’t Register?

The CRA’s system will display a warning the first time you log in without a backup method. If ignored, the account will be locked during the 2026 filing window, forcing the business owner to contact CRA support and potentially pay a fee or delay filing.

Need Assistance?

If you’re unsure how to add a backup MFA or encounter errors, contact the CRA’s help desk or consult with a CPA. Many accounting firms, including Insight SCPA, offer a quick MFA setup service to ensure compliance.

For more detailed guidance on CRA online account security, see our Tax Planning resource. If you run a small business, also review our Small Business Accounting page for related security tips.

Prepared for Insight SCPA. © 2026. All rights reserved.

Related Resources