CRA account help - Multi-factor authentication (MFA)
Backup multi-factor authentication being introduced
When signing in to your CRA account, you will be prompted to add a backup multi-factor authentication option if you do not already have one. Users will have the option to temporarily skip this step during tax filing season.
Multi-factor authentication (MFA) increases the security of your CRA account by requiring you to enter a one-time passcode every time you sign in. MFA is mandatory for all users who wish to use a CRA account.
On this page
MFA Options
When you register, you will be prompted to enroll in 2 MFA options to get your one-time passcode, choosing from the following:
After you enroll, you can make changes after signing in. On your CRA account Welcome page, select Security settings then Multi-factor authentication.
If your account becomes locked
If your account becomes locked due to entering the wrong one-time passcode too many times, you will be temporarily locked out for 30 minutes. After that period, you can try again or use another method you are enrolled with. If this happens 3 times, you will be permanently locked out and will need to contact us.
Get your passcode with a third-party authenticator app
If you choose to use a third-party authenticator app, you will need to download an app that is compatible with a CRA account. The app store offers many free third-party authenticator app options to choose from.
Using the app, scan the provided QR code with a mobile device when prompted. If you are unable to scan the QR code, you can manually enter the setup key the CRA provides to you into the app. The app will now be set up and you will not have to complete this step again.
The app will then generate a 6-digit time-based one-time passcode for you to sign in with. For security, the app will generate a new passcode every 30 seconds.
Get your passcode by phone
If you choose to enroll with the phone option, you will need to provide at least one cell or landline number. Each time you sign in, a new one-time passcode will be sent to the phone number selected.
You can use VoIP to get your passcode
You can use a VoIP service with multi-factor authentication. However, some VoIP services may not be compatible with MFA. If you can’t get the one-time passcode by text, choose the “Call me” delivery method.
You can use an international phone number to receive your one-time passcode
You can receive your passcode to phone numbers based within North American countries that participate in the North American Numbering Plan (countries that an individual can call from Canada by dialing 1 + 10 digits). The phone number must be supplied by telephone providers.
Phone numbers in the following countries can receive a passcode:
- American Samoa
- Anguilla
- Antigua and Barbuda
- Bahamas
- Barbados
- Bermuda
- British Virgin Islands
- Canada
- Cayman Islands
- Dominica
- Dominican Republic
- Grenada
- Guam
- Jamaica
- Montserrat
- Northern Mariana Islands
- Puerto Rico
- Saint Kitts and Nevis
- Saint Lucia
- Saint Vincent and the Grenadines
- Saint Maarten
- Trinidad and Tobago
- Turks and Caicos Islands
- United States
- United States Virgin Islands
Alternately, you can enroll with the passcode grid or third-party authenticator app options which do not need access to a phone at all.
When you sign in, you can choose to receive your one-time passcode by:
-
Text message Option 1 of 2
Open the text message first, then use the passcode from the body of the message.
The CRA does not charge for this service, however your provider may charge standard message and data rates.
-
Phone call Option 2 of 2
Your passcode will be verbally told to you in an automated message from a toll-free number.
If you did not receive your one-time passcode, you can:
- Ask for it to be resent or sent to a different phone number that you have already enrolled with
- Try the Call me option instead of Text me if you are using a VoIP service
- Use the passcode grid if you are already enrolled with that option
- Use the third-party authenticator app if it is already set up
If you still can't receive your one-time passcode, you will need to contact us.
Get your passcode by passcode grid
If you choose to enroll with a passcode grid, the system will generate a unique passcode grid for you. You will use this grid every time you sign in, so you must either save it or print it.
The passcode grid is a table made up of numbered rows and lettered columns, similar to a Bingo card. We will ask for combinations (for example, B,1; A,3) to create your one-time passcode. We will ask for 3 of these combinations each time you sign in.
Your passcode grid will expire after 18 months. Before the expiry date, sign in and generate a new one in your CRA account. After you sign in, on your Welcome page select Security settings, then Multi-factor authentication.
If you lose your passcode grid, you will still be able to sign in if you have added the phone or authenticator app option for MFA. If you have not, you will need to contact us.
Update your MFA settings
After you sign in to your CRA account, on the Welcome page select Security settings then Multi-factor authentication to update your current MFA settings or enroll in additional MFA options. You can:
- Add or change a phone number for MFA
- Change your language settings
- Add or change an MFA option
- Generate a new passcode grid
Enroll in multiple multi-factor authentication (MFA) options
Enrolling in multiple MFA options will help ensure that you can still access your CRA account if you change your phone number, misplace your passcode grid, or delete the third-party authenticator app.
You must have access to your CRA account to make changes to your MFA settings.
If you can't receive your one-time passcode
If your phone number has changed and you can no longer receive your one-time passcode to that number, you can use another MFA option you are already enrolled with.
If you still cannot receive your one-time passcode, contact us.