Security measures to protect taxpayer information from external threats
The protection of taxpayer information is of the utmost importance for the Canada Revenue Agency (CRA). In today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats.
Ongoing security enhancements
- Multi-factor authentication
The CRA uses multi-factor authentication (MFA) across its sign-in services as a mandatory enhanced security measure. Individuals need to enter a one-time passcode to access the CRA sign-in services. Each code is good for a single session.
Since February 2026, CRA account users have been prompted to add a backup MFA option if they do not already have one. Users can choose to add their backup option later. This measure further strengthens account security and helps prevent users from getting locked out during the MFA process.
The CRA also expanded MFA to its phone services in February 2026, allowing individuals to partially authenticate themselves prior to reaching a service representative.
- Mandatory email address on file
To help protect taxpayers’ online accounts from unauthorized access, My Account users are required to have an email address on file with the CRA.
This security feature sends individuals email notifications when important changes are made on their account, such as changes to their address, direct deposit, or credential information (such as their CRA user ID and password). Canadians who receive these notifications, but have not authorized any changes, should contact the CRA immediately.
- Personal Identification Number
As an added security measure, taxpayers can set a unique Personal Identification Number (PIN) for their account to identify themselves quickly and securely when calling the CRA on the individual income tax and benefits enquiries lines.
- Captcha
To help distinguish between human users and web robots, Captcha was implemented in all CRA portals. This security feature requires individuals to identify specific images before being granted access to our digital services.
- Maximum one credential
New users can only register one credential with the CRA (either a CRA user ID and password or a Sign-In Partner). This prevents users from registering a new credential if they already have one. Provincial partners are not affected by this limit.
- At-risk CRA user ID and password revocations
To help prevent unauthorized access and safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been compromised. These credentials may have been obtained through sources external to the CRA, such as email phishing schemes or third-party data breaches.
CRA user IDs and passwords identified as being at risk are revoked. Affected individuals will receive an email notification with instructions on how to regain access to their CRA account.
- Inactive credential suspensions and revocations
The CRA revokes and unlinks credentials after a prolonged period of inactivity. This eliminates the risk of unused or forgotten credentials being misused by unauthorized parties to gain access to taxpayer accounts.
- Enhanced authorization processes for representatives
The CRA has implemented the Confirm my Representative process for all authorization requests submitted by third parties who request online access to taxpayer information. When a request is submitted by a representative, the taxpayer must confirm or deny the request.
- Expanded character limit for passwords
The CRA account sign-in credential allows passwords to be between 8 and 64 characters. This range gives users the option to create longer and stronger passwords, and is more flexible for those who use password manager software.
- Internal security measures to prevent fraud
The CRA uses automated monitoring, threat intelligence, and internal analysis to detect suspicious activity. The CRA continues to invest in and enhance its existing security measures, technologies, processes and controls to identify specific threat indicators and risk patterns that may contribute to unauthorized use of taxpayer information by third parties.
The CRA works closely with a variety of partners, including other federal departments, provincial and territorial governments, financial institutions, and tax practitioners, sharing business intelligence and security best practices to prevent fraud. The CRA also collaborates with domestic and international partners to inform its security strategies.
- Identity Protection Services
The CRA created the Identity Protection Services (IPS) program to better help individuals who are suspected victims of identity theft. The program also responds to suspicious account activity to protect individuals and their information before identity theft occurs.
The IPS program reviews all cases of potential identity theft and works directly with identity theft victims to make sure that their online account is restored and remains protected from unauthorized activity.