Authentication and Credential Management v4.0
Assessment, Benefit and Service Branch
Digital Services Directorate
On this page
- Overview & Privacy Impact Assessment Initiation (PIA)
- Summary of the project, initiative or change
- Risk identification and categorization
Overview & Privacy Impact Assessment (PIA) Initiation
Government institution
Canada Revenue Agency
Government official responsible for the PIA
Gillian Pranke
Assistant Commissioner
Assessment, Benefit and Service Branch
Head of the government institution or Delegate for section 10 of the Privacy Act
Anne Marie Laurin
Director General
Access to Information and Privacy Directorate
Public Affairs Branch
Name of program or activity of the government institution
Information Technology
Information technology services involve doing activities to achieve efficient and effective use of information technology (IT) to support government priorities and program delivery, increase productivity, and enhance services to the public.
IT management activities include planning, developing (or procuring), and operating IT computing such as telecommunications, infrastructure, and applications.
Standard or institution specific class of record:
Information Technology
Record number: PRN 932
Standard or institution specific personal information bank:
Authentication and Credential Management Service
CRA PPU 607
TBS registration number: 20150040
Legal authority for program or activity
The Canada Revenue Agency (CRA) is designated as a separate Agency under Schedule II of the Financial Administration Act and as such has overall responsibility over its administration, contracts, and human resources management.
Personal information is collected under the authority of paragraph 30(1)(a) of the Canada Revenue Agency Act which grants the CRA responsibility for general administrative policy in the Agency, and is used to allow access to online systems for the purposes of administering program legislation as per the Income Tax Act and the Excise Tax Act. Personal information is also collected as required under the Policy on Government Security as it relates to the Directive on Identity Management as per agreement with the President of the Treasury Board.
The legal authority for entering into Memorandum of Understanding is under section 61 of the Canada Revenue Agency Act, which states that the CRA is responsible for implementing agreements or arrangements between the CRA and departments or agencies of the Government of Canada to administer a program or carry out an activity. The authority for disclosing information to Innovation, Science and Economic Development Canada for Identity Validation Service, Veterans Affairs Canada for the Portageur (also known as Identity Exchange Facility) or Employment and Social Development Canada for Linked eAccounts, is under section 241(5) (consent) of the Income Tax Act. The authority to collect personal information to know whose information to disclose under section 241 is section 220 of the Income Tax Act.
Subsection 241(5) of the Income Tax Act, subsection 295(6) of the Excise Tax Act, subsection 211(8) of the Excise Act, 2001, and subsection 8(1) of the Privacy Act, authorize the CRA to provide taxpayer information, confidential information, or personal information relating to an individual, to a third party with the consent of the individual.
For the non-resident representative number, personal information is collected under the authority of subsection 220(1) of the Income Tax Act. The CRA will use personal information to process applications for a non-resident representative applying for a non-resident representative number.
The CRA collects the social insurance number under subsection 237(1.1) of the Income Tax Act for income tax purposes and section 220 of the Income Tax Act to identify the individual to allow access to their income tax and benefit information online and to associate the individual’s anonymous credential to them.
For the BC Services Card (previously known as British Columbia Digital Identity for Federal Services), and for the Alberta.ca Account (previously known as MyAlberta Digital ID) integration with the CRA, the personal information is collected under the authority of section 220 of the Income Tax Act, and section 275 of the Excise Tax Act. The CRA uses personal information to allow Canadians who hold a BC Services Card (BCSC) or Alberta.ca Account (previously known as MyAlberta Digital ID) immediate digital access to the federal government services and programs offered through the CRA’s My Account.
Summary of the project, initiative or change
Overview of the Program or Activity
The CRA’s Authentication and Credential Management Program performs the following functions:
- provides identity proofing and access control for individuals, businesses owners, and the respective authorized representatives when accessing the CRA’s online services;
- provides and manages the CRA’s proprietary credentials;
- provides identity validation for users registering for the CRA’s partner organizations.
To achieve this, the CRA uses their own systems and processes and may enter in partnership with external partners.
The CRA has been a major stakeholder in the Government of Canada’s Cyber Authentication Renewal Initiative. The CRA has played an active role and supports arrangements for federated identity. As part of the Cyber Authentication Renewal Initiative, the CRA also provides its own authentication and credential management service for individuals, business owners, and representatives to use when accessing its online services.
The CRA’s Authentication and Credential Management Service relies on its systems to provide identity proofing, access control, and credential management services to the CRA’s online services.
The following is a list of the CRA’s online services that use the system of the Authentication and Credential Management Services.
The CRA’s online portals
My Account: Individuals can view their personal income tax and benefit information and manage their tax affairs online.
My Business Account: Business owners (including partners, directors, and officers) can access their GST/HST, payroll, corporation income taxes, excise taxes, excise duties, and other levies accounts online.
Represent a Client: Employees and representatives can access an account on behalf of their employer or clients. Prior to the CRA granting a representative access to information and services on behalf of individuals or businesses, a representative must first be authorized by the individual or the business owner.
CRA mobile apps
MyCRA app: MyCRA is a web-based mobile application for individual taxpayers that allows users to securely access and view all of their personal tax information, pay their tax balance owing, and more.
MyBenefits app: MyBenefits CRA is a web-based mobile app that offers individual benefit recipients a view of their benefits, credit payment details, eligibility information, and more.
CRA BizApp: CRA BizApp is a web-based mobile app for small business owners and sole proprietors. The application offers secure access to make payments, view accounting transactions, and more.
CRA web services
Auto-fill my return: Individuals and authorized representatives can automatically fill in parts of a current year income tax and benefit return using various NETFILE or EFILE certified software.
Express NOA: Express NOA is a secure CRA service that allows individuals and authorized representatives to view the notice of assessment in the tax preparation software, right after the CRA receives and processes the return.
T2 Auto-fill: T2 Auto-fill is a secure service that lets business owners and authorized representatives download information from the CRA to their tax preparation software.
Address change and direct deposit through NETFILE: Users of NETFILE tax preparation software are provided with a link to the CRA’s login services where they can change the mailing address or update direct deposit information.
Account information retrieval service: The Account Information Retrieval Service is a secure CRA service that allows individuals, businesses, and their authorized representatives using CRA certified software to automatically obtain balance owing account information that the CRA has available at the time.
Trusted provincial digital identities
Use of the BC Services Card:
Individuals who hold a BC Services Card can use it to access the CRA’s My Account. This initiative was assessed under the Pan Canadian Trust Framework in 2020.
Use of Alberta.ca Account:
Albertans who hold a verified Alberta.ca Account (previously known as MyAlberta Digital ID) can access the federal government services and programs offered through the CRA’s My Account for individuals. By relying on the Trusted Digital Identity issued by the province, the streamlined process eliminates the need to receive the security code by mail or the need to use Digital Identity Validation for the registration to online services and eliminates steps in the sign-in process. This initiative was assessed under the Pan Canadian Trust Framework in 2021.
Security enhancements
Multi-factor authentication
Multi-factor authentication is a mandatory enhanced security measure that was implemented throughout CRA sign-in services. When users enroll, they are asked to give at least one cell or landline phone number. Users will then be sent a one-time single session passcode that is required to sign in to our online services. A new one-time passcode will be sent via SMS or provided in an automated message to the telephone number selected each time the user signs in to the CRA sign-in services.
The CRA provides an enhancement to multi-factor authentication to allow a passcode grid as an option upon enrollment or access to the CRA’s online services.
Automation and fraud defense
The CRA uses security solutions on its website to identify any unauthorized attempts to access and use online services. The solutions monitor and analyze web traffic data generated from a user web session to detect automated and malicious activities against CRA websites.
Account takeover prevention
The CRA utilizes a third party account takeover prevention service to identify possible compromised CRA credentials and lessen the risk of unauthorized access to taxpayer accounts.
Other CRA login services:
Business Registration Online (BRO): The BRO service allows individuals to register for a business number, register for seven types of program accounts, and link to other online business registries for some provincial programs.
Careers – Candidate profile: The Candidate profile service allows individuals to apply for job opportunities with the CRA.
Partnerships:
Identity validation for other government organizations
The CRA’s Authentication and Credential Management Service includes the Portageur service (based on Identity Exchange Facility and the Identity Validation Service), which leverage the CRA systems to validate identity of online users for partner organizations. Individuals consent to the electronic transfer of their personal identity information to partners for specified purposes. The partners can then use this trusted information as a part of their own business process of authentication and identity verification of the individual for access to their online service. Currently, the CRA systems provide identity validation service for users of online programs for Innovation, Science and Economic Development Canada, Veterans Affairs Canada, selected Employment and Social Development Canada programs and the province of Nova Scotia.
What’s New
Digital Identity Validation option
In March 2024, the CRA implemented a new option that provides a digital identity validation process for individuals registering to access the CRA’s online services, such as My Account, My Business Account, and Represent a Client. Users registering for the CRA’s online services are offered a digital, second-factor validation process as an alternative option that allows them full and immediate access to their information online.
The digital identity validation option, known as the Interac document verification service option, is an enhancement that provides an alternative to the out of band security code letter that is currently part of the CRA’s registration process.
After completing identity proofing for the CRA’s online services, a user will have the option to choose the Interac document verification service option. This option will redirect the user to Interac’s website to take a picture of one of three accepted government-issued photo identification documents and a real time picture of themselves. The three government-issued photo identification documents accepted are Canadian passports, Canadian driver’s licences, and provincial or territorial photo IDs. Interac relies on a third-party service provider’s technology to run artificial intelligence against the images to:
- capture the biometrics;
- validate the picture taken and the image of the identification document, and
- ensure the document is authentic and matches the individual.
Following document processing and analysis by the technology, the user is redirected back to the CRA and Interac sends the CRA the results of the analysis of the identification document and photo comparison. The CRA will then match some of the identification information from the ID to our internal systems, to validate the user.
The CRA’s compliance and investigative programs will use information collected during the digital identity validation process to investigate and validate suspicions of fraud or misuse of the system. The use of information by these compliance and investigative programs are outside the scope of this privacy impact assessment.
Identity Validation Service to Innovation, Science and Economic Development Canada programs and services (ISED)
The CRA provides online Identity Validation Service to ISED as an option to verify the identity of users who want to register online for ISED programs.
When ISED users initially register for ISED’s newly developed Enterprise Level Digital Service, they will have the option to use the CRA’s Identity Validation Service to complete a one-time identity validation to finalize their ISED registration.
Once the user is authenticated, the CRA will send the specific identification data encrypted to ISED.
Multi-factor authentication
In February 2024, CRA added an additional feature to the current multi-factor authentication flow used to access digital services. This option is called timed based one-time passcode.
A user who is enrolling with a timed based one-time passcode option or adding timed based one-time passcode in the manage flow is provided a QR code or setup key that is associated to their social insurance number. They scan the QR code using their authenticator app or enter the setup key in their app.
Authenticator apps are already set up to generate the code by combining the setup key and QR code with the current time to generate the passcode for the user.
For each account that opts for the timed based one-time passcode option, the CRA will generate a unique passcode. A user enters the passcode that their CRA app gives them during the specified interval to match what the CRA generated in that same interval.
Linked eAccount between the CRA’s My Account and ESDC’s My Service Canada Account
This service allowing a user to sign in to an account with one organization and then access the other organization seamlessly within the same session is down until further notice.
Scope of the Privacy Impact Assessment
This PIA assessment gives an overview of the collection and sharing of personal information required to access the CRA’s external secure online program services and applications.
This PIA also includes information about the collection and use of personal information required to access the CRA’s external secure online program services and applications, and services from other government departments that utilize the CRA’s authentication services.
However, this PIA does not cover information related to the internal services such as security and investigations that may utilize the CRA’s authentication services, including identity protection services or internal programs that display, use, and collect personal information through an external application such as the individual returns and assessment program.
Risk identification and categorization
A) Type of program or activity
Compliance and regulatory investigations and enforcement
Level of risk to privacy: 3
Details:
The CRA uses personal information such as the social insurance number, non-resident representative number, postal/ZIP code, date of birth, last name, province, and information from the individual’s income tax and benefit return to identify the individual. It also uses the information for the purpose of accessing the CRA’s suite of services that use CRA’s authentication and credential management systems.
As part of the registration process for services that leverage credentials, an individual must create a credential (CRA user ID and password) or sign in with their external credential. To provide additional security and recovery options, the individual will need to provide security questions and answers.
Information will be used to validate the user’s identity to grant full access to the CRA’s online services. There will be some situations where the CRA may suspect attempts to gain access to a user’s account. The CRA will make sure to review these cases for unauthorized access.
B) Type of personal information involved and context
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples, or the context surrounding the personal information is sensitive.
Level of risk to privacy: 4
Details:
Personal information and tax or benefit information resulting from direct or indirect collection is used for the authentication and identity validation.
Personal information collected may include social insurance number, identification numbers, biographical data, date of birth, contact information, financial information, internet protocol address, photo identification, and photographs.
C) Program or activity partners and private sector involvement
Private sector organizations, international organizations, or foreign governments
Level of risk to privacy: 4
Details:
Upon consent the CRA receives and discloses personal information for the purpose of identity validation service for individual users to gain access to online programs administered by Veterans Affairs Canada, Innovation, Science and Economic Development Canada, Employment and Social Development Canada, and to the province of Nova Scotia.
The province of BC and Alberta share personal information with the CRA to confirm a user’s identity to give the user access to the CRA’s My Account.
Information may be shared with other CRA programs to assist with a criminal investigation or suspected abuse of the system or internal programs.
D) Duration of the program or activity
Long-term program
Level of risk to privacy: 3
Details:
There is no sunset date for this activity because it follows the Government On-Line initiative, a key component of the Government of Canada’s service strategy.
E) Program population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy: 3
Details:
The program affects individuals that choose to use the CRA’s online services.
It also affects individuals who choose to use the CRA online digital Services or other government partners services.
F) Technology & privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy: Yes
Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy: Yes
Does the new or modified program or activity involve the implementation of one or more of the following technologies?
Enhanced identification methods - this includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy: Yes
Use of Surveillance - this includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy: Yes
Use of automated personal information analysis, personal information matching and knowledge discovery techniques - for the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy: Yes
G) Personal information transmission
The personal information is transmitted using wireless technologies.
Level of risk to privacy: 4
Details:
Information is securely shared with other government departments using the Government of Canada’s approved technologies.
The personal information is used in a system that has connections to at least one other system.
CRA employees can use a laptop with access controls. Access to the CRA network from remote locations must be done with full disk encryption and standard secure remote access. The CRA’s Information Technology Branch has developed an enterprise-wide telecommuting platform that offers users secure access to the CRA network.
H) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee
Details:
A breach of personal information could have a financial impact on the individual because it could lead to identity theft. If the personal information, including pictures and biometrics, was compromised, the information has the potential to cause financial, emotional/mental, and physical harm to the individual.
Page details
- Date modified: