Authentication and Credential Management v4.0

Assessment, Benefit and Service Branch
Digital Services Directorate

Overview & Privacy Impact Assessment (PIA) Initiation 

Government institution

Canada Revenue Agency

Government official responsible for the PIA

Gillian Pranke
Assistant Commissioner
Assessment, Benefit and Service Branch

Head of the government institution or Delegate for section 10 of the Privacy Act

Anne Marie Laurin
Director General
Access to Information and Privacy Directorate
Public Affairs Branch

Name of program or activity of the government institution

Information Technology

Information technology services involve activities to achieve efficient and effective use of information technology (IT) to support government priorities and program delivery, increase productivity, and enhance services to the public.

IT management activities include planning, developing (or procuring), and operating IT computing such as telecommunications, infrastructure, and applications.

Standard or institution specific class of record:

Information Technology
Record number: PRN 932

Standard or institution specific personal information bank:

Authentication and Credential Management Service
CRA PPU 607
TBS registration number: 20150040

Legal authority for program or activity

The Canada Revenue Agency (CRA) is designated as a separate Agency under Schedule II of the Financial Administration Act and as such has overall responsibility over its administration, contracts, and human resources management. 

Personal information is collected under the authority of paragraph 30(1)(a) of the Canada Revenue Agency Act which grants the CRA responsibility for general administrative policy in the Agency, and is used to allow access to online systems for the purposes of administering program legislation as per the Income Tax Act and the Excise Tax Act. Personal information is also collected as required under the Policy on Government Security as it relates to the Directive on Identity Management as per agreement with the President of the Treasury Board.

The legal authority for entering into a Memorandum of Understanding is under section 61 of the Canada Revenue Agency Act, which states that the CRA is responsible for implementing agreements or arrangements between the CRA and departments or agencies of the Government of Canada to administer a program or carry out an activity. The authority for disclosing information to Innovation, Science and Economic Development Canada for Identity Validation Service, Veterans Affairs Canada for the Portageur (also known as Identity Exchange Facility) or Employment and Social Development Canada for Linked eAccounts, is under section 241(5) (consent) of the Income Tax Act. The authority to collect personal information to know whose information to disclose under section 241 is section 220 of the Income Tax Act.

Subsection 241(5) of the Income Tax Act, subsection 295(6) of the Excise Tax Act, subsection 211(8) of the Excise Act, 2001, and subsection 8(1) of the Privacy Act, authorize the CRA to provide taxpayer information, confidential information, or personal information relating to an individual, to a third party with the consent of the individual.

For the non-resident representative number, personal information is collected under the authority of subsection 220(1) of the Income Tax Act. The CRA will use personal information to process applications for a non-resident representative applying for a non-resident representative number.

The CRA collects the social insurance number under subsection 237(1.1) of the Income Tax Act for income tax purposes and section 220 of the Income Tax Act to identify the individual to allow access to their income tax and benefit information online and to associate the individual’s anonymous credential to them.

For the BC Services Card (previously known as British Columbia Digital Identity for Federal Services), and for the Alberta.ca Account (previously known as MyAlberta Digital ID) integration with the CRA, the personal information is collected under the authority of section 220 of the Income Tax Act, and section 275 of the Excise Tax Act. The CRA uses personal information to allow Canadians who hold a BC Services Card (BCSC) or Alberta.ca Account immediate digital access to the federal government services and programs offered through the CRA’s My Account.

Summary of the project, initiative or change

Overview of the Program or Activity

The CRA’s Authentication and Credential Management Program performs the following functions:

To achieve this, the CRA uses its own systems and processes and may enter into partnerships with external partners.

The CRA has been a major stakeholder in the Government of Canada’s Cyber Authentication Renewal Initiative. The CRA has played an active role and supports arrangements for federated identity. As part of the Cyber Authentication Renewal Initiative, the CRA also provides its own authentication and credential management service for individuals, business owners, and representatives to use when accessing its online services.

The CRA’s Authentication and Credential Management Service relies on its systems to provide identity proofing, access control, and credential management services to the CRA’s online services.

The following CRA online services use the systems of the Authentication and Credential Management Service.

The CRA’s online portals

My Account: Individuals can view their personal income tax and benefit information and manage their tax affairs online.

My Business Account: Business owners (including partners, directors, and officers) can access their GST/HST, payroll, corporation income taxes, excise taxes, excise duties, and other levies accounts online.

Represent a Client: Employees and representatives can access an account on behalf of their employer or clients. Prior to the CRA granting a representative access to information and services on behalf of individuals or businesses, a representative must first be authorized by the individual or the business owner.

CRA mobile apps

MyCRA app: MyCRA is a web-based mobile application for individual taxpayers that allows users to securely access and view all of their personal tax information, pay their tax balance owing, and more.

MyBenefits app: MyBenefits CRA is a web-based mobile app that offers individual benefit recipients a view of their benefits, credit payment details, eligibility information, and more.

CRA BizApp: CRA BizApp is a web-based mobile app for small business owners and sole proprietors. The application offers secure access to make payments, view accounting transactions, and more.

CRA web services

Auto-fill my return: Individuals and authorized representatives can automatically fill in parts of a current year income tax and benefit return using various NETFILE or EFILE certified software.

Express NOA: Express NOA is a secure CRA service that allows individuals and authorized representatives to view the notice of assessment in the tax preparation software, right after the CRA receives and processes the return.

T2 Auto-fill: T2 Auto-fill is a secure service that lets business owners and authorized representatives download information from the CRA to their tax preparation software.

Address change and direct deposit through NETFILE: Users of NETFILE tax preparation software are provided with a link to the CRA’s login services where they can change the mailing address or update direct deposit information.

Account information retrieval service: The Account Information Retrieval Service is a secure CRA service that allows individuals, businesses, and their authorized representatives using CRA certified software to automatically obtain balance owing account information that the CRA has available at the time.

Trusted provincial digital identities

Use of the BC Services Card:

Individuals who hold a BC Services Card can use it to access the CRA’s My Account. This initiative was assessed under the Pan Canadian Trust Framework in 2020.

Use of Alberta.ca Account:

Albertans who hold a verified Alberta.ca Account (previously known as MyAlberta Digital ID) can access the federal government services and programs offered through the CRA’s My Account for individuals. By relying on the Trusted Digital Identity issued by the province, the streamlined process eliminates the need to receive the security code by mail or the need to use Digital Identity Validation for the registration to online services and eliminates steps in the sign-in process. This initiative was assessed under the Pan Canadian Trust Framework in 2021.

Security enhancements

Multi-factor authentication

Multi-factor authentication is a mandatory enhanced security measure that was implemented throughout CRA sign-in services. When users enroll, they are asked to give at least one cell or landline phone number. Users will then be sent a one-time single session passcode that is required to sign in to our online services. A new one-time passcode will be sent via SMS or provided in an automated message to the telephone number selected each time the user signs in to the CRA sign-in services.

The CRA provides an enhancement to multi-factor authentication to allow a passcode grid as an option upon enrollment or access to the CRA’s online services.

Automation and fraud defense

The CRA uses security solutions on its website to identify any unauthorized attempts to access and use online services. The solutions monitor and analyze web traffic data generated from a user web session to detect automated and malicious activities against CRA websites.

Account takeover prevention

The CRA utilizes a third party account takeover prevention service to identify possible compromised CRA credentials and lessen the risk of unauthorized access to taxpayer accounts.

Other CRA login services:

Business Registration Online (BRO): The BRO service allows individuals to register for a business number, register for seven types of program accounts, and link to other online business registries for some provincial programs.

Careers – Candidate profile: The Candidate profile service allows individuals to apply for job opportunities with the CRA.

Partnerships:

Identity validation for other government organizations

The CRA’s Authentication and Credential Management Service includes the Portageur service (based on Identity Exchange Facility and the Identity Validation Service), which leverages the CRA systems to validate the identity of online users for partner organizations. Individuals consent to the electronic transfer of their personal identity information to partners for specified purposes. The partners can then use this trusted information as a part of their own business process of authentication and identity verification of the individual for access to their online service. Currently, the CRA systems provide identity validation service for users of online programs for Innovation, Science and Economic Development Canada, Veterans Affairs Canada, selected Employment and Social Development Canada programs and the province of Nova Scotia.

What’s New

Digital Identity Validation option

In March 2024, the CRA implemented a new option that provides a digital identity validation process for individuals registering to access the CRA’s online services, such as My Account, My Business Account, and Represent a Client. Users registering for the CRA’s online services are offered a digital, second-factor validation process as an alternative option that allows them full and immediate access to their information online. 

The digital identity validation option, known as the Interac document verification service option, is an enhancement that provides an alternative to the out of band security code letter that is currently part of the CRA’s registration process. 

After completing identity proofing for the CRA’s online services, a user will have the option to choose the Interac document verification service option. This option will redirect the user to Interac’s website to take a picture of one of three accepted government-issued photo identification documents and a real time picture of themselves. The three government-issued photo identification documents accepted are Canadian passports, Canadian driver’s licences, and provincial or territorial photo IDs. Interac relies on a third-party service provider’s technology to run artificial intelligence against the images to:

Following document processing and analysis by the technology, the user is redirected back to the CRA and Interac sends the CRA the results of the analysis of the identification document and photo comparison. The CRA will then match some of the identification information from the ID to our internal systems, to validate the user.

The CRA’s compliance and investigative programs will use information collected during the digital identity validation process to investigate and validate suspicions of fraud or misuse of the system. The use of information by these compliance and investigative programs is outside the scope of this privacy impact assessment.

Identity Validation Service to Innovation, Science and Economic Development Canada programs and services (ISED)

The CRA provides online Identity Validation Service to ISED as an option to verify the identity of users who want to register online for ISED programs.

When ISED users initially register for ISED’s newly developed Enterprise Level Digital Service, they will have the option to use the CRA’s Identity Validation Service to complete a one-time identity validation to finalize their ISED registration.

Once the user is authenticated, the CRA will send the specific identification data encrypted to ISED.

Multi-factor authentication

In February 2024, CRA added an additional feature to the current multi-factor authentication flow used to access digital services. This option is called timed based one-time passcode.

A user who is enrolling with a timed based one-time passcode option or adding timed based one-time passcode in the manage flow is provided a QR code or setup key that is associated to their social insurance number. They scan the QR code using their authenticator app or enter the setup key in their app.

Authenticator apps are already set up to generate the passcode for the user by combining the setup key, entered directly or scanned from the QR code, with the current time.

For each account that opts for the timed based one-time passcode option, the CRA will generate a unique passcode. A user enters the passcode that their CRA app gives them during the specified interval to match what the CRA generated in that same interval.
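The interval matching described above, as an added example that is not the CRA's code: a time-based one-time passcode computed from a setup key and the current time, plus a server-side check that accepts a passcode only for its own interval and only once. The page does not state the parameters, so the RFC 6238 defaults (HMAC-SHA1, 30-second interval, 6 digits) are assumed; `Verifier`, `drift_steps` and `SAMPLE_KEY` are hypothetical names, and the sample key is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per interval (assumption: RFC 6238 default)
DIGITS = 6   # passcode length (assumption: common authenticator default)

def totp(setup_key_b32: str, unix_time: int) -> str:
    """Passcode for the interval that contains unix_time."""
    s = setup_key_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate missing padding
    counter = unix_time // STEP                      # interval number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server side: recompute the passcode and compare; never accept an
    interval that was already used (blocks replay of an observed code)."""

    def __init__(self, setup_key_b32: str, drift_steps: int = 0):
        self.key = setup_key_b32
        self.drift = drift_steps     # 0 = same interval only, as the page describes
        self.last_counter = -1       # highest interval already accepted

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue             # already consumed
            expected = totp(self.key, counter * STEP)
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False

# Constructed sample input: the RFC 6238 test secret, base32-encoded
# the way a setup key is shown to the user.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(SAMPLE_KEY)
    code = totp(SAMPLE_KEY, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))
```

A `drift_steps` of 1 tolerates a client clock that is one interval off, at the cost of a longer acceptance window per passcode.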

Linked eAccount between the CRA’s My Account and ESDC’s My Service Canada Account

This service, which allows a user to sign in to an account with one organization and then access the other organization seamlessly within the same session, is down until further notice.

Scope of the Privacy Impact Assessment

This PIA gives an overview of the collection and sharing of personal information required to access the CRA’s external secure online program services and applications.

This PIA also includes information about the collection and use of personal information required to access the CRA’s external secure online program services and applications, and services from other government departments that utilize the CRA’s authentication services.

However, this PIA does not cover information related to the internal services such as security and investigations that may utilize the CRA’s authentication services, including identity protection services or internal programs that display, use, and collect personal information through an external application such as the individual returns and assessment program.

Risk identification and categorization
