Multi-factor authentication to access CRA sign-in services

What is Multi-factor authentication?

Multi-factor authentication (MFA) is a mandatory enhanced security measure that was implemented throughout our CRA sign-in services. When prompted to enroll in MFA, users can select either option:

Users who choose to enroll with the telephone option will need to provide at least one cell or landline phone number. Users will then be sent a one-time passcode that is required to be entered when they sign in to our online services. This code is good for a single sign in session. A new one-time passcode will be sent via Short Messaging Service (SMS) or provided in an automated message to the telephone number selected each time the user signs in to the CRA sign-in services using this option in the future.

When enrolling with a passcode grid, the system will generate a unique passcode grid for the user, who will be required to save or print it. The five-by-five grid includes twenty-five distinct cells each containing 3 random letters. With each sign in using this option, the user will be prompted to enter a different set of 3 groups of 3 letters that, together, make up the one-time passcode.

To enroll using a third-party authenticator app, users must first have one downloaded. Using the app, the user scans a QR code with a mobile device when prompted. If unable to scan the QR code the user can manually enter the setup key the CRA provides into the app. The app will then generate a one-time passcode to be entered.

What is a one-time passcode?

A one-time passcode is a string of characters or numbers that authenticates a user. Once enrolled in MFA, users are required to enter a one-time passcode each time they sign in to the CRA sign-in services. This code is good for a single sign in session.

When users enroll with or add a telephone option for MFA, a new 6 digit one-time passcode will be sent via SMS or automated message to the telephone number provided, each time they attempt to sign in to our CRA sign-in services using this option in the future.

When users enroll with or add the passcode grid option for MFA, a new one-time passcode combination will be requested each time they attempt to sign in to our CRA sign-in services using this option, and the user will be advised what grid coordinates to enter.

When users enroll with an authenticator app, it will generate a 6 digit Time-Based One-Time Passcode (TOTP). When signing in to the CRA sign-in services users will be required to enter a one-time passcode provided by the app.

What is a Passcode Grid?

A passcode grid is a table made up of numbered rows and lettered columns, similar to a Bingo card. The CRA will ask for combinations (i.e., B,1 ; A,3) and users will need to match the column and the row to provide the 3 letters that are shown in the square. The CRA will ask for three of these combinations each time a user signs in to CRA's sign-in services. The passcode grid is an option upon enrollment and it can also be added later in the Manage my Multi-factor authentication settings.

What is a third-party authenticator app?

A third-party authenticator app can be installed on an app enabled mobile or desktop device to be used for MFA. The app store offers many free third-party authenticator app options to choose from. Users will need to download an app that is compatible with the CRA sign-in services.

Using the app, the user scans a QR code with a mobile device when prompted. If unable to scan the QR code the user can manually enter the setup key the CRA provides into the app. The app will now be set up and the user will not have to complete this step again.

The app will then generate a 6 digit Time-Based One-Time Passcode (TOTP). When signing in to the CRA sign-in services users will be required to enter a one-time passcode provided by the app. For security, the app will generate a new TOTP every 30 seconds.

Why do I now need to enter a one-time passcode to access my online account?

The CRA has introduced an MFA process to enhance the security of its online services, and ensure the safety and protection of taxpayer information.

How do I use the Multi-factor authentication feature to access my CRA sign-in service?

CRA sign in

  1. Enter your CRA user ID and password.
  2. If asked, go through the captcha security process. To help distinguish between human users and web robots, this security feature will require individuals to identify specific images, before being granted access to online services.
  3. Answer a security question (If you select ‘Do not ask me a security question each time I sign in using this device,' you will not see this page in the future when using the same device or browser to sign in).
  4. Click ‘next' when taken to the Last CRA sign in page.
  5. First you will be required to enroll in the MFA process. To enroll, you will need to provide at least one cell or landline telephone number, generate a passcode grid or use a third-party authenticator app.
  6. If you enroll with the telephone option, once you receive your one-time passcode via SMS or automated message to the telephone number you provide, enter it. If you enroll with the passcode grid option, save a copy of your passcode grid and enter the combination of grid coordinates when prompted. If you enroll with the third-party authenticator app option, enter the one-time passcode that is generated by the app.
  7. You are now signed in!

Sign-In Partner sign in

  1. Choose the Sign-In Partner option to sign in.
  2. On the Interac sign-in service page, select the financial institution you wish to use.
  3. At the financial institution's site, enter the required sign-in information.
  4. You are returned to the CRA.
  5. First you will be required to enroll in the MFA process. To enroll, you will need to provide at least one cell or landline telephone number, generate a passcode grid or use a third-party authenticator app.
  6. If you enroll with the telephone option, once you receive your one-time passcode via SMS or automated message to the number you provide, enter it. If you enroll with the passcode grid option, save a copy of your passcode grid and enter the combination of grid coordinates when prompted. If you enroll with the third-party authenticator app option, enter the one-time passcode that is generated by the app.
  7. You are now signed in!

Alberta.ca Account sign in

  1. Choose the provincial partner option to sign in and choose Alberta.ca Account.
  2. Consent to let the provincial partner share information with the CRA.
  3. On the provinces' sign in page, complete the sign in process.
  4. You are returned to the CRA.
  5. First you will be required to enroll in the MFA process. To enroll, you will need to provide at least one cell or landline telephone number, generate a passcode grid or use a third-party authenticator app.
  6. If you enroll with the telephone option, once you receive your one-time passcode via SMS or automated message to the number you provide, enter it. If you enroll with the passcode grid option, save a copy of your passcode grid and enter the combination of grid coordinates when prompted. If you enroll with the third-party authenticator app option, enter the one-time passcode that is generated by the app.
  7. You are now signed in!

How do I use the one-time passcode?

If you select "Text me", the passcode will be sent by Short Messaging Service (SMS). Ensure to open the text message first, then use the passcode from the body of the message.

If you select "Call me", the passcode will be received as a phone call from a toll-free number and verbally provided to you in an automated message.

If you select "Passcode grid", you will need to match the column and the row to provide the 3 letters that are shown in the square (i.e., B,1 ; A,3).

If you select "Authenticator app", enter the one-time passcode that is generated by the app.

What if I didn't receive my one-time passcode?

If you enrolled with the telephone/passcode grid/authenticator app option and did not receive or cannot provide your one-time passcode, you can ask for it to be resent. If issues persist, please Contact us.

If you have more than one option on file, and are having difficulties with the one-time passcode (e.g., not receiving one-time passcode to your telephone, misplaced your passcode grid or are unable to access your third-party authenticator app) you can select to use  another option by choosing "different option" when prompted to enter your one-time passcode.

Can I receive my one-time passcode by email for Multi-factor authentication?

No. Once you've enrolled, it will be sent by SMS or automated message to the cell phone or landline number you provide. For the passcode grid option you'll be asked to enter a combination of grid coordinates. If you have enrolled in the third-party authenticator app option you must enter a Time-Based One-Time passcode generated by the app.

Can I use an international telephone number to receive one-time passcode with Multi-factor authentication?

Yes. However, at this time you can only use telephone numbers based within North American countries that participate in the North American Numbering Plan (i.e., countries that an individual can call from Canada by dialing 1 + 10 digits).

Telephone numbers in the following countries that can receive an OTP: American Samoa, Anguilla, Antigua and Barbuda, Bahamas, Barbados, Bermuda, British Virgin Islands, Canada, Cayman Islands, Dominica, Dominican Republic, Grenada, Guam, Jamaica, Montserrat, Northern Mariana Islands, Puerto Rico, Saint Kitts and Nevis, Saint Lucia, Saint Vincent and the Grenadines, Saint Maarten, Trinidad and Tobago, Turks and Caicos Islands, United States, and the United States Virgin Islands.

The telephone numbers must be supplied by telephone providers (i.e. landline or mobile phone). Additionally, you can enroll with a passcode grid option and you do not need access to a telephone at all.

Can I disable the Multi-factor authentication feature?

No. Multi-factor authentication (MFA) is mandatory for all users who wish to use the CRA sign-in services. If you are unable to use a telephone to receive a one-time passcode sent via SMS or automated message, you may choose one of the other options.

Can I stop getting Short Messaging Service (SMS) messages for CRA's Multi-factor authentication?

Yes. You can text "STOP" to 27223 or reply "STOP" to the message containing your one-time passcode to stop receiving SMS messages to that telephone number in the future. However, it is important to note that CRA's Multi-factor authentication (MFA) service is mandatory and a passcode is required to sign in to the CRA's sign-in services. Texting "STOP" will prevent your telephone from receiving an SMS message with your passcode in the future. Without the passcode, you will be unable to access the CRA sign-in services using this option and will need to choose an alternate MFA option to use. This option applies only to Canadian telephone numbers.

How do I re-enable the option to receive a one-time passcode for Multi-factor authentication via SMS?

To re-enable the option for your telephone to receive your one-time passcode, text "START" to 27223 or reply "START" to the message containing your one-time passcode to start receiving SMS messages to that telephone number again. This option applies only to Canadian telephone numbers.

Can I receive help by replying to the Multi-factor authentication one-time passcode sent by SMS?

Yes. You can receive further information if you text "HELP" or "INFO" to 27223 or reply "HELP" or "INFO" to the message containing your one-time passcode. This option applies only to Canadian telephone numbers.

What if I don't have access to text message or a landline?

If you do not have access to text message or a landline, you may use one of the other MFA options.

Will I need to keep a copy of the Passcode Grid?

Yes. You will be advised when generating the passcode grid to keep a copy for future sign in attempts. You must save the grid in PDF format on your device and/or print a copy to keep in your records. We recommend that you do not email your passcode grid to yourself or anyone else.

Can I use a VoIP service with Multi-factor authentication?

Yes, however some VoIP services may not be compatible with the CRA's MFA service. If you experience difficulty receiving the one-time passcode, please choose the "Call me" delivery method.

How do I update my Multi-factor authentication settings?

You can manage your MFA settings by selecting the Multi-factor authentication settings within My Account, My Business Account, and Represent a Client. This option allows you to add or change a telephone number for MFA, change your language setting, or remove the telephone option. Additionally, you can remove the passcode grid option or generate a new one. You can also add or remove the link to a third-party authenticator app. It is recommended that you have more than one option on file although only one option is required.

What should I do if I have been locked out of my account?

If your account becomes locked due to entering the wrong passcode too many times, Contact us to have your account unlocked.

What if my lose my Passcode Grid?

If you lose your passcode grid, you will still be able to sign in if you have added one of the other MFA options. If you have not, you will need to Contact us.

What does it mean when I see 'Standard message or data rates may be charged by your telephone service provider'? Is there a charge to receive the one-time passcode?

The CRA does not charge for this service, however your provider may charge standard message and data rates. Check with your provider if you have questions about your plan and costs.

Will the CRA ever call and ask me to provide my one-time passcode over the telephone?

No. The CRA will only request that you enter your one-time passcode on your device when signing in. Users should never share their one-time passcode with anyone, including anyone calling or texting to request it.

Page details

Date modified: