Service Improvement Request — Multi-factor authentication

We reviewed the Canada Revenue Agency’s (CRA) rollout of a new backup multi-factor authentication (MFA) requirement for CRA account users, which aims to reduce contact centre call volumes and enhance account security.^{Footnote 1} 

The CRA originally planned to require a backup MFA starting February 9, 2026, when taxpayers login to their CRA account. Soon after the CRA announced this requirement in December 2025, we anticipated that it might cause service issues for taxpayers unfamiliar with authenticator apps or passcode grids. To avoid problems during tax season, we raised concerns with the CRA on January 7, 2026. Although the CRA was already assessing multiple approaches to backup MFA, our inquiry further prompted it to review its initiative and refine its communication approach. Specifically, starting on February 9, 2026, and just for this tax filing season, the CRA decided it would only present users with the option to add a backup MFA, and allow them to set one up later.

While taxpayers are no longer required to add a backup MFA this tax season, those who choose to do so could still experience difficulties. This is because we found the CRA’s current guidance for the new backup MFA requirement lacks clarity about options, detailed instructions, and scam warnings.

Many Canadians desire simpler processes and are therefore less familiar with MFA options like authenticator apps and passcode grids compared with text message and phone call MFA one-time passcodes.

We found CRA’s guidance on MFA apps unclear and incomplete, particularly regarding the authenticator applications that are built-into some operating systems for certain devices and compatible third-party applications for other devices. CRA’s resources lack detailed instructions on setting up MFA, warnings about scams, and advice on choosing compatible apps.

CRA provides notifications for new registrations and changes to MFA options managed within the portal. Notifications are not currently issued for logins on new devices. However, if it were to do so, this would enhance account security.

Taxpayers without access to any existing MFA must call the CRA to reset it, creating inconvenience and inefficiency. Further, it leads to more calls to the CRA’s contact centre. Therefore, the CRA should consider alternative solutions that do not require a backup MFA, such as automatically resetting MFA options during re-registration without the need to call the CRA.

The Taxpayers’ Ombudsperson requests the following service improvements:

1. Identify and list compatible authenticator apps on the CRA website.
2. Enhance guidance on the new MFA requirement, including setup instructions, benefits, and warnings about scam risks.
3. Develop clear instructional videos for mobile and desktop users to simplify the MFA setup.
4. Notify users without a backup MFA via email, explaining the requirement and directing them to resources.
5. Allow automatic cancellation of existing MFA upon re-registration if users lack access to their current MFA, avoiding the need to contact CRA.
6. Introduce email notifications for logins on new devices.