TaxCalc Blog

New Addition to HMRC Government Gateway Security

As part of HMRC’s Making Tax Digital strategy, we have been expecting security improvements to be made to taxpayers’ access to their online accounts via the Government Gateway.

On 29 March 2016, HMRC introduced a new optional layer of security that introduces a mobile phone into the logging in process for Individual taxpayers.

To be fair to HMRC, this form of two factor authentication is becoming pretty standard practice in the online world. Those of us that use online banking usually have a little device that can generate a code to allow access. The chances are that a third party has access to such a device or a mobile phone are incredibly slim.

How do taxpayers set this up?

HMRC are rolling this out over several weeks. However, when live on their account, once a taxpayer has logged in to their online accounts, they will find an option to activate the service. From there, it’s a matter of following the onscreen steps.

The feature isn’t mandatory. HMRC recognise that not all taxpayers will want this, perhaps because they don’t have a mobile phone or don’t have a signal. Nonetheless, it seems that some 600,000 taxpayers opted into this additional security last January.

If someone no longer has access to their mobile phone (such as they lose it or change numbers), they can reset it using HMRC’s Online Services Helpdesk.

Agent credentials

Another aspect of the introduction is that it will make it harder for a very small minority of agents that use their clients’ Government Gateway credentials to file tax returns on their behalf.

Strictly speaking, it is not correct or advisable that this practice carries on and, indeed, accountants can obtain their own credentials. Adding another layer of security makes it even harder for such agents to avoid obtaining their own credentials.

What should we expect to happen in the future?

It is highly likely that logging in using a mobile phone will be extended to other users of HMRC’s online service. This may include accountancy practices.

We also consider it likely that HMRC will introduce two factor authentication in its new API authorisation processes. Back in January, my colleague Greg Case, wrote about these and how they will present themselves in TaxCalc.