From June 2026, HMRC has begun requiring agents — accountants and bookkeepers who manage tax affairs on behalf of clients — to use two-factor authentication (2FA) when accessing agent services accounts. If you have an accountant or bookkeeper filing VAT returns, Self Assessment, or other submissions for you, this change touches the systems behind your filings, even if you never log into HMRC yourself.
HMRC's agent services accounts now require a second verification step at login — typically a code sent to a mobile device or generated by an authenticator app — in addition to a username and password.
Tightening security around agent access
Agent services accounts hold access to sensitive tax information and submission capability for potentially hundreds of clients. A compromised login is a high-value target — 2FA is a standard, low-friction defence that significantly reduces the risk of unauthorised access from stolen or guessed passwords.
This mirrors a broader trend across UK government digital services and follows similar moves already made for individual taxpayer accounts in recent years.
If your accountant files on your behalf
In practice, this is mostly invisible to clients — your accountant or bookkeeper sets up 2FA on their own agent account once, and ongoing filings continue as normal. There is no action required from you as a client.
What's worth checking is simply that your accountant is aware of the change and has it set up — a brief disruption while an agent re-authenticates shouldn't affect your filing deadlines if handled in good time, but leaving it until a deadline week is best avoided.
What this is not
This is not a change to filing deadlines, tax rates, or what needs to be submitted. It is a login security change for the professionals managing your tax affairs. If you use a firm or sole practitioner for your bookkeeping, accounting, or tax filings, this is the kind of background infrastructure change that a well-run practice absorbs without it touching your experience at all.
The bigger picture
HMRC has signalled that stronger authentication requirements across its digital services are likely to continue expanding — partly in response to rising volumes of digital tax interactions under Making Tax Digital, and partly as standard security hygiene. If you manage your own HMRC login, setting up an authenticator app now (rather than waiting for it to become mandatory) is a sensible five-minute task.
Want a practice that stays on top of this for you?
I keep my own systems current with HMRC's requirements so you don't have to think about it. Book a free 30-minute call to discuss your bookkeeping and filing needs.