HMRC's Two Step Authentication
For some time now there has been the option to set up two step authentication to access your personal tax account through HMRC or the Government Gateway. I have found that that choice no longer exists.
Today I had to set up two step authentication and not only did I have to provide either my mobile or landline number, once logged in with the access code sent to me I then had to provide my first name, my surname, my NI number and my date of birth in order for HMRC to verify that I was the person setting up the authentication. And if that wasn't enough I was then asked if I wanted to provide information from my payslip, my P60 or my passport. I couldn't access anything until I had provided all this information. Who has their payslip, their passport or their P60 conveniently accessible to provide this information?
It was frustrating that I was forced to set up two step authentication, but to then have to provide all this personal data as well seemed a step too far and certainly meant a quick login to check some information became something I wished I hadn't bothered with.
I really don't understand the purpose of two step authentication. The 12 digit login provided by HMRC is hardly memorable or easily found by someone wanting to access the account, nor is the password which has been set up by the account holder - unless of course you have the full login saved on your computer which is definitely not sensible.
Sending an access code to your mobile phone or your landline might seem like a more secure option but how can you receive the code if you don't have any mobile reception? We work with a lot of businesses who don't have mobile reception and even in our own office there often isn't any mobile reception. You can choose to receive your access code to your landline - but what if you want to access your account at work and you have provided your home number or vice versa?
Two step authentication will soon be forced upon businesses for VAT and PAYE. For now you can choose to opt out by selecting "Not Now" but when this is no longer an option we will just have to do it. But I am wondering how you can log on to file your VAT return if you left your phone at home, you lost it, you changed your number or you don't have mobile reception? How can someone else file your VAT return on your behalf because you are seriously ill in hospital? Someone else can't log in with your details because they don't have your phone and they can't register as your agent because you are too ill to authorise them to act as your agent. I have been in this very situation on more than one occasion where the person doing the accounts and submitting the VAT return is seriously ill and unable to be contacted and I have prepared and submitted the return for them so that the deadlines aren't missed.
Changing your details can only be possible once logged in but you can't log in if you don't have your original phone number. I'm not sure what will happen then!
I don't believe this two step authentication provides any extra security, just frustration for business owners and their bookkeepers and accountants. Many business owners do not want to access their accounts themselves and provide their access details to someone they trust. Whilst these trusted advisors can be set up as an agent it is not always that simple. It takes time to apply for and receive authority and sometimes the business owner needs to have an answer now or a VAT return needs to be submitted now. Access to PAYE records has never been available for agents so currently we have to log in using our clients' access information to review their record. We do this regularly as we have found RTI submissions have not been uploaded or are different to what has been submitted, payments have not been shown or HMRC are chasing for monies owed which are not. Regular review is part of our service and has proved valuable to our clients. They would not want to do it themselves and if they did they would certainly find it quite complicated to follow!
It is vital that we continue to have access to our clients' records with their permission so that we can provide the level of service which they want. We are professionals and if our clients trust us then HMRC should also trust us to keep the login details secure.
There are lots of scenarios where two step authentication is going to cause a real problem and I hope this can be kept at bay for as long as possible. I recommend you choose "Not now" for as long as you can and hopefully until there is a workable solution to the scenarios I have set out above.