HMRC has confirmed the rollout schedule for mandatory multi-factor authentication (MFA) across all agent accounts. The first deadline is now days away: agents who submit their opt-in request before 30 June 2026 at midnight will have MFA activated on 15 July. Those who take no action will be switched over between 28 September and 15 October 2026, with no advance notice of the exact date. Sources: SME Tax Update, 11 June 2026 (Ross Martin) and the CIOT agent preparation guide.
Context: Two Agent Account Types, Two Separate Targets
MFA applies to two distinct HMRC account types:
- The Agent Services Account (ASA) — the modern portal used for MTD Income Tax, digital client authorisations, and access group management.
- The Online Services for Agents Account (OSA) — the legacy portal covering self-assessment, corporation tax, and other older services.
The rollout runs in three phases (CIOT):
| Opt-in form deadline | MFA activation date |
|---|---|
| 30 June 2026 at midnight | 15 July 2026 |
| 31 July 2026 at midnight | 19 August 2026 |
| No action taken | Between 28 Sept. and 15 Oct. 2026 |
Agents who fall into the mandatory phase will receive no advance notice of their exact activation date. HMRC’s message is unambiguous: be ready by 28 September at the latest.
ERP Impact: Will Automated MTD and RTI Submissions Be Affected?
This is the question most IT directors and finance leaders are asking: will MFA on agent accounts disrupt automated submissions from ERP systems (Sage, IRIS, Xero, Access Group, Brightpearl)?
According to the CIOT, the answer is no — with some important caveats:
“The changes should not affect the existing process of authenticating software used to file returns under MTD.”
MTD-compatible software uses OAuth tokens renewed every 18 months to submit returns to HMRC via API. This software authentication layer is entirely separate from interactive portal logins. MFA governs manual sign-ins to the web portal, not the automated API exchanges between your ERP and HMRC.
Not affected:
- MTD Income Tax submissions from compatible software via OAuth API
- RTI (Real Time Information) payroll submissions sent automatically
- VAT filings via MTD for VAT-certified software
Affected:
- Any manual access by your team or accountancy firm to the HMRC Agent Services Account portal
- Client mandate management in the ASA
- Manual tax status checks or corrections via the OSA
In practice: if anyone at your firm — or an external ERP contractor — regularly logs into the HMRC portal for manual operations, they must configure MFA before 28 September. If they do not, they will be locked out at an unknown date between 28 September and 15 October.
What to Watch For
For accountancy firms and agent practices: The CIOT recommends a minimum of two administrators per agent account to prevent a single point of human failure from blocking access. The decision between individual and shared credentials should be made now, before activation.
For IT directors managing an ERP with HMRC integration: Check with your software vendor that OAuth tokens are current. An expired token at the wrong moment — unrelated to MFA — can cause a service interruption on MTD or RTI submissions.
For UK ERP vendors (Sage, IRIS, Access Group, Xero): None of the major vendors have published specific bulletins on MFA compatibility at this stage. The CIOT position is that API flows are unaffected, but it is worth checking with your vendor’s support team if your filing process includes manual steps interleaved with automated ones.
For further reading on HMRC compliance, see our Making Tax Digital Income Tax UK guide and our analysis of MTD Income Tax adoption in 2026.
