CRA's unusable two-factor authentication

Oh no, this has disaster written all over it! Another poorly thought-out IT innovation from the CRA will undoubtedly see many Canadians locked out of their tax account and unable to reach the overloaded CRA help lines at the peak time of the year. Great thinking at the CRA as usual!

This new 2FA applies whether you use a direct CRA login or a Sign-In Partner (bank login). Of course the banks already have their own 2FA, so this is just adding another time-consuming and costly layer of inconvenience.

It apparently applies every single time you access your CRA account - there is no option to authorize a specific browser once only.

I don't see anything about VoIP land lines. Could they not receive the voice call authorization? Of course that will cost you money per call with some of them.

There is currently no mechanism for changing the phone number, and probably no way to recover if your initial attempt fails because the CRA's system can't work with the phone number you gave them.

Guaranteed their overloaded system will be unable to keep up at peak times, not to mention the reliance on other services like cell carriers. This will undoubtedly leave people waiting and fuming at the login prompt, unsure if their 2FA code is ever coming, or if they should try again, or the system is just down today, or their phone carrier has a problem...

They say you can't disable 2FA for your account online, but "Contact us" if you want to do that. The specific contact number isn't given, but it's probably 1-800-959-8281 (security issues). You have to enter your 2FA code to speak to them... just kidding!

@bubak ....this is nothing new though. I mean when was the last time you logged into 'My Account' before today? I ask because I log in at least once a month and not just tax time, and the 2FA has always been there. Since the pandemic, however, the only restriction on the site is the inability to change your banking deposits/address and other personal details.

I just logged in now as I read your post, and had no issues, and even disabled the 2FA because I'm using my personal work laptop this time. Another thing anyone encounters is if you log-in on a machine that you haven't used before, you will be met with security question validation. Once you answer correctly, you can opt not to be asked a question next time.

Note: and I did this last month, you can call them up and agents will rectify details on your account over the phone, as long as you meet the questions they ask with the right answer. I'll highly suggest people log into their accounts often and not just tax time.

bubak wrote: ↑ CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.

They allow telephone call option over VOIP.

"At this time, Voice over Internet Protocol (VoIP) text message is not supported. If you are using VOIP, select the telephone call option."

No issues here.

Just signed into several CRA accounts 2-3 days ago and no prompt for 2fa.

Guess they are rolling out slowly.

How easy would it have been to allow changing number in same process as username or password... or even allow email that they have on file with tax return??

This plus the convoluted MCSA!!

Kimmychow wrote: ↑ @bubak ....this is nothing new though. I mean when was the last time you logged into 'My Account' before today? I ask because I log in at least once a month and not just tax time, and the 2FA has always been there. Since the pandemic, however, the only restriction on the site is the inability to change your banking deposits/address and other personal details.

I just logged in now as I read your post, and had no issues, and even disabled the 2FA because I'm using my personal work laptop this time. Another thing anyone encounters is if you log-in on a machine that you haven't used before, you will be met with security question validation. Once you answer correctly, you can opt not to be asked a question next time.

Note: and I did this last month, you can call them up and agents will rectify details on your account over the phone, as long as you meet the questions they ask with the right answer. I'll highly suggest people log into their accounts often and not just tax time.

I last logged in just last week and there was no 2FA.

How do you disable the 2FA? Their FAQ says you can't.

bubak wrote: ↑ How do you disable the 2FA? Their FAQ says you can't.

It says you can't disable 2FA online. Call them.

A few more data points:

- I can still sign in to my account as usual through my banking login, no prompt to set up 2FA yet

- I can't sign in to my CRA ccount using the Brave privacy protection browser, even with Shields Down for the CRA web site - it's just too careless with cross-site cookies.

- No investment or banking T slips from anyone yet. I suppose this is going to be another year where banks and financial institutions are even later and more haphazard in filing slips with the CRA.

I just logged into CRA My Account and I wasn't asked anything about 2FA. It was just the same ID, password, and verification question as usual.

If they actually do force 2FA on people, it will end up being a disaster to the extent that Trudeau will get involved. It won't work all the time. People will get locked out. They'll be waiting for days on hold with the CRA to get it fixed.

At least do something smart and give us TOTP app support (Google Authenticator, etc.,) so we can be in charge of our own security. Stop handing over our security to incompentent phone companies who open you up to SIM Swap Scams.

I am amazed the Nexus Card portal has legit 2fa via app of choice for years now. The cra site, the student loan site, omg I can't handle it getting any worse. Slow. Loads half the time you login correctly. Randomly signs out. Just complete crap and now here's another way to make it more problematic. Ty for heads up.

bubak wrote: ↑ CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.

This is a a but of an exaggeration.

First, VOIP land line is a contradiction. VOIP is virtural by definition. VOIP numbers are allowed although you are likely limited to voice and not SMS.

Second, you can change the number used. You just have to call since there is no online recovery process.

Third, submit via mail then.

Kasakato wrote: ↑ First, VOIP land line is a contradiction. VOIP is virtural by definition.

Not OP, but the wording may seem contradictory but in practice it might not. VOIP numbers usually show up as a landline when looked up, like any other actual landline.
As such, it’s not expected that landlines can accept SMS, as they don’t show up as wireless numbers. They can take voice calls fine.

Can they at least turn the address change function back on now?

Someone on Reddit posted that they received a message from the CRA that the 2FA is being globally disabled due to the number of complaints, and will re-evaluate before rolling it out again next year. (source)

BTW, the CRA web site is getting increasingly browser-picky this year. I can't log in with Brave or Firefox at all. And last week when I tried to download CRA T-slips to my tax package, it let me log in, but refused to download on Win7 with any browser due to "expired token". I had to switch to Win10, where the same browser version would download the T slips.

Jucius Maximus wrote: ↑ Someone on Reddit posted that they received a message from the CRA that the 2FA is being globally disabled due to the number of complaints, and will re-evaluate before rolling it out again next year. (source)

Thanks for this information. Few days ago, I was prompted to sign up for 2FA while logging into my CRA account. Last few days, I noticed that I have not been prompted to input the SMS code while logging in and I was wondering what happened. So after reading your post, now I know that they got rid of it (for now).