Personal Finance

CRA's unusable two-factor authentication

  • Last Updated:
  • Feb 24th, 2021 2:16 pm
Tags:
None
[OP]
Deal Addict
Jul 15, 2009
2141 posts
1270 upvotes

CRA's unusable two-factor authentication

CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.
53 replies
Deal Addict
Jan 21, 2018
4349 posts
4404 upvotes
Vancouver
Oh no, this has disaster written all over it! Another poorly thought-out IT innovation from the CRA will undoubtedly see many Canadians locked out of their tax account and unable to reach the overloaded CRA help lines at the peak time of the year. Great thinking at the CRA as usual!

This new 2FA applies whether you use a direct CRA login or a Sign-In Partner (bank login). Of course the banks already have their own 2FA, so this is just adding another time-consuming and costly layer of inconvenience.

It apparently applies every single time you access your CRA account - there is no option to authorize a specific browser once only.

I don't see anything about VoIP land lines. Could they not receive the voice call authorization? Of course that will cost you money per call with some of them.

There is currently no mechanism for changing the phone number, and probably no way to recover if your initial attempt fails because the CRA's system can't work with the phone number you gave them.

Guaranteed their overloaded system will be unable to keep up at peak times, not to mention the reliance on other services like cell carriers. This will undoubtedly leave people waiting and fuming at the login prompt, unsure if their 2FA code is ever coming, or if they should try again, or the system is just down today, or their phone carrier has a problem...

They say you can't disable 2FA for your account online, but "Contact us" if you want to do that. The specific contact number isn't given, but it's probably 1-800-959-8281 (security issues). You have to enter your 2FA code to speak to them... just kidding! :)
Last edited by Scote64 on Feb 13th, 2021 10:26 am, edited 1 time in total.
Deal Addict
User avatar
Sep 10, 2005
4625 posts
1942 upvotes
GTA
Yup. I deal with my parents CRA accounts and one of their accounts got the notice to enable it a few months ago. Haven't cared to look at the mentioned limitations but it seemed like a beta process at the time since it clearly wasn't fully rolled out
Banned
Jan 14, 2021
59 posts
106 upvotes
@bubak ....this is nothing new though. I mean when was the last time you logged into 'My Account' before today? I ask because I log in at least once a month and not just tax time, and the 2FA has always been there. Since the pandemic, however, the only restriction on the site is the inability to change your banking deposits/address and other personal details.

I just logged in now as I read your post, and had no issues, and even disabled the 2FA because I'm using my personal work laptop this time. Another thing anyone encounters is if you log-in on a machine that you haven't used before, you will be met with security question validation. Once you answer correctly, you can opt not to be asked a question next time.

Note: and I did this last month, you can call them up and agents will rectify details on your account over the phone, as long as you meet the questions they ask with the right answer. I'll highly suggest people log into their accounts often and not just tax time.
bubak wrote: CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.
Jr. Member
Mar 7, 2011
102 posts
89 upvotes
They allow telephone call option over VOIP.

"At this time, Voice over Internet Protocol (VoIP) text message is not supported. If you are using VOIP, select the telephone call option."

No issues here.
Deal Fanatic
Feb 4, 2015
6418 posts
2815 upvotes
Canada, Eh!!
Just signed into several CRA accounts 2-3 days ago and no prompt for 2fa.

Guess they are rolling out slowly.

How easy would it have been to allow changing number in same process as username or password... or even allow email that they have on file with tax return??

This plus the convoluted MCSA!!
.......
July 13, 2017 to October 25, 2018: BOC raised rates 5 times and MCAP raised its prime rate next day each time.

2020: BOC dropped rates 3 times and MCAP waited and waited to drop its prime rate to include all 3 drops.
[OP]
Deal Addict
Jul 15, 2009
2141 posts
1270 upvotes
Kimmychow wrote: @bubak ....this is nothing new though. I mean when was the last time you logged into 'My Account' before today? I ask because I log in at least once a month and not just tax time, and the 2FA has always been there. Since the pandemic, however, the only restriction on the site is the inability to change your banking deposits/address and other personal details.

I just logged in now as I read your post, and had no issues, and even disabled the 2FA because I'm using my personal work laptop this time. Another thing anyone encounters is if you log-in on a machine that you haven't used before, you will be met with security question validation. Once you answer correctly, you can opt not to be asked a question next time.

Note: and I did this last month, you can call them up and agents will rectify details on your account over the phone, as long as you meet the questions they ask with the right answer. I'll highly suggest people log into their accounts often and not just tax time.
I last logged in just last week and there was no 2FA.

How do you disable the 2FA? Their FAQ says you can't.
Deal Addict
Jan 21, 2018
4349 posts
4404 upvotes
Vancouver
bubak wrote: How do you disable the 2FA? Their FAQ says you can't.
It says you can't disable 2FA online. Call them.

A few more data points:

- I can still sign in to my account as usual through my banking login, no prompt to set up 2FA yet

- I can't sign in to my CRA ccount using the Brave privacy protection browser, even with Shields Down for the CRA web site - it's just too careless with cross-site cookies.

- No investment or banking T slips from anyone yet. I suppose this is going to be another year where banks and financial institutions are even later and more haphazard in filing slips with the CRA.
Deal Addict
Oct 13, 2006
2304 posts
785 upvotes
Burnaby
sms doesnt work 90% of the time, even after hitting resend i receive nothing and the number is correct. now ive been locked out because you can only request sms 3 times. joke system.
Deal Addict
Jan 19, 2017
4085 posts
2322 upvotes
Scote64 wrote: It says you can't disable 2FA online. Call them.

A few more data points:

- I can still sign in to my account as usual through my banking login, no prompt to set up 2FA yet

- I can't sign in to my CRA ccount using the Brave privacy protection browser, even with Shields Down for the CRA web site - it's just too careless with cross-site cookies.

- No investment or banking T slips from anyone yet. I suppose this is going to be another year where banks and financial institutions are even later and more haphazard in filing slips with the CRA.
It is the same for me & family members that no 2FA is required. I tried both Using Sign-In Partners & Using a CRA user ID and password. We all signed up before 2020. I think the 2FA is required for people who signed up for CRA Myacct recently, especially after CERB was paid, due to too many frauds.
Deal Addict
Jan 19, 2017
4085 posts
2322 upvotes
bubak wrote: CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.
When did you sign up the acct?
Deal Expert
User avatar
Aug 18, 2005
20035 posts
4595 upvotes
Burlington-Hamilton
I just logged into CRA My Account and I wasn't asked anything about 2FA. It was just the same ID, password, and verification question as usual.

If they actually do force 2FA on people, it will end up being a disaster to the extent that Trudeau will get involved. It won't work all the time. People will get locked out. They'll be waiting for days on hold with the CRA to get it fixed.

At least do something smart and give us TOTP app support (Google Authenticator, etc.,) so we can be in charge of our own security. Stop handing over our security to incompentent phone companies who open you up to SIM Swap Scams.
What if there were no hypothetical questions?
Deal Addict
User avatar
Aug 3, 2009
1986 posts
446 upvotes
Nova Scotia
I am amazed the Nexus Card portal has legit 2fa via app of choice for years now. The cra site, the student loan site, omg I can't handle it getting any worse. Slow. Loads half the time you login correctly. Randomly signs out. Just complete crap and now here's another way to make it more problematic. Ty for heads up.
Deal Addict
Jan 19, 2017
4085 posts
2322 upvotes
amplified wrote: sms doesnt work 90% of the time, even after hitting resend i receive nothing and the number is correct. now ive been locked out because you can only request sms 3 times. joke system.
It is the same for my friend. No text was sent to her phone. She has to use the voice option, instead of the text option.
Deal Expert
Mar 25, 2005
21793 posts
2592 upvotes
bubak wrote: CRA has imposed SMS two-factor authentication for their MyAccount online service.
https://www.canada.ca/en/revenue-agency ... vices.html

It does not allow opting out.

It does not allow you to change your phone number once you give them one.

It does not allow VOIP land lines.

It does not allow international phone numbers.

It does not allow e-mail.

So the only way to get tax information now is to go in person to a Tax Services Office. Oh, but those are closed due to Covid. So there's no way to get or submit tax documents now.
This is a a but of an exaggeration.

First, VOIP land line is a contradiction. VOIP is virtural by definition. VOIP numbers are allowed although you are likely limited to voice and not SMS.

Second, you can change the number used. You just have to call since there is no online recovery process.

Third, submit via mail then.
Deal Addict
Dec 25, 2017
2086 posts
1511 upvotes
Kasakato wrote: First, VOIP land line is a contradiction. VOIP is virtural by definition.
Not OP, but the wording may seem contradictory but in practice it might not. VOIP numbers usually show up as a landline when looked up, like any other actual landline.
As such, it’s not expected that landlines can accept SMS, as they don’t show up as wireless numbers. They can take voice calls fine.
Deal Addict
User avatar
Mar 30, 2004
3882 posts
1128 upvotes
Can they at least turn the address change function back on now?
Deal Expert
User avatar
Aug 18, 2005
20035 posts
4595 upvotes
Burlington-Hamilton
Someone on Reddit posted that they received a message from the CRA that the 2FA is being globally disabled due to the number of complaints, and will re-evaluate before rolling it out again next year. (source)
What if there were no hypothetical questions?
Deal Addict
Jan 21, 2018
4349 posts
4404 upvotes
Vancouver
BTW, the CRA web site is getting increasingly browser-picky this year. I can't log in with Brave or Firefox at all. And last week when I tried to download CRA T-slips to my tax package, it let me log in, but refused to download on Win7 with any browser due to "expired token". I had to switch to Win10, where the same browser version would download the T slips.
Deal Addict
Feb 24, 2008
1981 posts
554 upvotes
Jucius Maximus wrote: Someone on Reddit posted that they received a message from the CRA that the 2FA is being globally disabled due to the number of complaints, and will re-evaluate before rolling it out again next year. (source)
Thanks for this information. Few days ago, I was prompted to sign up for 2FA while logging into my CRA account. Last few days, I noticed that I have not been prompted to input the SMS code while logging in and I was wondering what happened. So after reading your post, now I know that they got rid of it (for now).

Top