Security measures to protect taxpayer information from external threats

The protection of taxpayer information is of the utmost importance for the Canada Revenue Agency (CRA). In today’s increasingly digital world, the CRA continually takes steps to safeguard sensitive information against ever-evolving threats.

Ongoing security enhancements

Multi-factor authentication

The CRA uses multi-factor authentication (MFA) throughout its sign-in services as a mandatory enhanced security measure. When prompted to enroll in MFA, users can select the telephone, third-party authenticator app, or passcode grid option.

Individuals need to enter a one-time passcode to access the CRA sign-in services when they sign in. Each code is good for a single sign-in session.

Mandatory email address on file

To help protect taxpayers’ online accounts from unauthorized access, My Account users are required to have an email address on file with the CRA. Individuals who do not currently have an email address on file will be prompted to provide one upon sign-in.

This security feature sends individuals email notifications when important changes are made on their account, such as changes to their address, direct deposit, or credential information (such as user ID and password). Email notifications act as an account alert for potential unauthorized access. Canadians who receive these notifications, but have not authorized any changes, should contact the CRA immediately.

Taxpayers should be cautious of any communication that claims to be from the CRA and requests personal information such as a social insurance number (SIN), credit card number, bank account number, or passport number.

The CRA will not send an email that gives or asks for personal or financial information and asks you to click on a link.

For more information on how to recognize CRA-related scams, visit Scams and fraud.

Personal Identification Number

As an added security measure, taxpayers can set a unique Personal Identification Number (PIN) for their account in order to identify themselves quickly and securely when calling the CRA on the individual income tax and benefits enquiries lines.

Captcha

To help distinguish between human users and web robots, Captcha was implemented in all CRA portals. This security feature requires individuals to identify specific images before being granted access to our digital services.

Maximum one credential

New users can only register one credential with the CRA (either a CRA user ID and password or a Sign-In Partner). This prevents users from registering a new credential if they already have at least one on file. Provincial partners are not affected by this limit.

At-risk CRA user ID and password revocations

To help prevent incidents of unauthorized access and to safeguard taxpayers’ information, the CRA conducts routine checks and analyses to identify CRA user IDs and passwords that may have been obtained by unauthorized parties. These CRA user IDs and passwords may have been obtained through sources external to the CRA, such as email phishing schemes or third-party data leaks.

CRA user IDs and passwords identified as being at risk are revoked. Affected individuals receive an email notification explaining why their credentials have been revoked, which includes instructions on how to regain access to their CRA account.

Inactive credential suspensions and revocations

The CRA suspends and revokes credentials after a prolonged period of inactivity. This eliminates the risk of unused or forgotten credentials being misused by bad actors to gain unauthorized access to taxpayer accounts.

Expanded character limit for passwords

The CRA account sign-in credential allows passwords to be between 8 and 64 characters. This range gives users the option to create longer and stronger passwords, and is more flexible for those who use password manager software.

Identity Protection Services

In addition to the ongoing security enhancements above, the CRA created the Identity Protection Services (IPS) program to better help suspected identity theft victims. The program also responds to suspicious account activity to protect individuals and their information before identity theft occurs.

The IPS program reviews all cases of potential identity theft, dealing directly with identity theft victims, to make sure that their online account is restored and remains protected from unauthorized activity.
