Month: November 2020

Government of Canada Quietly Rolls Out Multi-Factor Authentication


I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened at sometime within the last week, at least for me it did. The only information I found on their website is detailed in this post.

This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.

If it’s the first time that you’ve logged in since the implementation you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.

InfoSec Check

Identity Validation

This identity validation confirms that your phone number should be associated with your username.

You should never allow anyone to access your telephone or text messages. A threat actor with access to your text messages can bypass text message based two-factor authentication (2FA) very easily. If given the choice, you should use a 2FA application such as Google Authenticator.

After your setup you’ll be prompted to enter a one-time passcode every time that you login to CRA account. This includes both Personal and Business accounts.

Multi-factor Authentication page on the Government of Canada CRA Login
Multi-factor Authentication page as seen during the Government of Canada CRA Login

The Personal Information Collection Statement page, has also been updated (third paragraph) to reflect the changes, although the information itself leaves little to be desired. I’ve copied the specific paragraph that talks specifically about multi-factor authentication, below.

We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.

It doesn’t specifically mention which vendor, however, when I dug through the Public Works and Government Services Canada website, I came accross a tender notice title: Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. A bit of an assumption but I wasn’t able to find anything that was any more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).

This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA does have it’s own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely timeout, although I’m unsure of how long that timeout is. But, you can’t currently manage any part of that service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.

And no, you can’t disable it. But, I wouldn’t suggest that you did anyway.

Additional Resources:

Multi-factor authentication to access CRA login services

Introducing $7 Business Website Hosting

Server Racks

Your website is a target. It’s a target for both your clients to find information about your business, and those who wish to do your business and its interests harm. This has never been more true than in 2020. Covid-19 has sent many businesses to a work-at-home model and so many people are living their lives at home more.

Rogue Security envelops the C.I.A. triad in every product and service that we develop, and our Business Website Hosting service was no exception. This focus on ConfidentialityIntegrity, and Availability ensures that your business website is accessible, and secure, from the ground up.

Website Hosting Made Simple

Using WordPress Toolkit you can get your business website up and running quickly. WordPress Toolkit is a cPanel plugin allowing you to install, update and manage your WordPress installation without logging into it. The AutoSSL requests and installs a Let’s Encrypt signed SSL Certificate for any of your domain names quickly and easily, at no additional cost!

Warrantied SSL Certificates are also available for purchase.

Always Available and Protected

Our priority is keeping your website available to your current and future customers. We provide a 99.99% uptime guarantee, with approximately 1 minute of downtime per week for maintenance restarts. We know security. The OWASP (Open Web Application Security Project) ModSecurity™ CRS (Core Rule Set) is a set of rules that protect our servers and increase the amount of protection greatly.

The Tools You Need

With complete access to cPanel you have all of the tools that you need to build a beautiful, accessible website for your business.

Sign-Up Now

Please contact for more information and to sign-up.