I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened at sometime within the last week, at least for me it did. The only information I found on their website is detailed in this post.
This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.
If it’s the first time that you’ve logged in since the implementation you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.
InfoSecCheck
This identity validation tells CRA that your telephone number has a trusted relationship to your username (which you’ve already logged in to as, with your password). If someone were to get access to your telephone number and intercept or view your calls and SMS, they could effectively access your MFA passcodes. A common tactic is for a malicious actor, who already has your username and password, to login to your account. They then send you an SMS purporting to be the business (in this instance, Government of Canada) asking that you provide them with the passcode that was sent to your phone to verify your identity to unlock services, access additional resources, or any other statement that might prompt you to provide them with that code. You’ve been social engineered and now that code is in the hands of the attacker. Never give out your MFA passcodes.
After your setup you’ll be prompted to enter a one-time passcode every time that you login to CRA account. This includes both Personal and Business accounts.
The Personal Information Collection Statement page, has also been updated (third paragraph) to reflect the changes, although the information itself leaves little to be desired. I’ve copied the specific paragraph that talks specifically about multi-factor authentication, below.
We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.
It doesn’t specifically mention which vendor, however, when I dug through the Public Works and Government Services Canada website, I came accross a tender notice title: Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. A bit of an assumption but I wasn’t able to find anything that was any more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).
This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA does have it’s own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely timeout, although I’m unsure of how long that timeout is. But, you can’t currently manage any part of that service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.
And no, you can’t disable it. But, I wouldn’t suggest that you did anyway.
Your website is a target. It’s a target for both your clients to find information about your business, and those who wish to do your business and its interests harm. ...
The Internet has changed, and so has how the majority of us use it. According to Google there are 1,197,982,359 websites in the World as of January, 2021. When the [...]
