I don’t quite know when, but the Government of Canada seems to have quietly rolled out multi-factor authentication (MFA) on its CRA portal. I expect this happened sometime within the last week; at least for me it did. The only information I found on their website is detailed in this post.
This new service, named GCVerify, is a phone/SMS-based MFA solution that is now required after logging in to your CRA Account with either your GCKey credentials or Sign-In Partner.
If it’s the first time that you’ve logged in since the implementation, you’ll be walked through setting up MFA by providing your phone number. You’ll receive a code via telephone call or SMS to confirm your identity.
After your setup, you’ll be prompted to enter a one-time passcode every time that you log in to your CRA account. This includes both Personal and Business accounts.
The Personal Information Collection Statement page has also been updated (third paragraph) to reflect the changes, although the information itself leaves little to be desired. I’ve copied the paragraph that talks specifically about multi-factor authentication below.
We have a multi-factor authentication process for our online services. We collect the telephone number (landline or cell), method of delivery of the one-time passcode (telephone call or Short Message Service (SMS)) and language of choice to receive the one-time passcode that you provide when enrolling in multi-factor authentication. We share this information with the third party responsible for generating and sending you the code. The code you enter is also shared with the third party to ensure it matches before allowing you access to our online services.
It doesn’t specifically mention which vendor; however, when I dug through the Public Works and Government Services Canada website, I came across a tender notice titled Invitation to Qualify (ITQ) Identity and Access Management (IdAM) Software Solution, posted 2020/06/22, that has several mentions of multi-factor authentication. A bit of an assumption, but I wasn’t able to find anything that was any more relevant. It lists N7030:ADP Software as the Goods and Services Identification Number (GSIN).
This is definitely a step forward, but hopefully not a stopping point for the Government of Canada. As mentioned, phone-based and SMS-based MFA does have its own issues, but at least it’s something, right? The fact that it’s enforced on each and every login is great, and the tokens definitely time out, although I’m unsure of how long that timeout is. But you can’t currently manage any part of that service, so if you want to update your telephone number you will have to contact the CRA helpdesk at 1-800-959-8281.
And no, you can’t disable it. But, I wouldn’t suggest that you did anyway.