Advisers defy mandatory two-step verification

HMRC 2-step verification causes problems for agents

HMRC’s intention to make two-step verification (2SV) mandatory for individual and business taxpayers from September has prompted further grumblings from accountants about the practicality of the digital security infrastructure.

An Any Answers thread on the subject last week included the text of an email from HMRC explaining, “From September 2017, HMRC will make it a requirement for all businesses using their online tax accounts to register for 2 Step Verification (2SV) – if not already using it.”

When logging in from September, tax account users will be asked to register for the security mechanism. “The result of this minor change means greater security for customers and a safer experience when using our online services,” HMRC said.

The 2SV process involves giving HMRC a mobile number when a tax account is created, to which it sends a six-digit verification code whenever anyone attempts to log in to that account.

The point of 2SV is to protect personal tax data, and as part of that process HMRC wants to stop agents from using client IDs to log into their online records. But as kevinringer and many other AccountingWEB contributors have warned, agents will continue to go direct to client accounts because HMRC is not giving them access to data they need to see, such as how payments have been allocated against the client’s different tax liabilities.

The AccountingWEB conversation revolved around how agents would cope with the flood of client ID codes sent to mobiles at their firms as they circumvented the tax department’s security apparatus. One solution suggested was to get a pay-as-you-go mobile to receive the texts, while alan.rolfe recommended using a virtual mobile number text to email service.

These convoluted arrangements will be necessary “until HMRC gives us access to the information we need”, Kevin Ringer told AccountingWEB. “The only alternative they are offering is to write in, which is a waste of time and HMRC resources.”

2SV is coming for agents too, but more slowly. At the moment, those wanting to connect their software to HMRC’s application programming interfaces (APIs) will need to activate 2SV to do so, and eventually the security regime will hold the key to online agent services. The authorisation process will only be required on an occasional basis for agents, and not every time they log in.

Previously, however, Ringer raised the alarm about confusion and security controls around 2SV after he received a spate of access codes for his business tax account while on holiday.

When he contacted the HMRC helpdesk, he had to go through an endless, repeating loop of security checks with helpdesk staff who were unable to trace the source of the texts (which later appeared to have been generated by a colleague accessing the account).

“My concern is HMRC has no procedure for investigating these cases and no security hotline,” he said.

About John Stokdyk

AccountingWEB’s global editor has been with the site since 1999 and likes to spend his time studying accountants’ technology habits. When not nerding out, you can find him exploring obscure indie music and searching for the perfect organic sourdough loaf from his base in Brighton, UK.



10th Aug 2017 09:20

the 2SV process is a major ball ache and frankly unnecessary

clients already have a secure set up in place and need an activation code for all services before they can be used properly anyway. is that no longer secure on its own?

This is yet another example of HMRC trying to play god and focusing their attention in the wrong place, this makes it harder for clients and harder for their appointed agents.

Perhaps if standards hadn't slipped so badly and work was carried out correctly at HMRC, or their helpline advisers knew what they were talking about, or at least showed a bit of cooperation, there wouldn't be a need for agents to login to their clients' accounts to see how they've messed it up

what HMRC really needs to do is to have an adequate number of staff in place and give them the proper training that they need to prevent the constant stream of [email protected]#k ups that we see coming from them.

This all costs our clients extra in our fees and is a waste of time, personally I would rather not have to charge our clients for sorting out a mess they haven't made themselves

Thanks (9)
10th Aug 2017 10:22

What is going to happen in firms with large numbers of staff, or multiple sites? Would there be one communal mobile phone? What if 2 or 3 staff members logged in at roughly the same time - you wouldn't know whose code was whose, would you?
Perhaps they need to come up with a dongle thing like the banks do, or something like Google Authenticator or a similar app each staff member could use on their own mobiles.
How much fraud can really take place and what could fraudsters achieve anyway?

Thanks (4)
By SXGuy
to Barkster
10th Aug 2017 11:15

Do you not already have separate user logins under one account via gateway? I'm sure I've noticed that option. Then all staff will hold their own login and I guess link to their own verification process.

Thanks (0)
to Barkster
10th Aug 2017 13:26

Barkster wrote:

How much fraud can really take place and what could fraudsters achieve anyway?

Really?! Good god. Complacency about cyber fraud will be, and already is, one of the biggest dangers we all face over the next 20 years. It is the reason people still use passwords like "password" or "12345". Only the other day, the RBS boss was castigated for suggesting customers might need to take some responsibility if they are tricked into sending money to online scammers.

And we all know the reaction if HMRC's systems were compromised? Even a few refunds being redirected elsewhere would soon lead to a mass outrage about incompetence, how HMRC can't be trusted, and how no-one should continue to use the digital systems. Imagine what the phone lines and post will be like then. You can imagine the headlines now.

But, to hell with all of that if it isn't completely convenient for us...

Thanks (2)
to Wild Billy
10th Aug 2017 15:29

Surely the answer with fraudulently redirected refunds is to take us out of the equation altogether - let the client register their bank details directly with HMRC and we just tick if a refund is required or not. Or stick to cheques! Much like reissuing a UTR, it would only ever be sent to the client's registered address (or registered bank).

Thanks (1)
10th Aug 2017 10:59

Retirement beckons more strongly every day a new initiative from HMRC is announced.

Now if I can get enough pension together .....

Thanks (4)
to richardterhorst
10th Aug 2017 11:58

Richard I have already made that decision. Every time HMRC changes something it's a nightmare. I was hoping that the extra security log in mobile rubbish wouldn't happen until after I escaped at Xmas!!!!

Thanks (3)
10th Aug 2017 11:04

Good luck with that !

Don't be sad - you're just being replaced with a free app on a mobile phone which takes photos of receipts and miraculously turns them into a set of accounts and a tax return.

What could possibly go wrong with that ??!!

Thanks (8)
10th Aug 2017 11:17

I don't have any mobile signal where I work. What am I supposed to do, apart from move?

Thanks (2)
By catlady
to St Bruno
10th Aug 2017 11:24

They do allow landlines just get a call from an American voice reading out your code!

Thanks (2)
By Briar
to catlady
10th Aug 2017 17:34

and if your answermachine is on, it doesn't wait for the tone .. Aagh!

Thanks (1)
By Briar
to St Bruno
10th Aug 2017 17:42

I have 3 mobiles - O2, EE and Voda - EE sometimes works in the office, O2 never works in the office but does work elsewhere, I have to go outside and move 50 yards away to get a Voda signal. EE seems to have the best coverage but it doesn't always. The joys of working in the Lake District and Yorkshire Dales (good leisure though). This also applies to clients so if the access code has gone to their mobile, sometimes I cannot contact them.

Hence I have resisted 2SV so far.

And the internet speed is crap too (1mps upload today)

When will HMRC (and others) realise that we in the sticks don't have full use of modern technology?

Thanks (2)
10th Aug 2017 11:45

ahh technology - the answer to all of the world's ills....

Thanks (3)
10th Aug 2017 12:31

Of course, another reason why MTD will fall flat on its back.
It now really is time to forget MTD and go full strength with Agent Strategy, which in my opinion was shelved to make way for this MTD crap.

Thanks (2)
10th Aug 2017 13:03

The whole problem with these HMRC verification methods is that any crook worth their salt is more than able at assimilating the necessary data before signing a person up - P60s can be got hold of and passport numbers from various dark web sources.

Whoever it is that devises these systems does not have the necessary capability to think like a criminal (nor do many other law enforcement agencies, come to that). In order to make a more secure system you need a white-hat hacker equivalent and some ex-cons that are 'going straight' and prepared to lend their experience.

With social media, you have people volunteering the responses to many security questions in public *with their name*! Phishers frequently post on (for example) Facebook a question such as "Which was your first school"/"what was your first pet's name". The innocent imbeciles on there then reply! Of course, those charged with preventing fraud don't consider these sort of things anything more than a bit of fun.

The only real way to make this sort of thing more robust is a hardware option with maybe quarterly ROM upgrades through an invite only link. No system will be 100% but that is better than what we have now.

Thanks (4)
10th Aug 2017 16:45

Thanks Catlady. You mean they actually allow something other than their preferred choice? Stunning!

Thanks (0)
11th Aug 2017 16:58

They need to hold out for an extra step,

"Well the crowd cleared away
And I began to pray
And the water fell on the floor
And I'm telling you, son
Well, it ain't no fun
Staring straight down a forty-four
Well, he turned and screamed at Linda Lou
And that's the break I was looking for
Well, you could hear me screaming a mile away
I was headed out toward the door

"Oh, won't you
Gimme three steps, gimme three steps, mister
Gimme three steps toward the door?
Gimme three steps, gimme three steps, mister
And you'll never see me no more"

Thanks (0)
17th Aug 2017 13:07

I recently encountered a major problem with this 2SV process, when a client's mother died who did all their bookkeeping, so the security texts went to her mobile phone.
I offered to help out to get VAT and CIS returns filed online but there was no way to get in and update the user & mobile records, and HMRC were totally unhelpful & uncooperative even though I was registered as the client's agent. I eventually got passed to a bereavement department (never knew HMRC had such a thing) but as it wasn't the client that had died they couldn't help either.
In the end I had to ask a very recently bereaved husband to turn his wife's mobile on, which I felt awful about. I was then able to get in and make all the necessary changes.
Yes you can set up the accountant/agent here with their own access codes and phone number as well as the client having their own codes.
Something both we and HMRC need to think about as I can think of many scenarios where a brick wall will be hit with all this so called progress.

Thanks (0)