Canadians’ personal tax returns are typically due towards the end of April, usually by the third or fourth week of the month.
During this time, a lot of CRA security codes will be issued to Canadians who need to reset their passwords, log into old accounts, or create new accounts with the CRA.
A CRA security code is a temporary, unique code that’s sent to Canadian taxpayers by the CRA. This code can either be sent via text or email, and is used as a form of two-factor authentication.
Below, I’ll explain a bit more about why the CRA uses these security codes, when you’ll need to use a CRA security code, and show you how to create a new CRA My Account using your code.
In short, your CRA security code helps keep your account safe by ensuring that it’s really you who’s logging into your account. Each CRA security code is an 8-digit number that’s randomly generated and temporarily linked to your CRA My Account.
This code is often used to help verify your identity when logging into your account or making important changes to your CRA account.
Once the code has been used for its intended purpose, it’s invalidated and recycled to be used as a code for other CRA taxpayers.
The CRA security code is a type of two-factor authentication (or 2FA) that’s designed to cut down on fraud and identity theft. Whenever you’re creating a new CRA My Account, for example, you’ll be asked to provide a contact phone number and/or email address.
To verify that your phone number or email address is legitimate (and isn’t a bot account), the CRA will send a security code to the provided number or email address. You’ll be given a limited amount of time to enter this code into the CRA’s system before the code is automatically invalidated.
This code does several things, including:
- Verifies your phone number working
- Verifies your email address is working
- Verifies that the phone or email in question is owned by a real person
- Ensures that the person is who they say they are by only allowing for a limited time window in which to enter the code
Can two-factor authentication be bypassed or hacked? Sure.
However, the hacker or fraudster in question would not only have to have all of your personal identification information but would need to have access to your email or cell phone as well.
The likelihood of this scenario happening is pretty rare, which is why the CRA uses security codes to authenticate its platform users.
In 2020, the CRA and taxpayers were victimized by a major hacking attack. The attack compromised over 5,000 Canadian taxpayer accounts, leaking their private information to the attackers.
As a result, the CRA has spent considerable effort to rebuild its outdated system and create a more secure environment for its users.
Although the CRA has used security codes for years to verify new accounts, the system is now requiring users to input security codes for a number of different actions, including:
- Submitting documents
- Modifying your personal information (name, address, job, etc.)
- Adding or removing tax representatives and accountants from your account
- Registering a dispute with the CRA
- Applying for child benefits
- Setting up direct deposit for your tax refund and tax credits
- Filing GST/HST rebates
- Requesting a CPP ruling
Any action that you take that could significantly impact your finances, or that changes the personal information on your account will now require CRA online users to verify their identities with two-factor authentication.
Wondering how to set up your CRA My Account and use your CRA security code to verify your account? Here’s a simple step-by-step guide on how to use your CRA security code to start filing and paying your taxes online.
Assuming that you don’t already have a CRA My Account, you’ll need to register for a new one. Thankfully, this process is relatively easy since the government of Canada keeps records of all of its residents.
To register for your first account, you’ll need to provide the following information:
- Your full legal name
- Your social insurance number (SIN)
- Your postal code
From here, the CRA will be able to look up your account and start the sign-up process. If you’re having difficulty with this step, then you may need to call a CRA agent and speak to them over the phone, as your taxpayer records may not be correct.
Once the CRA is able to verify your personal identity using your SIN, name, and postal code, you’ll be prompted to create a unique username and password.
You’ll use this account information to log into your account, so it’s a good idea to save your password somewhere safe, to avoid having to reset it in the future.
After verifying your username and password, you’ll be asked to set up several security questions and personal answers. In the event that you lose your password or are unable to receive a CRA security code, you’ll use these questions and answers to verify your identity with a CRA representative.
When setting up your security questions, I recommend choosing questions and answers that only you (and possibly those closest to you) know.
For example, if your public Facebook page states where you went to primary school, it’s not a good idea to select, “Where did you attend primary school?” as a security question.
After setting up your CRA security questions and answers, you’ll usually be asked to complete a final two-factor authentication. An 8-digit CRA security code will either be texted to your phone number or emailed to your registered email address.
You’ll then enter this code into the CRA form to verify your identity. After this, you should be able to fully access your account.
The CRA’s online platform is usually pretty quick. After it’s sent, your CRA security code should arrive via text or email within a couple of minutes.
If more than five minutes have passed, then you may need to request an additional code to be sent to you. Apart from errors on the CRA’s end, some of the reasons why you may have trouble receiving your code could include:
- You have poor cellular service
- Your wifi connection isn’t working properly
- Your email inbox needs to be refreshed
- Your phone’s SIM card is glitching, and your phone needs to be restarted
If you’ve tried to troubleshoot the issue using these methods, then the email address or phone number you have on file with the CRA may be incorrect. In this case, you’ll need to contact the CRA and speak to a representative on the phone to verify your account and regain account access.
CRA security codes are 8-digit numerical codes that are designed for one-time use. Each security code that you receive from the CRA will be completely unique and different from the previous code you received.
Sign-In Partner and Provincial Partner for CRA
When using the Canada Revenue Agency (CRA) services online, you also have the option to sign in with a Sign-In Partner (SecureKey Concierge).
Sign-In Partners: Sign-In Partners are financial institutions that have partnered with SecureKey Technologies to enable their customers to use their online credentials (e.g., card numbers or usernames and passwords) to access Government of Canada services. There are several financial institutions acting as sign-in partners, including:
- BMO Financial Group
- CHOICE REWARDS MasterCard
- RBC Royal Bank
- National Bank of Canada
- TD Bank Group
- Desjardins Group
Provincial Partners: These are digital ID services provided by some provinces to their residents, which can also be used to access federal services. Only the province of British Columbia offers this service through their BC Services Card.
The CRA uses a security code to help authenticate users’ identities and prevent hacks like the one we saw in 2020. So far, this simple method of two-factor authentication has done a good job of that, as there haven’t been any major hacks in the past few years.
Interested in learning more about how to become a tax expert in Canada? The first step is to become a chartered CPA (certified personal accountant).
Keep on reading to see my step-by-step career path on how to become a CPA in Canada next!