HMRC is introducing Multi-Factor Authentication (MFA) for agents signing in to HMRC online services. This applies to Government Gateway and Agent Services Account access. 

HMRC has confirmed that MFA for agent accounts is being rolled out in 2026.

What this means for BrightPay

There are no changes required in BrightPay as a result of this HMRC update.

BrightPay itself has not changed, and most HMRC-connected features in BrightPay will continue to work as normal. HMRC has also stated that there are no changes to its software channels such as Transaction Engine APIs, and that the application authorisation journey for software is not changing .

What is affected?

RTI submissions

RTI submissions such as FPS, EPS and CIS300 are not affected.

These submissions use HMRC’s Transaction Engine API, and HMRC has confirmed there are no changes to this software channel as part of the MFA rollout .

HMRC authorisation in BrightPay

The HMRC connection and authorisation process used by BrightPay does not require any BrightPay update as part of this change.

HMRC has confirmed there are no changes to the software application authorisation journey .

Coding notices

Coding notices are the main area where some agents may notice a difference.

When BrightPay connects to HMRC to retrieve coding notices, HMRC may ask you to complete MFA during sign-in. If this happens, the MFA step will appear on HMRC’s own login page in your browser, not inside BrightPay.

Once you complete the HMRC sign-in and MFA step, coding notices should continue to retrieve as normal.

Important to know

If you see an MFA prompt, this is coming from HMRC — not BrightPay.

BrightPay does not trigger, manage or control HMRC’s MFA process. This is part of HMRC’s own account security changes for agents .

What do I need to do?

You do not need to make any changes in BrightPay.

However, you should make sure your HMRC MFA is set up and working before your next payroll run or before retrieving coding notices.

HMRC recommends that agents:

• check whether MFA is already set up on their account
• confirm their existing MFA contact details are up to date
• consider using an authenticator app as the main method for receiving codes
• set up a backup authentication method

HMRC has also warned that if MFA was set up previously using old contact details, access codes may be sent to those saved details when MFA is activated .

If you are not receiving your MFA code

If HMRC is asking for MFA and you are not receiving the code, you will need to update your MFA settings with HMRC or contact HMRC directly.

HMRC recommends checking and updating MFA settings in advance to avoid disruption .

FAQs

Q. Has BrightPay changed?

A. No. BrightPay has not changed. This is an HMRC security update for agent sign-in.

Q. Are RTI submissions affected?

A. No. RTI submissions are unaffected by this HMRC MFA change because HMRC has confirmed there are no changes to the relevant software channels .

Q. Do I need to update BrightPay?

A. No update to BrightPay is required for this HMRC change.

Q. Why am I being asked for MFA when retrieving coding notices?

A. This is because HMRC may now require MFA when you sign in to access agent services. The prompt will appear on HMRC’s login page in your browser, not in BrightPay .

Q. Is this a BrightPay issue?

A. If the MFA prompt appears on HMRC’s sign-in page, this is part of HMRC’s own login process, not a BrightPay bug.

Summary

• BrightPay has not changed.
• No BrightPay update is required.
• RTI submissions are unaffected.
• HMRC authorisation for software is unchanged .
• You may see MFA when retrieving coding notices, but this happens on HMRC’s login page.
• If you have problems receiving MFA codes, you will need to check your HMRC MFA settings or contact HMRC directly .