Government Gateway PAYE for employers entry validation codes

12 December 2017

2 Step Verification (2SV) is a requirement for most businesses accessing HMRC's online services and has prompted discussions over the last few months about the way the access code is sent to users .

2SV protects government credentials from hijack or malware by asking the customer to enter a 6 digit code, sent to a mobile phone or landline, each time they log into their digital services.

This is an area that has initiated dialogue through various channels, including CIPP’s LinkedIn group. There are reports of issues in particular where an office has only one landline, no work mobile phones and several PAYE references to deal with. Many people understandably want to avoid having to use their personal mobile phone for work purposes. One solution that has been set up for one company is an inbox that emails the access code received by SMS to a selected group of team members who can then use the code to access the account.

As per one of HMRC's Tax Agent Blogs many businesses need to delegate account access to members of their staff to handle aspects of their tax. This can still be done with 2SV. Access credentials should not be shared; instead, business users can utilise their administrator and assistant functionality - in their Business Tax Account - to create additional users for individuals requiring access to their account. Each of these credentials will then have its own 2SV.


We asked HMRC if they were looking at the possibility of sending codes via email or if there was an alternative solution in the pipeline? Their response was this:

“Previously, we have looked at email as an option for extra security.  For a number of reasons, we have found that it is not secure enough for us to use as a form of 2-Factor Authentication. However, we do constantly re-evaluate all possible extra security methods based on the changing online security landscape and email is always part of that exercise.

HMRC Extra Security Process has been created to ensure one account is not shared between multiple users.  When setting up extra security, you will be able to create Admin and Delegate accounts so every user will have an account which they can then protect with extra security.

To provide different options for users, we offer Mobile SMS, landline, or the option of an authenticator application. The HMRC App (which we recommend) is available on the Windows, Apple and Google stores for free or you can use one of the many free authenticator applications available for Windows, Android and ISO (such as Google Authenticator).”


If you do encounter issues using 2SV with HMRC, the Online Services Helpdesk is available to assist.