Research exploring how businesses manage access to HMRC online services — report

Published 29 January 2026

Qualitative research with small and mid-sized businesses to understand experiences of managing access to HM Revenue and Customs’ (HMRC) online services, focusing on identity verification, authentication, and login credentials.

HM Revenue and Customs (HMRC) Research Report 844.

Research conducted by Verian between March and April 2025. Prepared by Verian (Joanna Bolton, Lucy Williams) for HMRC.

Disclaimer: The views in this report are the authors’ own and do not necessarily reflect those of HMRC.

1. Executive summary

1.1 Background and methodology

HMRC has an ambition for businesses to view their tax affairs and report relevant information through its online services. Its success depends on the effective management of login credentials and access, as well as robust identity verification and authentication processes.

Credentials, identity verification and authentication systems directly impact customers’ ability to access and use HMRC services. When these processes are unclear or inefficient, they can introduce complexity and increase the need for customer support.

To explore these challenges, HMRC commissioned research to understand how small and mid-sized businesses currently manage credentials for its online services, their experiences with the existing HMRC identity verification and authentication processes, and their expectations for the future.

In total, 43 in-depth qualitative interviews took place via an online platform or by telephone with small and mid-sized businesses. Interviews were 45 to 60 minutes long and all fieldwork was carried out between 5 March and 4 April 2025. Interviews were conducted with the person responsible for finance within the business.

1.2 Key findings

Use of online services

The key findings about the use of HMRC online services were as follows:

  • among the interviewed smaller businesses with up to 50 employees, one member of staff tended to manage HMRC services, and this was generally the company founder, or a business or finance director

  • among the interviewed mid-sized businesses with 50 or more employees, more than one member of staff tended to manage HMRC services, and this was commonly a finance or office management team

  • where more than one member of staff managed services, each member of staff typically had responsibility for different taxes and tasks

  • businesses commonly felt that managing HMRC online services was easy, but there were challenges with navigating and understanding the website and helplines, leading businesses to rely on agents for support

Multi-factor authentication

Multi-factor authentication is a security process that requires users to provide 2 or more verification factors to gain access to an account. HMRC requires users to provide a password and an authentication code, which can be received by text, voice call or authenticator apps.

The key findings about HMRC multi-factor authentication were as follows:

  • multi-factor authentication was familiar to participants as they completed it for a range of other services and organisations (such as online banking), and they saw it as a routine, important and proportionate security process

  • participants could face issues receiving multi-factor authentication codes, such as if there is no phone signal or phones cannot be accessed

  • access issues were also faced when only one personal number was provided for multi-factor authentication and that person left the company without adding a different number

  • participants were positive about the use of biometrics for multi-factor authentication, particularly fingerprint and face scans, but wanted a choice about whether they used it or not

Identity verification

Identity verification provides assurance that the person accessing HMRC services is who they claim to be. This is done by providing 2 different types of evidence from the following list: passport information, driving licence information, answering questions about Self Assessment, payslip or P60 details, or credit reference history.

The key findings about HMRC identity verification were as follows:

  • participants generally reported positive experiences of identity verification

  • it was a familiar process and they completed similar processes for other services and organisations

  • providing alternative evidence for identity verification, other than passport and driving licence details, was reported to be more challenging

  • there were concerns that there are not enough evidence options, as participants may not have a driving licence, UK passport or P60, or may not claim tax credits

  • receiving a PIN in the post could fragment user journeys and businesses could be unclear about the security benefits

Login credentials and access

HMRC login credentials consist of a Gateway ID and password.

The key findings about HMRC login credentials and access were as follows:

  • some interviewed businesses reported sharing credentials (rather than each employee having unique credentials) because it was easy to manage, as well as flexible to workforce changes

  • some of these participants shared an office work phone to log into HMRC accounts

  • credentials were stored in a variety of ways, including by internet browsers, in emails, and written down (kept on a desk or locked in a drawer) by businesses who shared credentials

  • relying on a single set of credentials could block access to services if multi-factor authentication codes cannot be received, such as if the phone that multi-factor authentication is linked to is lost or stolen, or the person it belongs to leaves the business

2. Background and research design

2.1 Background

HMRC is undergoing a major transformation to become a ‘digital-first’ organisation by 2030, aiming for at least 90% of customer interactions to take place digitally. A key part of this ambition is improving the Business Tax Account, which enables businesses to manage their tax affairs and self-serve online. This direction is outlined in HMRC’s Transformation Roadmap, which sets out plans to simplify processes, enhance digital services, and modernise the tax administration system.

The success of this vision depends on robust identity verification and authentication processes for HMRC customers, as well as effective management of login credentials and access (detailed definitions of authentication and identity verification are provided below). These customers include businesses and their representatives, such as accountants.

Identity verification and authentication processes directly affect customers’ ability to use HMRC services. When these processes are unclear or inefficient, they can introduce complexity and increase the need for customer support.

To explore these challenges, HMRC commissioned research to understand how small and mid-sized businesses currently manage credentials for its online services, their experiences with the existing HMRC identity verification and authentication processes, and their expectations for the future.

This insight forms the foundation for identifying opportunities to improve the user experience of HMRC’s online services. This will enable businesses to manage access securely and efficiently for those who need it.

2.1.1 Definition of authentication

Authentication confirms that a returning user is the same individual who was previously verified; it involves supplying correct credentials and completing multi-factor authentication. Credentials consist of a Gateway ID and password, and multiple staff members may need to use credentials to access a business’s HMRC services.

Multi-factor authentication is a security process that requires users to provide 2 or more verification factors to gain access to an account. HMRC requires users to provide a password and an authentication code, which can be received by text, voice call or authenticator apps.

2.1.2 Definition of identity verification

Identity verification provides assurance that the person accessing HMRC services is who they claim to be. This is done by providing 2 different types of evidence from the following list: passport information, driving licence information, answering questions about Self Assessment, payslip or P60 details, or credit reference history.

2.2 Research questions

The overall aim of this research was to understand how small and mid-sized businesses currently manage login credentials and access to HMRC’s online services, as well as their expectations for improved identity verification and authentication services.

The research questions covered 3 areas:

Current practices

  • who requires access to HMRC services?
  • how are staff and intermediaries granted access to services?
  • what pain points are encountered accessing services?

Preferences for future identity verification and authentication services

  • what do businesses need from identity verification and authentication services?
  • how would businesses prefer identity verification and authentication to work to meet those needs?
  • what would the processes ideally look like?

Identity verification and authentication for representatives

  • how do businesses manage their HMRC login credentials and access when working with an agent?

2.3 Research methods

The research consisted of 43 in-depth qualitative interviews with small and mid-sized businesses. An initial hypothesis workshop with HMRC stakeholders helped shape the sample design and interview materials. Interview data was analysed using a process-driven and interpretative qualitative approach.

2.3.1 Hypothesis workshop

A hypothesis workshop was held in February 2025 with a range of HMRC stakeholders. The aim of the workshop was to identify gaps in existing insight, hypothesise potential pain points for businesses, and determine how the research could be most useful to HMRC.

Insights from the workshop informed the final sample design and shaped the research materials used in the mainstage interviews with businesses.

2.3.2 Interviews with businesses

Following the workshop, in-depth interviews were carried out with small and mid-sized businesses.

In total, 43 qualitative interviews took place via an online platform or by telephone. Interviews were 45 to 60 minutes long and all fieldwork was carried out between 5 March and 4 April 2025. Interviews were conducted with the person responsible for finance within the business.

Sampling was primarily based on characteristics hypothesised to drive differences in businesses’ experiences, drawing on learning from the initial hypothesis workshop. Criteria were divided into primary and secondary quotas, based on perceived likelihood to drive variations in experience. Primary criteria included business size, how long the company had been trading, tax complexity, and use of agents for financial services (see Table 1 below, for full sampling information see Appendix 1).

Table 1: Primary sampling criteria, quotas and achieved sample

| Criteria | Achieved sample |
|---|---|
| Business size: 0 to 9 employees | 23 |
| Business size: 10 to 49 employees | 10 |
| Business size: 50 to 249 employees | 10 |
| Years trading: Under 1 year | 10 |
| Years trading: 1 to 3 years | 10 |
| Years trading: Over 3 years | 23 |
| Tax complexity: Low complexity | 10 |
| Tax complexity: High complexity | 33 |
| Use of financial service agents: Outsources one or more services | 37 |
| Use of financial service agents: Does not outsource | 6 |

2.3.3 Analysis

The qualitative analysis process was process-driven and interpretative.

The process-driven element used a matrix mapping framework technique, in which data was coded and systematically summarised into an analytical framework organised by issue and theme. The framework was developed to reflect the research objectives, the discussion guide and the themes which emerged from brainstorm sessions.

The second analysis element, which was interpretative, focused on identifying features and patterns within the data, mapping the range and nature of data, finding associations, defining concepts, creating types, and undertaking sub-group analysis. This process created descriptive accounts and explanatory data, which came not only from aggregating patterns but by weighing up the salience and dynamics of issues and searching for structures within the data that have explanatory power. Researcher analysis sessions were used to support interpretation of the data, during which the research team came together to discuss and test emerging themes and insights.

2.4 How to read this report

Findings from this report reflect the range of experiences of those who participated in the research. It is important to note that qualitative research uses small sample sizes and therefore findings are not representative of the experiences of businesses as a whole and are not presented in percentage or statistical terms.

Anonymous verbatim quotes from participants are used throughout the report to illustrate key findings from businesses of different sizes (for example, 0 to 9 employees).

3. Use of HMRC online services

This chapter covers the use of HMRC online services in general, including both the Business Tax Account and other services. It explores the ways in which services are used and managed, as well as overall experiences of HMRC online services.

3.1 Overall usage

The Business Tax Account was the key service used across businesses, as well as the Personal Tax Account for sole traders. Use of other HMRC online services, such as the HMRC Excise, Import and Export Service, or the Customs Declaration Service, was much more limited.

HMRC online services were used for a range of reasons, including completing administration related to VAT, checking payroll information, paying tax and checking repayment plans.

The role of the person who set up HMRC online services varied by business size. In smaller businesses with up to 50 employees, it tended to be the business founder who set up the services. In mid-sized businesses with 50 or more employees, it was commonly someone working in finance.

The number of people responsible for managing HMRC online services also varied by business size. While just one member of staff tended to have oversight in smaller businesses, more than one person had this role in mid-sized businesses. This included the business founder and various members of the finance or office management team.

The frequency that businesses logged in to HMRC services reflected the nature of the taxes being paid. For example, businesses reported that the Construction Industry Scheme (CIS) and paying Pay as You Earn (PAYE) taxes require monthly submissions, while other taxes require annual information submissions. Outside of this, businesses reported logging in more frequently when they wanted to monitor repayment plans, or when setting up the services, in order to check they were set up correctly.

3.2 Experiences of managing services

Businesses commonly felt that managing HMRC online services was easy. This included adding taxes, which was said to be relatively straightforward, despite it being time-consuming to provide the required information to add new taxes to services (such as reference numbers and codes).

While managing services could be easy, there were pain points experienced. Participants described that knowing where to access information and taxes on the website was not always straightforward and that they needed to click through multiple webpages to reach the required information. They also thought that a certain level of financial confidence and knowledge was needed to set up and use services. Language could also be unclear and overly technical, such as the use of ‘Government Gateway’ rather than ‘user ID’ when logging on to services. Participants further said that the time taken to add taxes to services could be problematic. For example, if businesses had deadlines, such as adding VAT to a Business Tax Account before the VAT threshold was passed, they needed to access services quickly. They were prevented from doing this by needing to wait to receive PINs sent via post.

These challenges were notably experienced by individuals tasked with managing tax administration without being specialists, such as company founders, those without the support of an agent, and individuals with neurodivergence.

Case study: Difficulties setting up and managing a Business Tax Account because of the technical language

Ravi’s construction business is a limited company. He is the only full-time employee, but he uses subcontractors. He manages the tax account himself without the help of an agent.

Ravi felt that the Business Tax Account requires a level of financial knowledge to be able to add relevant taxes and discuss issues with HMRC.

For example, Ravi was automatically and incorrectly added to the Construction Industry Scheme when he created his Business Tax Account. He said this was because he provided incorrect information about how many employees his company has when setting up the account. This was because HMRC did not specify who counted as an employee and therefore it was not clear to those without prior knowledge of tax administration that this did not include subcontractors.

As a result, Ravi incorrectly counted his subcontractors as employees and was fined for not submitting a Construction Industry Scheme return.

“[HMRC] seem to want you to already know what information they want. So sometimes it’s quite hard…because you don’t fully understand and HMRC use acronyms…” (0 to 9 employees)

3.3 Use of agents

Businesses commonly used agents to support managing services and overcoming these pain points. Processes for granting agents access to their tax administration information were said to be simple and primarily consisted of having a PIN sent via the post. Businesses were not always clear about what information agents had access to, but assumed it would only be necessary information, and they generally trusted their agents to use this information correctly.

There were reports of businesses sharing their credentials with their agents, rather than agents logging in through the agents’ services account. In such cases, businesses shared credentials and multi-factor authentication codes with agents through email, secure systems, or messaging applications. They felt that giving them full access via this route was secure because they trusted their agents.

4. Authentication

This chapter explores HMRC’s multi-factor authentication process, which confirms returning users are the same users who have previously been verified.

Multi-factor authentication is a security process that requires users to provide 2 or more verification factors to gain access to an account. HMRC requires users to provide a password and an authentication code, which can be received by text, voice call or authenticator apps.

This chapter includes participants’ overall perceptions and experiences of multi-factor authentication and the different routes available, experiences of multi-factor authentication for accounting software linked to HMRC services, and participants’ views on the potential use of biometric data for HMRC multi-factor authentication in the future.

4.1 Overall perceptions of multi-factor authentication

Multi-factor authentication was a familiar process, which participants said meant it felt routine and easy to complete. For example, participants said multi-factor authentication was very common when logging in to online banking and computer programmes.

Multi-factor authentication was also perceived to be a necessary and proportionate HMRC security measure against hacking and fraud. Even when participants were unclear about the exact nature of threats to HMRC services, they felt cybercrime and fraud were generally becoming more prevalent and sophisticated, making HMRC multi-factor authentication important. Some participants thought it would be beneficial to add an additional layer of biometric multi-factor authentication. However, others who perceived nominal risk of account hacking said they would prefer not to complete multi-factor authentication to minimise user burden.

“Because tax is so important (it can be big sums of money and… it’s a government service), I feel a lot more open to multi-factor authentication and happy that HMRC do it.” (0 to 9 employees)

4.2 Perceptions of the different multi-factor authentication routes

HMRC currently offers 3 routes to receive codes for multi-factor authentication. These are: text, voice call and authenticator apps.

4.2.1 Text message

Text was generally the preferred route for receiving multi-factor authentication codes among the participants. This route was described as easy and convenient for several reasons:

  • texts typically arrive quickly and participants said that this was something they appreciated about HMRC multi-factor authentication (which was not always the case when carrying out multi-factor authentication for other organisations)
  • using text to authenticate was familiar, and something participants did regularly for multi-factor authentication with banks, online payment systems and other organisations
  • phones could pre-populate the access code from text messages, which reduced the time and effort of multi-factor authentication

“[Using texts], it’s seamless. It works really fast. I have never once failed to receive a code; it’s done in an instant.” (10 to 49 employees)

Despite text being the preferred route, issues were faced if there was no phone signal, or phones could not be accessed. For example, one participant said they could not turn their phone on when working in the Middle East for security reasons, which meant they could not access HMRC online accounts.

Issues were also faced when only one personal number was linked to the account and that person left the company without adding a different number. In such cases, multi-factor authentication codes could not be received and therefore a business was not able to access their online account.

Finally, the process for adding or changing a number for multi-factor authentication codes was reported to be unclear and time-consuming (as it could require redoing identity verification steps). This is outlined in the case study below.

Case study: Difficulties updating and adding a phone number for multi-factor authentication

Lore runs an accounting business, and she is a sole trader. She manages her HMRC online services, but her day-to-day work also involves supporting clients to manage their HMRC services.

Lore said that clients have been unclear how to update their mobile number for multi-factor authentication and, as a result, she had spent time working out how to do this.

Through exploring this issue, she became aware of the importance of having 2 numbers added to services in case someone is unable to use their primary number to receive a code (for example, if a phone is stolen). As a result, she has now added her partner’s number.

She thinks it would be helpful for HMRC to advise every business to do this when setting up services, so everyone has a trusted alternative number.

“I’ve never felt it was that clear on the website [how to add another number], but I actually learnt how to do it through helping other clients when they got stuck.” (0 to 9 employees)

4.2.2 Voice call

Voice call was less commonly used for multi-factor authentication codes but having it as an option was appreciated, particularly for those less ‘tech-savvy’. Overall, voice call was a less popular option because:

  • it takes more time to receive the code and requires listening to an explanation of the purpose of the call before a code is provided
  • codes need to be remembered or written down, which requires effort
  • someone might not be in a suitable location to receive calls, such as a quiet office
  • calls can be missed, especially if a phone is on silent mode

“I try to avoid that method [call] as it’s slower…With a call I have to wait for the call and listen to an explanation.” (0 to 9 employees)

Like texts, issues could also arise if only one number was linked to an account and that number needed to be changed or updated.

4.2.3 Authenticator app

Participants had used 2 different types of authenticator apps to carry out multi-factor authentication for accessing HMRC online services:

  1. third-party authenticator apps they already had for other services
  2. the HMRC app, to generate codes for logging in on their computer

The findings in this section refer to the first type of third-party authenticator app as participants focused their feedback on these apps rather than the HMRC app.

This research found that those who used authenticator apps also used them for other services, so they were familiar with how they worked. They said the apps provided codes quickly and could be easy to set up. Apps could also facilitate access to HMRC online services for those who shared login credentials, as they can be set up to allow multiple colleagues to receive access codes on their phones.

However, participants reported experiencing a range of issues when using apps for non-HMRC services, which could lead participants to avoid using them for HMRC services. Participants said that apps used too much of their limited personal phone storage and provided a ‘clunky’ user experience — such as not working if they had not been backed up when getting a new phone. Participants also experienced difficulties setting up multi-factor authentication on different apps and found that the access codes timed out too quickly. Overall, these issues, combined with the ease of use of text messages for multi-factor authentication, meant text remained the preferred choice.

“I have a couple of platforms I use with an authenticator app, and I find them a little bit more clunky, so the text message works well for me.” (0 to 9 employees)

4.2.4 Using accounting software

Across the sample, businesses linked a range of accounting software to HMRC online services and authentication steps varied.

Some businesses said they needed to complete multi-factor authentication periodically for the linked software and that their software would prompt them to complete HMRC multi-factor authentication to maintain the connection. However, others said they did not need to complete multi-factor authentication for linked software at all.

Despite this variation, participants did not think changes were needed to multi-factor authentication for linked accounting software as they did not consider there to be a significant threat of hacking posed by linked software.

4.3 Perceptions of the use of biometric data

Participants were asked what they thought about the potential for HMRC to expand its use of biometric data for multi-factor authentication, specifically fingerprint and face scans and voice recognition.

4.3.1 Overall views

Biometrics for multi-factor authentication were familiar to participants who had used them for other services, such as online banking. Examples included fingerprint and face scans, and videos of users’ faces and voices. Biometrics had also been used for the HMRC app and authenticator apps to sign in to HMRC online services.

Views were generally positive about the potential for HMRC to use biometrics for multi-factor authentication, as they were seen as secure, as well as being quicker and easier than receiving codes.

“I love when I can access so much stuff quickly with my face. What I generally just don’t like is ones that require me to remember loads of PINs.” (50 to 249 employees)

Participants raised some potential concerns about the use of biometric data for multi-factor authentication. Participants said providing biometric data to HMRC could feel invasive, as the data is more personal than sharing phone numbers to receive multi-factor authentication codes, and they worried that biometric data might be stored and accessible to other members of staff. Participants also felt biometric data might not always work reliably, with different concerns for the types of biometric data, as covered in detail in section 4.3.2.

As a result of their concerns, participants wanted any HMRC use of biometric data to be ‘tried and tested’. In addition, they wanted the option to choose whether they use biometrics and transparency about how biometric data is stored and who can access it.

4.3.2 Views of different technologies

Fingerprint scans: participants considered the use of fingerprint data for multi-factor authentication to be very secure as fingerprints are hard to replicate.

While this method was preferred over voice recognition, participants raised that not all devices have fingerprint technology, which is a barrier to use for multi-factor authentication. In particular, participants said fingerprint technology is uncommon on laptops and PCs, which many use to access HMRC services.

Face scan: participants were very familiar with using face scans to log in to phones and multi-factor authentication for apps. It was also considered secure because banks use it for their accounts, which contain important financial information.

Like fingerprint scans, participants were less clear on how face scans would work on laptops and PCs. Participants also raised potential questions about the reliability of the technology when appearances change – for example, if someone grows facial hair or is in poor lighting. In addition, participants thought the technology held some potential ‘in theory’ risks from hackers – for example, the possibility of holding a phone to someone’s face to complete multi-factor authentication.

Voice recognition: participants said voice recognition technology was less commonplace, though some were familiar with it through banking.

Voice recognition was seen as less secure than fingerprint or face scans. This was because it was thought that artificial intelligence could be used to copy voices and participants were unsure if technology was advanced enough to be reliable and detect all voices, such as those with accents.

5. Identity verification

This chapter looks at identity verification, which is the process that provides assurance that the person accessing HMRC services is who they say they are. This is done by providing 2 different types of evidence from the following list: passport information, driving licence information, answering questions about Self Assessment, payslip or P60 details, or credit reference history.

This chapter explores participants’ overall experience and perceptions of HMRC identity verification, their perceptions of the need for identity verification, as well as specific experiences of the GOV.UK ID Check app, providing identity verification evidence and receiving PINs.

5.1 Overall experience and perceptions of identity verification

Despite identity verification requiring some effort from users to collate the required information, it was commonly reported to be an easy and quick process, with participants saying their identity was verified quickly or instantly.

HMRC identity verification also often felt familiar, routine, and therefore pain free because it was similar to identity verification for other services. For example, participants described providing passport and driving licence information, and receiving PINs in the post, for bank services. This familiarity meant that participants often struggled to distinguish HMRC identity verification from other non-HMRC identity verification completed, even when they had done HMRC identity verification recently.

There were also spontaneous mentions from participants in businesses operating over 5 years that identity verification had improved.

“There was a little bit of getting up and down to get my different documents. It was nothing that was tedious. It wasn’t hard. It was only walking into another room in the house.” (0 to 9 employees)

“I’ve opened so many services and now [identity verification] is a very routine kind of task to do.” (0 to 9 employees)

5.2 Perceptions of the need for identity verification

Overall, participants were pleased HMRC conducts identity verification checks to protect against fraud and were content to complete the checks. They said that as other services (such as banks) conduct identity verification checks, they would be concerned if HMRC did not, as HMRC services hold similar personal and financial information. Even participants who did not perceive there to be a high risk of fraud with HMRC services were content to complete identity verification, as it was felt to be a standard requirement when setting up new services.

“I think it’s very important to make sure that the end user is who they say they are, especially when it’s such important information. So, I’m happy to do a bit of work and spend a bit of time my side confirming I am who I am.” (0 to 9 employees)

There were, however, mixed views about the security benefits of receiving a PIN in the post. On the one hand it was seen as good practice to confirm addresses, but participants also questioned why it was needed if identities had already been verified through an identity verification check. In addition, there were reports of receiving more than one PIN in the post when adding new taxes, and participants were unclear of the security benefits of this if addresses had already been verified through previous PINs.

“Why couldn’t they just add another tax without this need to verify [the address] again?” (10 to 49 employees)

5.3 Experiences providing evidence

Participants discussed passport and driving licence details as the most commonly submitted form of evidence for identity verification, as they were easily accessible. Driving licences were often to hand in a purse or wallet and pictures of passports were frequently saved on phones.

Providing alternative evidence that was not passport or driving licence details was reported to be more challenging. Pain points described included entering P60 information, as it could be difficult to identify what information was needed where, due to numerous similar-looking strings of numbers on P60s. P60s could also be difficult to access if not kept from previous employers.

Participants also found it difficult to remember the information needed or find it in emails or documentation when completing credit reference questions, for example, when phone contracts started. There was confusion about which date was needed for the Self Assessment questions, and whether it referred to payment dates or when HMRC received payments. Additionally, name changes could create issues due to inconsistent evidence requirements (see case study below).

Some participants also mentioned they would prefer it if the information used for verification was not personal, as HMRC services are for businesses rather than personal affairs.

Additionally, concerns were raised about the limited range of acceptable information, as some participants may not have a driving licence, a UK passport, claim tax credits, or possess a P60.

Case study: Example of having difficulties getting a new name verified

Stephan is a CEO of a company with 10 to 49 employees. Since setting up the Business Tax Account, he has got married and changed his last name.

Stephan provided HMRC with his new passport and driving licence, which stated his new name, to verify his name change. Stephan said some taxes in his business tax account now show his new name, but others do not (such as VAT).

Stephan has contacted HMRC about this and HMRC requested additional documentation for identity verification (a Deed Poll) to correct the taxes in his old name. Stephan does not have this documentation and is unclear why some taxes need additional documentation.

Stephan has contacted HMRC by webchat and telephone to resolve this issue; however, a resolution has not been reached. As a result, he has now asked his agent to manage this on his behalf.

“There’s some tax areas that are in my new name, so you would think they [HMRC] communicate between all the tax service and obviously they don’t.” (10 to 49 employees)

Case study: Difficulty being verified if certain documentation is not held

Diego runs a business with 3 employees. He has a Spanish passport. He also does not have a driving licence or P60 as he has been long-term self-employed. This limited the information he could use for identity verification.

He felt that as he has indefinite leave to remain in the UK, HMRC should accept his Spanish documentation.

“If you’re giving me the right to reside in the UK despite not being a citizen, why not be consistent and then let me log into my government services using my passport.” (0 to 9 employees)

5.4 Experiences of the GOV.UK ID Check app

The GOV.UK ID Check app can be used for HMRC identity verification and allows users to provide passport information without needing to enter it manually. This research did not set sample quotas for those who had used the GOV.UK ID Check app. As a result, the findings in this section are based on a small number of interviews and are therefore only indicative.

Participants said that the app could be easy to use and familiar due to clear instructions and prior experience with similar applications for other services, such as banking.

“[The app] was so easy. It was really, really good. I was impressed.” (50 to 249 employees)

Despite this, there were participants who said their identity had not been successfully verified using the app, resulting in calls to HMRC to find solutions. In addition, some participants also noted the need to take multiple pictures of passports to get lighting and angles correct. There was also some reluctance to download another app onto their phone which could take up their limited storage.

The GOV.UK ID Check app was considered a robust method for identity verification as it scans passport chips and takes pictures, helping to detect fake or stolen documentation.

5.5 Experiences receiving PINs in the post

Participants reported that the need to receive PINs in the post meant that setting up services cannot be completed in a single session, which delays gaining access to services or taxes. This can feel burdensome, as it fragments the user journey. It can also be frustrating for those wanting to carry out tax administration on the same day.

“If I remember rightly, it took around a week for that to come. So again, when you’re trying to deal with something on the day and you’ve put some time aside, you don’t want to have to go back to it a week later.” (0 to 9 employees)

Participants said that access to services could be delayed further if post is delayed, which participants felt was common. For example, one participant said it took 3 weeks to receive their PIN. Additional delays could occur if PINs were sent to old addresses or expired when they were not used within a certain time frame.

Participants suggested PINs could be sent via email to avoid these issues and reflect a more ‘modern’ approach.

“I just feel like in today’s times, we really shouldn’t have to wait for codes to be posted. There must be a better way to do it via e-mail or something like that.” (0 to 9 employees)

6. Credentials

Login credentials and access include a Gateway ID and a password.

The chapter outlines businesses’ experiences using credentials to log in to HMRC services, as well as the different ways businesses use and store credentials.

6.1 Experience logging in to HMRC services

Providing credentials and logging in was broadly seen as straightforward. This was facilitated by internet browser autofill, since Gateway IDs are not as memorable as email addresses. Businesses recognised autofill might not be as secure as inputting credentials each time, but those who used it did not think it posed a notable threat.

“[Logging in], it’s not too bad because all my passwords are saved on my phone, which probably isn’t the best security aspect.” (0 to 9 employees)

Businesses valued being able to stay logged in for 7 days as it avoided the time and effort of providing credentials. However, there was a suggestion this feature did not always work, and participants described needing to provide credentials within the 7-day window when opting to stay logged in for 7 days. There were also reports of businesses being automatically logged out while using HMRC online services, which businesses said was frustrating as they needed to re-enter credentials.

Participants said logging in was harder where an individual had multiple IDs because it was not clear from the ID itself which account it was associated with. Participants reported having multiple IDs where they used both personal and business services, or multiple business services.

6.2 Models for how credentials were used

There were a variety of models for how credentials were used by the interviewed businesses. Some businesses used unique credentials (where each person logging into HMRC services has their own Government Gateway ID and password) and some shared credentials.

6.2.1 Unique credentials

Unique credentials were used in 2 different ways:

  1. where one member of staff had credentials and only they accessed HMRC services
  2. where several members of staff accessed HMRC services and each had their own unique credentials

One member of staff having credentials

One person logging in with unique credentials was commonly reported by participants, particularly among smaller businesses (up to 50 employees) and sole traders. This person was typically the business founder or finance director. Credentials were often stored using internet browser autofill, saved in emails, or written down and either kept on a desk or locked in a drawer.

Participants reported that having only one staff member with unique credentials could result in lost access to HMRC services. This occurred if a personal phone was used for multi-factor authentication and that person left the company without setting up someone else with credentials or updating the multi-factor authentication phone number. In such cases, businesses said they either contacted the former staff member (see case study below) or HMRC, and that in some cases it could take 2 to 3 months for HMRC to resolve. One business noted that these pain points had led them to ensure that 2 or more staff always have unique credentials.

Case study: Issues experienced when one person has unique credentials

Anna is the finance director in an organisation with 50 to 249 employees.

When Anna first joined, she had a handover with her predecessor before they left the company. After they had left, she realised that they had not created her credentials for all the HMRC services.

As a result, she had to contact the old employee to ask for their credentials and multi-factor authentication code so she could log in to create her own credentials. She felt lucky to have their phone number but wondered what she would have done without it.

When a new colleague recently started to support with tax administration, Anna was keen to set them up with their own personal credentials to avoid the same issue happening again.

“It was only me for a while and now Francesca joined I got the 2 of us [set up with credentials]. I think something we need to never do is just go down to one person again.”

Several members of staff having unique credentials

Multiple staff having unique credentials was common among the interviewed businesses with 50 or more employees. In these cases, a central finance team or a founder typically granted access and set up new credentials for others. Credentials were generally stored in the same ways as when only one person had unique access — via internet browsers, emails, or written down and kept on a desk or in a locked drawer.

Having unique credentials was seen as a way to ensure accountability, as participants felt actions could be traced back to individuals. However, there were concerns that too many people with unique credentials could pose a security risk. Participants noted that a drawback of this approach was that access to HMRC services was delayed as staff needed to wait for a PIN in the post to create their unique credentials.

Example of the benefits of several members of staff using their own unique credentials

Catrina works in the treasury team for an international company with around 200 employees. The head office is outside the UK.

There are 5 people with unique credentials to the business tax account, 2 in the UK and 3 in the Head Office. She said the only drawback to creating unique credentials was needing to wait for a PIN in the post.

Catrina thought having unique credentials was important for ensuring accountability and security across a large organisation, as all actions can be traced back to individuals.

Catrina said she was acutely aware of the need for security measures around the tax account, given what she perceived as a potential risk of hacking.

“I think especially with tax and payments [it’s important to have unique credentials]. Tax is such a sensitive area, [there is] reputational risk. It has to be the responsibility of each individual that has access.” (50 to 249 employees)

6.2.2 Shared credentials

Sharing login credentials among multiple staff members was a common approach across the interviewed businesses of various sizes. For example, in smaller businesses with up to 50 employees, one person was typically responsible for tax administration and would share credentials with a company founder or director who might occasionally need to access HMRC services. In mid-sized businesses (50 or more employees), credentials were often shared among several staff members who collectively managed tax administration.

Credentials were shared in a variety of ways, including through password-protected spreadsheets containing Gateway IDs and passwords, browser autofill, company messaging groups, and email. Similarly, multi-factor authentication codes were shared in different ways. In some cases, codes were sent to a shared business mobile phone kept in the office, accessible to relevant staff.

“There’s a separate phone that sits on the desks; it’s for these kinds of things. So, if I’m on holiday, that phone is in the office.” (50 to 249 employees)

Another method involved one person receiving multi-factor authentication codes on their personal or business mobile and then sharing the code with others via messaging applications. Some interviewed businesses also used authenticator apps that allowed multiple staff members to access multi-factor authentication codes on their own devices.

Overall, businesses felt that sharing credentials in this way was easy to manage and familiar, noting that they already shared credentials for other platforms. This approach was seen as flexible and adaptable, particularly in accommodating workforce changes such as the use of contractors or staff turnover. While businesses acknowledged that this method might not be as secure, they generally trusted their staff and did not perceive it as a significant risk.

“For us it works well. I think if the business was mid-sized then I think there would be more concern about security. The thing is if anything happens in our business, it’s either going to be the director or me and…well, both of us are honest people. Neither of us are trying to do anything underhand.” (10 to 49 employees)

However, businesses recognised that sharing credentials might not be practical or secure enough for mid-sized organisations with many staff involved in tax administration. A particular concern was when multi-factor authentication was linked to a personal phone number. If that person left the business, it could result in the company being unable to receive multi-factor authentication codes and therefore losing access.

Example of the benefits of shared credentials

Giana works in the finance team for a company with between 50 and 249 employees. She is a contractor. The company has 8 legal entities in total and there are different HMRC services for each. As a result, there are many sets of credentials.

Overall, 3 people regularly log into the HMRC services. They share credentials and store them in a password protected spreadsheet. Her internet browser also stores credential IDs for her to select.

The team have a shared company mobile phone that is used for multi-factor authentication and is kept in the office.

Giana felt that this approach works for her team, as creating individual credentials would be an inefficient use of time because they have high staff turnover. However, Giana said she recognises that this approach is less secure. 

“From a security and a control perspective you would change our approach for the longer term, but it’s just the position that we’re in at the minute [with high staff turnover]. But, for now, the ease of use and how it works is fine.” (50 to 249 employees)

7. Conclusion

Interviewed businesses generally found the management of credentials, authentication and identity verification to be a smooth and straightforward experience.

They felt that managing HMRC online services could be easy and that providing credentials and logging in was generally straightforward. Multi-factor authentication and identity verification were familiar to participants because they completed these processes for a range of other services and organisations (such as online banking). As a result, businesses saw multi-factor authentication and identity verification as a routine, important and proportionate security process and were happy to complete it for HMRC services.

However, this research also highlights a number of pain points experienced by businesses.

Use of HMRC online services

  • the language used on HMRC services could feel unclear and overly technical, particularly for those without financial or tax knowledge
  • information was often difficult to locate on the HMRC pages of GOV.UK
  • the time it takes to add taxes to services could cause issues for businesses, especially when working to tight deadlines

Multi-factor authentication

  • issues accessing accounts were reported when only one personal number was set up to receive multi-factor authentication codes
  • the process for adding or changing a number could feel unclear and time-consuming
  • participants noted that they may be unable to log in if they do not have phone signal or access to their phone to receive multi-factor authentication codes
  • participants were generally positive about using biometrics for multi-factor authentication but wanted the option to choose whether or not to use biometric data and expressed concerns about its reliability and how data is stored

Identity verification

  • there were concerns about the limited range of information that could be provided for identity verification
  • providing certain types of evidence for identity verification (particularly when not using passport or driving licence information) was more difficult, as the questions could feel unclear or ambiguous
  • pain points were experienced when verifying changed names, as different taxes had different identity verification requirements
  • some participants would prefer it if the information used for verification was not personal information
  • receiving a PIN in the post fragmented the user journey and participants were unclear of the security benefits
  • PINs being delivered to old addresses could cause delayed access to services

Login credentials and access

  • some interviewed businesses reported sharing credentials among staff rather than setting up unique credentials for each user
  • relying on a single set of unique credentials created pain points when the associated multi-factor authentication was linked to a personal phone number, particularly if that individual left the company
  • the ‘remember me for 7 days’ option was reported to be unreliable, with businesses being logged out of services while actively using them

8. Appendix 1 – Sampling criteria, quotas and achieved sample

| Criteria | Achieved sample |
|---|---|
| Business size: 0 to 9 employees | 23 |
| Business size: 10 to 49 employees | 10 |
| Business size: 50 to 249 employees | 10 |
| Years trading: Under 1 year | 10 |
| Years trading: 1 to 3 years | 10 |
| Years trading: Over 3 years | 23 |
| Tax complexity: Low complexity | 10 |
| Tax complexity: High complexity | 33 |
| Use of financial service agents: Outsources one or more services | 37 |
| Use of financial service agents: Does not outsource | 6 |
| Previous experience of accessing HMRC online services: Positive | 18 |
| Previous experience of accessing HMRC online services: Neutral | 10 |
| Previous experience of accessing HMRC online services: Negative | 15 |
| Tax confidence: Confident | 17 |
| Tax confidence: Neutral | 12 |
| Tax confidence: Not confident | 14 |
| How business primarily interacts with HMRC’s online services: Through GOV.UK | 27 |
| How business primarily interacts with HMRC’s online services: Through accounting software | 15 |
| How business primarily interacts with HMRC’s online services: Other | 1 |
| Time company has been trading for: Under 1 year | 10 |
| Time company has been trading for: 1 to 3 years | 10 |
| Time company has been trading for: 3 or more | 23 |