If you have found yourself unable to access the HMRC VAT portal due to problems with two-step security then follow our step by step guide to recovering your account…

Often, your two-step security code is sent to a mobile phone and unless the holder of the mobile reports back with the security code, the taxpayer is not getting in.

This issue can be triggered by an employee leaving the business and taking their personal mobile with them or, if it is a business mobile, the contract may be cancelled or inactive.

When an employee is dismissed or leaves suddenly, there is usually a procedure for collecting any company equipment and records before the departure, but asking for details of the HMRC gateway two-step security access may not have been included in the exit process.

Always make it a matter of routine IT policy to change the HMRC log-in password regularly, especially when an employee who had access leaves the business.

The HMRC gateway is a business-critical risk – although often it is not seen as such – but without access to the gateway, the business cannot file VAT or other returns. Additionally, if unauthorised people can get access, they could change bank details or issue refunds to themselves.

Receiving security codes

For a taxpayer, using a landline telephone (such as your reception) makes sense, and then whether the line is staffed at the office or remotely, the security code will be received and can be passed on to the person who requested the code.

A mobile may be the only viable option for a smaller business but you should consider who holds the mobile and how they can be contacted if they are not in the office or working from home. Don’t forget that while the two-step security may seem an annoyance, it is the last gateway to accessing your VAT account (and other taxes) and an unauthorised person could change the bank details or address and submit a VAT refund to their designated bank.

There is also an authenticator app that offers another route for receiving the security code.

Resetting access

If you have forgotten and have no record of the user ID and/or password, there is an automated process that takes you through some questions about the business and, if these are answered correctly, you can reset access.

Don’t forget that Government Gateway contains a lot of details about the business, payroll, VAT, taxes, and this information needs to be protected, which is why HMRC don’t necessarily make it easy to reset things.

There is no simple online way to change the two-step security code – the only method is to contact HMRC. HMRC offers a live telephone helpline and a live web-chat helpline which will be in effect from June 2022.

HMRC will need to confirm your identity and will ask a number of security questions. You will usually be asked three or four questions and if you can answer them correctly, you will pass the identity checks.

You could be asked the following:

  • Confirm VAT number
  • Confirm the date you were registered for UK VAT (effective date of registration)
  • The last VAT return period you filed
  • The Box 5 value on that last VAT return
  • Name of a director (shareholder) of the business
  • Address of the business.

HMRC will never ask for bank details but they may ask on what date you last paid HMRC or the last date HMRC refunded VAT to the business.

Once you pass the security checks and the HMRC representative is happy they are speaking to the business, then HMRC will remove the existing telephone number from the system.

You then log in to Government Gateway as normal but once you enter the user ID and password, it will then ask you to set the method for two-step security and it is here that you can then enter a new number or opt for authenticator app access, you will then be sent a code to the telephone or app to confirm things are as expected and then you can access your VAT account as normal.