The advice explains HMRC’s use of short message service (SMS) text messages as a way of activating two-step verification.

This is an additional security feature which helps to prevent someone else from accessing an individual’s digital account, even if they have their user ID and password.

When activating two-step verification, HMRC will send an access code via SMS to the taxpayer’s nominated mobile phone number, which the individual will need to complete the set-up. These SMS messages will never ask the individual to provide personal or financial information.

HMRC says this means that once taxpayers have activated two-step verification, the only way to access the account will be with the government gateway user ID, password and access to the phone which has been registered.

The phone number that individuals register for two-step verification is stored securely, used only for this purpose, and is not shared with anyone else, HMRC’s guidance says.

HMRC says it  is planning ways of increasing the number of users who can benefit from two-step verification.

After activating two-step verification, each time the individual logs in, HMRC will send an access code via SMS to the registered mobile phone number, which will be needed to complete the log-in process. These SMS messages will never ask the recipient to provide personal or financial information.

If an individual no longer has access to the mobile phone registered for two-step verification, they will need to ring the online services helpdesk and verify their identity to deactivate it. They can then register their new mobile number for two-step verification when they log in the next time.

HMRC’s updated advice on identifying genuine HMRC contact and phishing emails and text messages is here