Introducing Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring more than just a password to log in. This helps protect member data, reduce fraud risk, and align with industry best practices.

MFA will apply to all members and non-members accessing CPA Australia portals, apps and services. Tuition providers will also be impacted, with special arrangements for shared accounts.

MFA will be rolled out commencing mid-December 2025, following user acceptance testing (UAT). Communication will be provided in advance to allow time to prepare.

You’ll enter your username and password as usual. Then you’ll be prompted to verify using your chosen MFA method – e.g. SMS, authenticator app, or email.

Yes. When you register, you’ll be prompted to set up one or more authentication methods. On selection of a method, the browser remembers your selection of choice.

You can use backup codes or a secondary method if you set one up. If all options fail, contact the CPA Australia contact centre for support.

MFA works on both iOS and Android devices globally.

Yes, you can update your MFA settings in your account preferences (e.g. switch from SMS to authenticator app). Guidance will be provided in the Quick Reference Guides (QRGs).

No. Communication preferences are managed separately. Disabling SMS for MFA does not affect SMS communications for marketing or notifications.

Tuition providers will need to use a shared email domain (e.g. [email protected]) or a supported Gmail account to receive MFA codes. This ensures shared accounts can still authenticate securely.

Alternative methods such as email MFA will be available, but CPA Australia suggests using the OTP method.

First, check your username and password, then try your MFA method again. If problems persist, use an alternate method. If all else fails, contact Member Services.

Password resets can take up to 15 minutes to sync across systems. Try again after waiting. If it still doesn’t work, call the contact centre.

The technology and security team will track login failures, MFA challenges, and suspicious activity through system alerts. The contact centre will also escalate recurring issues.