Multi-Factor Authentication (MFA) for GST: Complete Setup Guide Before April 2025 Deadline
Why MFA is now mandatory, registration process, authenticator app setup, backup codes management, and troubleshooting common login issues
Written by
CA Ashama Rajawat
GSTN has made Multi-Factor Authentication (MFA) compulsory for ALL taxpayers. Without MFA setup, you won't be able to login to the GST portal after March 31, 2025.
What is MFA and Why is it Mandatory?
MFA adds an extra security layer beyond just username and password. You need two factors to login: something you know (password) + something you have (phone/authenticator app).
- •Increasing cyberattacks: 15,000+ GST accounts compromised in 2024
- •Fake ITC claims: Hackers filing false returns, claiming lakhs in refunds
- •Data breaches: Passwords leaked on dark web, MFA prevents unauthorized access
- •Global standard: Income tax portal already has MFA since 2023
Step-by-Step MFA Setup Guide
Login to GST Portal
- Visit gst.gov.in
- Login with current username/password
- You'll see MFA setup prompt
Download Authenticator App
Choose one of these apps (free):
- Google Authenticator (Most popular)
- Microsoft Authenticator
- Authy (Cloud backup support)
Scan QR Code
- GST portal shows QR code on screen
- Open authenticator app → Add account → Scan QR
- App generates 6-digit code (changes every 30 seconds)
Enter OTP to Verify
- Enter 6-digit code from app into GST portal
- Click "Verify and Enable MFA"
- Success message appears
Save Backup Codes (CRITICAL!)
Portal generates 10 backup codes. SAVE THEM!
- Download PDF or screenshot
- Print and store securely
- Each code can be used once if you lose phone
How Login Works After MFA Setup
Enter Username & Password
Same as before
Get OTP from Authenticator App
Open Google Authenticator, copy 6-digit code
Enter OTP in GST Portal
Code valid for 30 seconds only
Access Granted
Logged in successfully
Backup Codes: Your Lifeline
- Lost your phone
- Phone stolen or broken
- Authenticator app deleted accidentally
- Switched to new phone (forgot to transfer)
- Login with username/password
- Click "Use Backup Code" instead of OTP
- Enter one of your 10 backup codes
- Code works ONCE only, then becomes invalid
Contact GST Helpdesk (1800-103-4786) with GSTIN, mobile, email for manual MFA reset.
Common MFA Issues & Solutions
Cause: Time sync issue.
Solution: Go to authenticator app settings → Time correction for codes → Sync now.
Cause: Took too long to enter.
Solution: OTP changes every 30 seconds. Enter immediately after generating.
Solution: Use backup code to login, then re-setup MFA with new phone.
Solution: Use backup code to login, re-setup MFA by scanning QR code again.
What Happens if You Don't Setup MFA?
April 1, 2025 onwards: Cannot login to GST portal
Cannot file GSTR-1, GSTR-3B returns
Late filing penalties
Risk of GST registration suspension
GST compliance disrupted = business operations impacted
Best Practices for MFA Security
- Use Google Authenticator or Microsoft Authenticator (most reliable)
- Print backup codes and store in office safe
- Don't share OTP/backup codes with anyone (not even CA)
- Before changing phone, transfer authenticator app data
- Keep backup codes in 2 places (office + home)
Conclusion
MFA setup takes just 5 minutes but is mandatory from April 1, 2025. Don't wait until the last minute—setup now to avoid login issues during return filing deadlines. Download Google Authenticator, scan QR code on GST portal, save backup codes, done. This small step protects your GST account from hackers and ensures uninterrupted compliance.