The Home Office has recently warned sponsor licence holders to be on alert for threats to Sponsorship Management System (SMS) account security, following an increase in phishing emails. It's also introducing a new Multi‑Factor Authentication (MFA) login process for access to the SMS. Your key personnel with sponsor licence access should carry out SMS account hygiene checks now and ensure they're following the Home Office's SMS best practice guidance.
The new MFA measure is being put in place to combat scammers who want to gain access to your SMS account. One example of how they do this is by sending phishing emails purporting to be the Home Office warning of compliance action unless the user logs in. For help identifying phishing emails and a list of recommended steps to take if you receive one, read our previous article.
What's the Home Office's current SMS best practice guidance?
The Home Office sends regular updates about account security, and in June 2026, they reminded sponsors to follow their SMS best practice guidance:
- Always log into SMS from .gov.uk
- Never share your SMS password or user ID with anyone
- Never share your personal information such as your date of birth with anyone
- One user = One ID
- Never click on links in emails
- Regularly review Level 1 and Level 2 users and deactivate where appropriate
- Contact us if you receive an email you don't believe is genuine – businesshelpdesk@homeoffice.gov.uk
If you haven't done so already, incorporate this guidance into your day-to-day process when dealing with the SMS.
What's Multi-Factor Authentication (MFA)?
The Home Office plans to introduce MFA as an extra layer of security to the SMS login process. Its aim is to reduce the risk of unauthorised access, even where a password has been compromised. It helps protect your personal and sponsorship-related information held in the SMS.
Once enabled, you'll be asked to enter:
- Your SMS user ID;
- Your password;
- Your date of birth; and
- A one-time passcode sent to the mobile number or email address registered in your user details within your SMS account.
A one-time passcode will be required every time you log in.
At the time of writing, there's no timeframe confirmed for the MFA rollout.
What should you do now?
- Make sure you implement the Home Office's SMS best practice guidance
Phishing emails and other scams remain a threat. Once MFA is rolled out, it'll reduce the risk, but it won't remove it entirely. Follow the Home Office's guidance and any updates to it.
- Log into the SMS and make sure all details are accurate
The details of your key personnel should always be up-to-date, but it's a good idea to perform hygiene checks ahead of the introduction of MFA. If personal details held on the SMS are out of date, MFA won't work.
Getting locked out of the SMS could prevent you from assigning Certificates of Sponsorship, prevent compliance with reporting duties, and cause headaches for HR teams managing sponsored workers.
This goes without saying, but make sure you deactivate inactive users. Take care when doing this. You should have at least one Level 1 user on your licence at all times.
- Review your Level 2 user arrangements
Once MFA becomes live, sponsors will no longer be able to add Level 2 users, although Level 1 users can still be added as needed. To ensure continuity of access for Level 2 users, you may wish to convert them into Level 1 users if they're eligible now or remove them completely.
Need more help?
If you have questions about your key personnel, sponsor licence management or compliance, please contact a member of our immigration team.




