From April 1, 2026, all users of Caixa Geral de Aposentações (CGA), known as CGA Direta, will have to use two-factor authentication to access the service. This measure applies to workers and pensioners as well as companies and other collective entities, ensuring greater security when accessing the portal.
Since December 2025, workers and pensioners have already required this procedure to enter CGA Direta, but until now the obligation did not extend to legal entities. The decision aims to protect users’ sensitive data and reduce the risk of unauthorized access.
According to the same source, until March 31, 2026, there is a moratorium only for legal entities, which can optionally adhere to reinforced authentication.
From April onwards, however, all users trying to access CGA Direta will be required to introduce a second verification factor, reinforcing the protection of sensitive data and minimizing the risks of unauthorized access.
How two-factor authentication works
The process maintains the already known first step: the user enters the username and access key. Only then does the second security factor come into play, which consists of the introduction of a unique code sent by SMS to the registered cell phone.
Without this code, it is not possible to access the portal. The same source warns that, if the cell phone is not at hand, access to the system will be impossible.
What is CGA Direta and what is it for
CGA Direta functions as a digital interaction platform between users and Caixa Geral de Aposentações, aimed at active workers and pensioners in the public sector.
The portal offers a variety of services, including pension simulators, payment calendars, electronic forms to communicate relevant events, requests for clarification by email, issuing income declarations to the IRS and consulting legal information.
It also allows you to submit applications, request certificates and update personal data, among other operations, eliminating the need for physical trips to CGA facilities.
Enhanced security and recommendations for users
This change follows a similar movement already implemented on the Social Security Portal and the Finance Portal, which also introduced reinforced authentication. The second factor is mandatory to protect sensitive data and reduce the risk of fraud.
According to , all users must confirm that their registered contacts are up to date and that they have permanent access to the indicated mobile phone, so as not to be prevented from accessing the portal when the new rule comes into force.
Also read:
