How Companies House Authentication Code Works to Prevent Director Fraud in 2026

The Companies House authentication code is a 6-character alphanumeric security credential that restricts access to a company’s online filing account. It prevents unauthorised changes by ensuring only verified individuals can submit or alter official company records, reducing director fraud and identity misuse.

What is a Companies House authentication code, and how does it function?

The authentication code acts as a digital signature for Companies House filings. It verifies that a user submitting documents is authorised, ensuring only approved individuals can update company data, file accounts, or change director information within the UK company register.

The code is issued when a company is incorporated or upon request. It is unique to each company and linked directly to its Companies House profile. This creates a controlled access layer between public company data and private administrative control.

Every time a filing is submitted online, the system requires the authentication code. Without it, Companies House rejects the submission automatically. This ensures that only individuals with verified access credentials can perform critical actions.

The system operates similarly to a password but is specifically tied to legal compliance. It protects sensitive filings such as director appointments, address changes, and financial submissions. This restriction reduces unauthorised alterations that often lead to fraud.

Why is the authentication code critical for preventing director fraud?

The authentication code prevents director fraud by blocking unauthorised filings that could appoint fake directors, change registered addresses, or redirect company control. Without the code, fraudsters cannot legally submit documents that alter company ownership or governance structures.

Director fraud often begins with unauthorised access attempts. Fraudsters target publicly available company data and attempt to manipulate filings. The authentication code creates a barrier that stops these attempts at the submission stage.

Fraudulent activities typically involve three actions: appointing fake directors, removing legitimate officers, and changing registered office addresses. Each of these actions requires authentication. Without the code, Companies House systems reject the filings.

The UK government reports that identity-based business fraud accounts for a significant portion of corporate crime. Authentication codes directly reduce this risk by enforcing access control at the point of filing.

When businesses fail to secure their authentication code, the risk increases sharply. Unauthorised access can result in reputational damage, financial loss, and compliance breaches.

How do fraudsters attempt to bypass Companies House protections?

Fraudsters attempt to bypass protections by intercepting authentication codes, exploiting weak internal controls, or impersonating directors. These tactics rely on human error, unsecured communications, or outdated company records rather than system vulnerabilities within Companies House itself.

The most common method involves intercepting mail. Companies House sends authentication codes via post. If a registered office address is outdated or poorly managed, fraudsters can access sensitive documents.

Another tactic involves social engineering. Fraudsters impersonate company officials and request authentication codes from employees or service providers. This method relies on weak internal verification processes.

Digital vulnerabilities also play a role. Businesses that store codes in unsecured systems expose themselves to internal breaches. Shared access without proper controls increases the likelihood of misuse.

Three primary fraud methods include:

• Intercept physical mail containing authentication credentials

• Impersonate directors to request access information

• Exploit unsecured storage systems holding sensitive company data

Each method targets operational weaknesses rather than technical flaws in Companies House systems.

What happens if your authentication code is compromised?

If the authentication code is compromised, unauthorised individuals can submit filings, alter company records, and potentially take control of business operations. Immediate action is required to request a new code and prevent further fraudulent activity.

A compromised code allows full access to online filings. Fraudsters can change director details, update shareholder structures, and modify registered office addresses. These changes can occur quickly and without immediate detection.

The consequences extend beyond administrative disruption. Financial fraud can follow if criminals redirect correspondence or gain control over the business identity. Legal complications arise when incorrect filings appear on official records.

Companies House provides a recovery process. Businesses can request a new authentication code, which invalidates the previous one. This step restores control but does not automatically reverse fraudulent filings.

Ongoing monitoring becomes essential after a breach. Companies must review recent filings and verify all submitted changes to ensure accuracy.

How can businesses securely manage their authentication code?

Businesses secure authentication codes by restricting access, storing them in encrypted systems, and regularly reviewing authorised personnel. Strong internal controls ensure that only verified individuals handle sensitive filing credentials.

Effective management begins with access control. Only directors or authorised administrators should handle the authentication code. Limiting access reduces exposure to internal misuse.

Secure storage is equally important. Codes stored in encrypted password managers reduce the risk of digital breaches. Avoid storing code in plain-text documents or shared folders.

Regular audits strengthen protection. Businesses must review who has access and remove permissions when roles change. This ensures outdated access does not become a vulnerability.

Three essential security practices include:

• Restrict access to verified directors or compliance officers

• Store codes in encrypted credential management systems

• Audit access permissions every 90 days

When these controls are enforced, the risk of compromise decreases significantly.

Businesses seeking structured protection often implement dedicated Business Fraud Protection Services that integrate monitoring, access control, and compliance safeguards into a single framework.

How does Companies House PROOF enhance authentication security?

Companies House PROOF (Protected Online Filing) restricts specific filings to online submission only, requiring authentication codes for all changes. This eliminates paper-based fraud risks and ensures all updates pass through secure digital verification channels.

PROOF prevents certain forms from being submitted via post. This removes a major vulnerability where fraudsters could send forged documents. Digital-only submission ensures that authentication is always required.

The service focuses on high-risk filings. These include director appointments, registered office changes, and PSC updates. Each of these actions can significantly impact company control.

By enforcing online-only submissions, PROOF strengthens accountability. Every action is tied to an authenticated session, creating a traceable record of changes.

For a deeper explanation of this system, see What Companies House PROOF Is and Does It Really Protect Your Business, which breaks down how digital-only filing improves fraud resistance.

What are the limitations of the authentication code system?

The authentication code system relies on secure handling by users, making it vulnerable to human error. It does not verify identity in real time, meaning possession of the code alone grants access regardless of who submits the filing.

The system does not include biometric verification or multi-factor authentication by default. This means the code acts as a single-layer security mechanism. If compromised, it provides full access.

Another limitation involves distribution. Codes are sent via post, which introduces risk if addresses are outdated or accessible to unauthorised individuals.

There is also no automatic alert system for all changes. Businesses may not immediately detect fraudulent filings unless they actively monitor their records.

To mitigate these gaps, companies implement layered security systems that include monitoring, alerts, and identity verification processes beyond the authentication code itself.

Also explore,

What to Do If Your UK Company Has Been a Victim of Registration Fraud 

Business Fraud Protection Services for UK Limited Companies Compared 

How does Business Fraud Protection strengthen authentication security?

Business Fraud Protection strengthens authentication security by adding monitoring, identity verification, and access controls around Companies House processes. It detects suspicious filings, validates user actions, and prevents unauthorised changes before they impact company records.

Authentication codes provide a foundational layer of security. Business Fraud Protection builds on this by introducing proactive safeguards. These systems monitor filings in real time and flag anomalies.

Identity verification adds another layer. It ensures that individuals submitting filings are validated against official records. This reduces reliance on a single credential.

Access management tools track who interacts with company data. This creates accountability and reduces internal risk exposure.

Solutions like Business Fraud Protection services integrate these controls into a unified system, ensuring continuous protection rather than reactive recovery.

For businesses evaluating prevention strategies, 

Stop Business Registration Fraud Before It Starts with MCR Protection

 outlines how proactive safeguards reduce fraud risks at the registration stage.

My Company Registration delivers structured fraud prevention frameworks that align with UK compliance standards. These frameworks combine authentication security with monitoring and verification systems to protect business identities effectively.

The Companies House authentication code plays a critical role in protecting UK businesses from unauthorised filings and director fraud. It acts as a gatekeeper for company record changes, ensuring only authorised individuals can submit official documents.

Its effectiveness depends on secure handling, controlled access, and complementary safeguards. When combined with structured protection systems, it forms a reliable defence against identity-based corporate fraud.

My Company Registration provides Business Fraud Protection solutions that strengthen authentication security through monitoring, verification, and compliance-focused controls. This approach reduces risk while maintaining full regulatory alignment.

Frequently Asked Questions

What is Business Fraud Protection, and how does it work?

Business Fraud Protection is a set of controls that monitor, verify, and secure company records against unauthorised changes. My Company Registration applies identity validation, filing monitoring, and access controls to reduce risks linked to Companies House fraud.

How does Business Fraud Protection prevent director fraud in the UK?

Business Fraud Protection prevents director fraud by verifying who submits filings and detecting suspicious changes, such as new director appointments or address updates. My Company Registration uses structured monitoring and authentication checks to block unauthorised submissions before they are processed.

Do I still need Business Fraud Protection if I have a Companies House authentication code?

The authentication code provides basic access control but does not verify identity or detect misuse. Business Fraud Protection adds monitoring, alerts, and validation layers, which My Company Registration uses to reduce risks that a single credential system cannot address.

What are the main risks of not using Business Fraud Protection services?

Without Business Fraud Protection, companies face higher risks of unauthorised filings, identity theft, and reputational damage. My Company Registration highlights that fraud incidents often involve director changes, registered office updates, and intercepted authentication codes.

How quickly can Business Fraud Protection detect suspicious company activity?

Business Fraud Protection systems can detect suspicious filings in near real time by monitoring Companies House updates continuously. My Company Registration implements alert-based tracking that identifies unusual changes as they occur, allowing faster response and mitigation.