How can I comply with IRS remote electronic signature requirements for forms 8879 and 8878? Is Encyro E-Sign KBA valid for IRS compliance? Do I need credit report based KBA?
Why Access Codes (KBA)?
Access codes by text-message (SMS) help strengthen the identity of the person signing the document. The signer must receive a secret code on their verified mobile phone number, proving that they have access to that device (something a remote hacker cannot easily get). This adds an additional check on top of the email or password based identification.
This check can help you comply with requirements for certain electronic signatures, such as the IRS remote electronic signature requirements for Forms 8879 and 8878 (as given in IRS Publication 1345), FDA's 21 CFR Part 11 (which requires two types of authentication before signing), and any others where the signer identity must be verified.
KBA for IRS Form 8879/8878
IRS Pub. 1345 has the following requirements for electronic signatures on Forms 8879 and 8878, when the signature is not performed in your presence:
- The signature process must record certain information such as the signer's IP address, time of signing, and type of signature. Encyro automatically records such information required by the IRS for the electronic signature step.
- The identity of the signer should be verified in compliance with National Institute of Standards and Technology (NIST) Special Publication 800-63 Identity Assurance Level 2 (IAL2).
- Credit report based KBA: SP 800-63 (Sec 5.3.2) specifically states that "The CSP [credential service provider] SHALL only use information that is expected to be known only to the applicant and the authoritative source, to include any information needed to begin the KBV process. Information accessible freely, for a fee in the public domain, or via the black market SHALL NOT be used." This implies that credit report based questions (given the Equifax data breach involving 147 million people's credit reports and the more recent Experian 2020 data breach still being investigated) will NOT satisfy the NIST requirements because that information is likely to be obtainable on the black market. However, since traditional KBA services only offered the credit report based option, the IRS makes an allowance to let you use that method. This allowance does not mean it’s the preferred method.
Methods preferred by NIST 800-63 include: "The CSP SHOULD perform KBA by verifying knowledge of recent transactional history in which the CSP is a participant. The CSP SHALL ensure that transaction information has at least 20 bits of entropy."
- Encyro E-Sign's KBA (secret code by text-message) falls under this preferred category. The "transaction" mentioned above is the secret piece of information (with at least 20 bits of entropy) exchanged with the tax payer. Encyro automatically generates the secret code (with required entropy) and sends it to the tax payer. (Sending a manually generated code, as recommended by some other e-sign services, will not meet these requirements because it is very hard to ensure that it has the required entropy and expiry characteristics.)
- The AICPA has recommended this method in their letter to the IRS. Page 4, Sec II of the AICPA letter urged the IRS to mention this previous transaction based identity check explicitly for Form 8879. (Since the NIST SP 800-63 is written for security experts and not tax professionals, having the IRS mention this identity check option in Pub 1345 explicitly will make it easier for tax professionals to interpret the guidance.)
Important: To make sure that your transaction took place with the actual tax payer, you should enter only a verified phone number for the tax payer when creating the Encyro E-Sign request. For instance, you may know the tax payer from previous years and may have talked with them both in person and using the phone number to be used. You may request a copy of their recent phone bill showing their address (so you know it’s the same person who you are preparing the tax return for) via the Encyro upload page.
We recommend that you combine the collection of a verified phone number with your usual process to collect the tax payer's SSN, address, and ID (driver's license etc.) documents.
Pub. 1345 also requires you to record the tax payer's name, address, and date of birth. If you are unable to obtain a verified phone number for the signer, or if you do not have the filer's date of birth, you may use the option for remote wet signatures via Encyro.
How to enable access codes by text (KBA) on your signature request?
Note: Using KBA requires an Encyro Pro membership. You may start a free trial via your Settings page. If you already started an e-sign request before switching to Encyro Pro, click Save Draft and you may return to it later after changing your membership settings. (To simulate KBA with a free Encyro Essentials account, see this section.)
The key difference in preparing your signature request, compared to signature requests without KBA, is that at the "Configure and Send" stage, just below the signer's email addresses, you would check the box "Require access code by text-message..." and enter a verified mobile phone number for each signer subject to KBA requirements.
(Notes: To re-use the request, see how to save as a template. Also, skip adding the box for the ERO signature if not required for your form.)
- Log in to your Encyro account and click on E-Sign. (Get a free trial, or contact us for a trial extension if you used up your trial earlier.)
- Click Browse and Upload. In the file dialog, select the Form 8879 that you wish to get signed.
- Click on Signature in the left pane. There is no need to hold the click.
- Move your mouse to the first signature area and click once. A signature box will be placed there.
- You will also get a popup to add the signer details: simply insert a role, such as "Filer" and click Save. You could add the email and name instead of the role, or add the email address a little later in the process.
- Click on any of the corners to re-size the box. To move the box if needed, click and hold inside the box and move your mouse.
- Click again where another person needs to sign, such as in the spouse's signature area. Another signature box will be placed there.
- To change the signer, click inside the signature box, then click Change Assigned, and then click Add New.
- In the popup, add the role "Spouse". Click Save.
- Click on the new entry that appears in the list of signers to assign the signature box to the new signer.
- The signature box will change color. Click Close.
- Click again in the signature area for the ERO. A third signature box will be added.
- Click inside the signature box and change the signer as before, to assign it to yourself.
- While the date is not required (because it's automatically recorded with the electronic signature), you may add the date field to make the form look nicer.
- Click on Date in the left pane and then click in the date area on the form.
- Change the signer that the date box is assigned to.
- If the 8879 was not fully prepared, you may add other fields to be completed.
- Click on Text for any text to be completed during signing.
- If you want to add some text now, before sending it to the signers, click on Insert Text and then click where you want to insert an annotation. The Insert Text box can be moved by clicking on its top left corner.
- Once all the boxes have been added, click Next in the left pane.
- On the next screen, click Sign In Order. For example, if you will sign first, click and hold the crossbar in the Drag column. Drag your entry to the top of the list. Alternatively, you may edit the numbers shown in the order column. Two signers may be assigned the same number if you want to allow them to sign in parallel.
- If you have a verified cellphone number for each of the tax filers, click the checkbox next to Require access code by text-message.
- You may click Skip next to your entry as KBA is not needed for the ERO.
- Enter the mobile phone numbers for all taxpayers.
- Optionally, you may add details in the email text box.
- Click Send. That's it!
Save a Template for Sending Again
You do not have to repeat these steps for each new 8879 request: see how to save a template (you will only need to provide the new PDF file, signer emails, and phone numbers: the template will re-use the signature boxes, KBA settings, and any other configurations such as reminders).
Remote Wet Signature via Encyro
A wet signature should be used if you do not have a verified cellphone number or date of birth for the taxpayer(s) who need to sign the 8879. In this case, the signer will need to print the form for signing. However, the transaction can still be completed remotely and in compliance with IRS Pub. 1345 requirements.
The steps are:
- Send a secure message with the form attached. Say something like "Please print and sign the attached 8879 form. Look for my second email for how to submit."
- Send a plain email (not a secure message), saying something like: "Please open this email on your smartphone and visit my upload page: https://www.encyro.com/<yourUploadAddress>. Then click the 'Browse or Take Photo' button to take a clear picture of the signed form 8879. Click Submit."
- You may additionally add "This ensures that your form is sent securely (kindly do not email the signed form because email is not secure)."
IRS publication 1345 clearly states that the KBA requirements do not apply to hand-written signatures, even when the signed document is delivered via electronic means.
Sending a Secret Code with an Encyro Essentials (free) membership
While sending automated access codes by text message requires an Encyro Pro membership, you may use the following workaround to manually send a secret code by text:
- When creating the e-sign request, insert an extra field to input a secret code. You could add this field near the bottom of a page within the document to be signed.
- Then, manually think of a secret code and send it in a text message from your cellphone to the signer.
The signer will use the information from your text message to answer the knowledge based question (secret code field) in your document.
Do note that:
- The manually generated secret code would likely not have the 20 bits of entropy and 10-minute expiry time required to meet the US NIST 800-63 Level 2 identity assurance requirements.
- You will have to manually verify that the signer entered the correct code in the signed form.
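The two properties that separate an automatically generated access code from a manually chosen one, at least 20 bits of entropy and a 10-minute expiry, are shown in the Python sketch below. It is an added example, not Encyro's code; the attempt limit, the single-use rule, and all names in it are assumptions for illustration.

```python
import hmac
import math
import secrets
import time

MIN_ENTROPY_BITS = 20        # figure quoted from NIST SP 800-63 on this page
CODE_TTL_SECONDS = 10 * 60   # 10-minute expiry mentioned on this page
MAX_ATTEMPTS = 3             # assumption: retry limit is not stated on the page
DIGITS = "0123456789"


def entropy_bits(length, alphabet=DIGITS):
    """Entropy of a uniformly random code: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def min_length(bits=MIN_ENTROPY_BITS, alphabet=DIGITS):
    """Shortest code length that reaches the required entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


class AccessCode:
    """One-time code drawn from the OS CSPRNG, with expiry and retry limit."""

    def __init__(self, now=None, alphabet=DIGITS):
        length = min_length(alphabet=alphabet)
        # secrets.choice is uniform, so the entropy formula above applies.
        self.code = "".join(secrets.choice(alphabet) for _ in range(length))
        issued = time.time() if now is None else now
        self.expires_at = issued + CODE_TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.used or now >= self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking matching prefixes by timing.
        ok = hmac.compare_digest(self.code.encode(), submitted.encode())
        if ok:
            self.used = True  # a code is accepted once only
        return ok
```

Six random decimal digits give about 19.93 bits, just under the threshold, so the sketch issues seven; a code a person thinks up is not uniformly random and carries less entropy than its length suggests.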