Tax professionals filing electronically need to get IRS form 8879 or form 8878 signed by their clients. However, traditional e-signature services do not support the IRS electronic signature requirements, specifically the knowledge-based authentication (KBA) requirement for electronic signatures performed remotely. This requirement is provided both in the latest IRS guidance and in IRS Publication 1345.
Encyro E-Sign now provides an easy-to-use electronic signature option, with an SMS (text-message) based KBA step that meets IRS guidelines.
Meeting IRS Requirements
An electronic return originator (ERO) has two options to get forms 8879 or 8878 signed remotely by the client:
- Remote hand-written signature: When you opt to use hand-written signatures, also known as wet signatures, clients must sign paper copies. They may send you a scanned copy of the signed page, for example through your Encyro upload page. Using your upload page from a smartphone lets the client take a picture of the signed paper document and attach it easily. (IRS Pub. 1345 explicitly states that wet-signed copies may be delivered to you electronically and no special requirements apply to the signature in this case.)
- Remote electronic signature: This requires knowledge-based authentication (KBA). Specifically, your client signing the e-file authorization form should answer a question that only they know the answer to.
Remote Electronic Signatures: How to Use KBA?
The traditional approach to KBA was to have the signer answer questions based on their credit reports. This had three problems:
- Answering the KBA questions is hard for clients: KBA-compliant identity verification typically involves answering 4 or more personal information questions selected from credit records or similar sources. Each question, and the entire set, must be answered within a specific time limit. No more than 2 or 3 failed attempts are allowed, and answering even one question wrong marks the entire set of 4 (or more) questions as a failed attempt. So another 4 (or more) new questions need to be answered correctly after a failed attempt. Such a process is often followed for getting access to your credit report, and you can see how hard it is by requesting a free credit report from any of the major credit bureau websites.
- It is not very safe: With over 140 million credit reports stolen in large scale incidents including the Equifax breach, and given that the KBA system used by the IRS itself was hacked, credit report based KBA may not really protect anyone.
- Expensive: E-signature services that do support credit report based KBA are very expensive. For instance, Signix charges $300/month. DocuSign requires their custom enterprise plan (price not listed on the website) and then charges extra for each e-signature request that uses KBA.
An Easier Option: Encyro E-Sign
Encyro E-Sign makes the process much easier by providing SMS (text-message) based secret codes for the KBA step. Here is how it works: you send an e-sign request using Encyro E-Sign with the KBA option enabled. All you need to provide is your client's verified cellphone number. The process complies with IRS Pub. 1345 requirements.
The signature process is easy for your client too. They get an email with a link to review and sign. When they click that link, they are informed that a text message will be sent to them. If they agree, a secret code is sent to their cellphone. (Sending a text requires explicit consent from the client, and Encyro takes care of that step for you.) They enter the secret code on the signing page and proceed to sign electronically. You receive the signed document in your Encyro account, and also get an email notification that the signature was completed.
The Encyro E-Sign process also lets you configure:
- automated reminders,
- a signing sequence for multiple signers (ERO, filer, spouse, others),
- signature request expiry,
- advanced security options,
- signature types (typed, hand-drawn, mouse-drawn), and
- your branding in emails and on signing pages.
The signed file contains an audit trail with all required signature events, and an option to check if the file has been tampered with after signing.
If you do not have an Encyro account, sign up for a free trial today (no credit card needed) to try out the above, or check pricing. If you already have an Encyro account, try sending a KBA-enabled e-sign request using these instructions.
Does Encyro E-Sign with secret codes meet IRS KBA requirements? Don't I need credit report based checks?
Even though Encyro E-Sign KBA does not involve the frustrating client experience of credit report based questions, it meets IRS requirements for Forms 8879 and 8878.
IRS Pub. 1345 has two sets of requirements.
- First, certain transaction details should be recorded: a digital image of the signed form, date and time of the signature, taxpayer's computer IP address, login identification, and the method used to sign. Encyro automatically records this information.
- The second set of requirements is that the taxpayer's identity be verified in compliance with National Institute of Standards and Technology (NIST) Special Publication 800-63 Identity Assurance Level 2 (IAL2).
- SP 800-63 (Sec 5.3.2) specifically states that "The CSP SHALL only use information that is expected to be known only to the applicant and the authoritative source, to include any information needed to begin the KBV process. Information accessible freely, for a fee in the public domain, or via the black market SHALL NOT be used." This implies that credit report based questions will NOT satisfy the NIST requirements, because that information is likely to be obtainable on the black market (given the Equifax data breach involving 147 million people's credit reports and the more recent Experian 2020 data breach still being investigated). However, since traditional KBA services only offered the credit report based option, IRS makes an allowance to let you use that method. This allowance does not mean it’s the preferred method.
- Methods preferred by NIST 800-63 include: "The CSP SHOULD perform KBA by verifying knowledge of recent transactional history in which the CSP is a participant. The CSP SHALL ensure that transaction information has at least 20 bits of entropy." The method used by Encyro E-Sign falls under this category and provides the 20 bits of entropy.
- The "transaction" mentioned above could be a secret piece of information (with at least 20 bits of entropy) exchanged with the taxpayer. Encyro automatically generates the secret code (with required entropy) and sends it to the taxpayer. (Sending a manually generated code, as recommended by some other e-sign services, will not meet these requirements because it is very hard to ensure that it has the required entropy and expiry characteristics.)
- To make sure that your transaction took place with the actual taxpayer, you should only provide a verified phone number for the taxpayer. For instance, you may know the taxpayer from previous years and may have talked with them both in person and using the phone number to be used. You may request a copy of their recent phone bill showing their address (so you know it’s the same person for whom you are preparing the tax return) via the Encyro upload page. We recommend that you combine the collection of a verified phone number with your usual process to collect the taxpayer's SSN, address, and ID (driver's license etc.) documents. Trust us, it will be much easier than making clients go through the hassle of credit report based KBA.
Pub. 1345 also requires you to record the taxpayer's name, address, and date of birth. You probably already collect that information even if not using electronic signatures.
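The 20-bit entropy and expiry requirements for the secret code can be checked in a few lines. The sketch below is an added example, not Encyro's implementation: it shows that a uniformly random 6-digit code (10^6 values, about 19.93 bits) falls just short of 20 bits while 7 digits pass, and it issues and verifies a single-use code. The 10-minute expiry, the 3-attempt limit, and all function names are assumptions made for the illustration.

```python
import hmac
import math
import secrets
import time

MIN_ENTROPY_BITS = 20          # threshold from the NIST SP 800-63 text quoted above
DIGITS = "0123456789"
CODE_TTL_SECONDS = 600         # assumption: codes expire after 10 minutes
MAX_ATTEMPTS = 3               # assumption: stop accepting guesses after 3 tries


def entropy_bits(length, alphabet=DIGITS):
    """Entropy of a code whose characters are drawn uniformly at random."""
    return length * math.log2(len(alphabet))


def min_length(alphabet=DIGITS, bits=MIN_ENTROPY_BITS):
    """Shortest code length that reaches the required entropy."""
    return math.ceil(bits / math.log2(len(alphabet)))


def issue_code(now=None, alphabet=DIGITS):
    """Create a one-time code from the OS CSPRNG, with expiry and attempt state."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(alphabet) for _ in range(min_length(alphabet)))
    return {"code": code, "expires": now + CODE_TTL_SECONDS,
            "attempts": 0, "used": False}


def verify_code(record, submitted, now=None):
    """Return True only for an unexpired, unused code within the attempt limit."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return False
    if record["attempts"] >= MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(record["code"].encode(), submitted.encode())
    if ok:
        record["used"] = True  # single use: a replayed code is rejected
    return ok
```

A code typed by hand (a birth year, the last digits of an SSN) cannot be scored this way, because the formula only holds for characters drawn uniformly at random.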
Remote Wet Signatures
The IRS guidance specifically states that hand-written signatures (wet signatures), even when performed remotely and sent to the ERO by email or an Internet-based service, are not considered electronic signatures. As a result, the KBA requirements do not come into play.
The idea is to first send the prepared Form 8879 securely to the client, but without adding roadblocks such as signing up for a portal account or remembering their old password from last year. The client prints their form and sends you a picture from their smartphone, again securely, but without having to enter any passwords. The process works in the following two steps:
Step 1: Prepare the Form 8879 or 8878 using your tax or accounting software as you normally do. To send it securely, without requiring clients to deal with account signups and passwords, send it using Encyro. Log in to your Encyro account (sign up here to get an account if you do not have one), and compose a new message. If you use the Encyro Outlook Addin, you can send a secure message from Outlook itself.
Attach the 8879 (or 8878) and enter the client's email address (the form itself will not be sent to the email address, but a secure message notification will be). You may customize the following template for your Encyro secure message content:
Please download, print and sign the attached IRS Form 8879. Your signature is required to submit your tax return on time. Once signed, please see my other email with Subject "Step 2: Return your signed 8879".
Step 2: Send a plain-text email to the client (a secure message is not required because this email does not contain sensitive data) asking them to access your Encyro upload page from their smartphone and upload a photo of the signed 8879 form. If you do not have an Encyro upload page yet, sign up here for a free trial and, once logged in, click on "My Upload Page" to create one (more details). An Encyro upload page allows a client to send you a secure message without a password but does not give access to any previously stored data (see example).
You may customize the following email template to email your client:
Please open this email on your smartphone and visit my upload page: https://www.encyro.com/<yourUploadAddress>.
Then click the "Browse or Take Photo" button to take a clear picture of the signed form 8879. Click Submit. This ensures that your form is sent securely (kindly do not email the signed form because email is not secure).
Remember to replace the upload page address in your email with your Encyro upload page address.
The table below summarizes the steps:
|Step|What you do|What your client does|
|---|---|---|
|Step 1|Log in to Encyro and send the 8879 to your client with a secure message asking them to print and sign.|Accesses message with one click (no password needed unless they have an Encyro account). Client prints and signs.|
|Step 2|Send an email (not encrypted) asking client to upload the signed 8879 securely on your upload page from their smartphone camera.|Client accesses your email on a smartphone, clicks the upload page link and takes a picture of their signed form to upload securely.|
You have two options for getting the IRS Form 8879 signed remotely:
- Remote Electronic Signatures: Use this if you have a verified cellphone number for your client. Client will not need to print the form and can sign on the computer (see instructions).
- Remote Wet Signatures: Use this option if your client has a printer (instructions above). This option is also useful if your state does not allow electronic signatures for e-filing the state return (e.g., New York). In that case, since you will be using wet signatures for the state return e-file authorization, it would be easier to just use the same process for the federal return as well.
Both options will work for a no-touch tax return workflow. You save valuable time and do not have to track paper documents in snail-mail.