Free KBA: is there such a thing?

Bigfoot, the Loch Ness monster, free KBA e-signatures. What do these three have in common? Despite claims to the contrary, they don’t exist in real life.

KBA is short for knowledge-based authentication and is required for electronic signature of Form 8879. Some companies claim that they offer free KBA e-signatures. Is it possible or are you being lied to?

In short: free KBA doesn’t exist.

Why? Let us explain.

What is KBA?

According to the IRS article on IRS e-file Signature Authorization:

How should the software perform identity verification? As part of identity verification, the software may create what is known as a “soft inquiry” in the credit reporting industry. A credit reporting company uses information from the taxpayer’s credit report to generate knowledge based authentication questions. This action may create an entry on the credit report called a “soft inquiry”. Typically, the knowledge based authentication questions address the taxpayer’s personal and financial history. These are usually multiple choice questions such as the name of their mortgage lender, type of car financed, a former address or phone number. The taxpayer is expected to answer the questions correctly. This is not a credit check. However, taxpayers who cannot complete the identity verification check cannot use e-signature.

In other words, ‘knowledge-based’ means that a credit reporting agency provides a list of personal questions, based on the taxpayer’s credit history, that only the taxpayer would know the answers to.

Because this requires access to the credit agency database, you have to pay every time you perform the identity check. Which gets us back to the title of this article - there’s no such thing as free KBA.

But I’ve seen someone offer it for free?

Sometimes you will see KBA offered for free. Where’s the catch?

In the cases we analyzed, the companies that claim to offer “free KBA e-signature” provide what’s known as ‘static knowledge’ authentication. It involves using a piece of customer data (such as taxpayer DOB or last 4 digits of social security number) to authenticate the client.

The problem is that it’s insecure: a hacker who gets access to the account will easily know the taxpayer’s DOB and social security number (because they are already populated in client files). This is the reason why the IRS specifically requires KBA that produces unique questions from the taxpayer’s credit report.

In other words, this kind of client authentication is not compliant with IRS regulations and cannot be used for e-signing Form 8879.

But what about SMS codes? Some vendors offer this for KBA. Does that work?

In short, no. There are companies that are selling ‘snake oil’ by advising practitioners that they can avoid using KBA by sending ‘secret codes’ (SMS) to their clients to verify their identity. All this does is prove that the person who has the phone is signing in. It does not verify the ‘identity’ of the individual as per IRS requirements.

For additional clarity, NIST Special Publication 800-63A elaborates on what kinds of questions should (and should not) be used to demonstrate that the taxpayer is the owner of the claimed information.

“The CSP (credential service provider) SHOULD perform KBA by verifying knowledge of recent transactional history in which the CSP is a participant.” Sending an SMS message to someone’s phone does not qualify as ‘transactional history’. Only events recorded in the taxpayer’s credit report qualify as applicable transactions.

How much does KBA cost?

KBA pricing varies by the provider. TaxDome charges $1 per KBA authentication - the lowest price in the market. Other firms charge more — we compared prices in a previous post.

So next time you see such an appealing offer, either the platform is making up for the cost somehow, or it’s not IRS-compliant and you should stay away from it.