Knowledge-based Authentication, Compliance, and Tax Season: What Your Accounting Firm Needs to Know

Tim Sines

As the 2024 tax season approaches, we know your workload is about to start ramping up—but your worries about compliance, data privacy, and cybersecurity for your clients don’t need to increase as well. But if you are concerned, you have good reason. For accounting firms, security is essential: With large amounts of sensitive client data, financial information, and personal identification details, it is vital that this data is protected from unauthorized access and potential data breaches. 

Additionally, keeping firm data secure online is critical to staying in line with IRS compliance requirements in light of the expansion of online tax filing and eSignatures. 

One part of compliance is deploying appropriate security measures, especially during tax season. While there are numerous steps that accounting firms should take, don’t overlook the importance of protocols such as knowledge-based authentication (KBA).

KBA can help to prevent unauthorized access and ensure the security and integrity of sensitive financial information. In fact, KBA is specifically required by the IRS to complete IRS e-file signature authorization forms, such as 8879 and 8878. 

Read on to learn about knowledge-based authentication and why it is an important feature for accounting firm software. Discover its role in compliance for tax season and IRS e-file signature authorization, as well as how Mango can support your firm with robust security measures during tax season and beyond.

What is knowledge-based authentication?

Knowledge-based authentication, or KBA, is a method of verifying an individual’s identity by asking them to provide information that only they are likely to know. This information is typically stored in the form of “security questions,” which the user must answer to prove their identity. There are two main types of KBA: static KBA and dynamic KBA, each with distinct methods and use cases.

Static KBA

Early KBA implementations focused on static questions, known as "shared secrets," which users preselected during account setup. These questions often relied on basic personal information that does not change over time. Today, static KBA is still used by banks, financial services, and email providers, particularly for password resets and account recovery scenarios.

Some examples of static KBA queries include: 

  • Date of birth 
  • Social Security number 
  • Name of first pet 
  • Make and model of first car 
  • Mother’s maiden name 

Static KBA is favored for its simplicity and cost-effectiveness. It's quick to set up and use, making it convenient for both users and companies. However, it has notable security flaws. The answers to static KBA questions are often based on easily obtainable information, such as data found on social media or in public databases. This makes static KBA susceptible to fraud and hacking. Users might also forget their answers or select ones that are too easy to guess, further reducing security.

Dynamic KBA

Dynamic KBA is an advanced method that generates out-of-wallet questions in real time based on a user's personal and historical data. These questions are not easily guessed or found in a wallet, making them more secure. 

The system collects and analyzes personal data from sources such as credit reports, DMV registrations, and transaction histories. This information, tied to specific times and events, is used to create unique questions, which are customized and randomized each time. The individual must answer these questions correctly within a set timeframe to verify their identity, ensuring that only the true individual can pass the authentication process.

Some examples of dynamic KBA or out-of-wallet queries are:

  • Amount of last mortgage payment
  • Name of the financial institution where they took out a loan
  • Year they bought their current home
  • Addresses where they have lived in the past
  • Color of the car registered in their name when they lived in [city] in [year]

Dynamic KBA offers enhanced security by using diverse non-public data sources to create hard-to-guess questions. It can, though, be time-consuming and complex to implement, and it requires reliable data sources. Additionally, the questions may be tough even for legitimate users to answer, leading to potential frustration and higher abandonment rates during the authentication process. However, its effectiveness outweighs the disadvantages. That’s why dynamic KBA is commonly used in high-security environments such as access to banking systems, online tax filing, and sensitive healthcare records.
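The session logic described in this section (questions drawn and shuffled at random for each attempt, and a fixed window in which to answer) can be sketched as follows. This is an added illustration, not code from Mango or any KBA provider; the records, field names, 120-second window, and pass mark are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data standing in for credit-report / DMV / transaction
# records; each entry is (prompt, correct answer, decoy answers).
RECORDS = {
    "mortgage_payment": ("Amount of last mortgage payment?", "1842.17",
                         ["1610.00", "2075.50", "1399.99"]),
    "lender": ("Which institution issued your loan?", "Harbor Credit Union",
               ["First Plains Bank", "Summit Savings", "None of these"]),
    "home_year": ("Year you bought your current home?", "2016",
                  ["2011", "2014", "2019"]),
    "car_color": ("Color of the car registered to you in 2012?", "Blue",
                  ["Red", "Silver", "White"]),
}


class KbaSession:
    """One quiz: random question subset, shuffled choices, deadline, one attempt."""
    def __init__(self, records, n_questions=3, ttl_seconds=120, pass_mark=3,
                 now=time.monotonic):
        rng = secrets.SystemRandom()          # CSPRNG, so quizzes are unpredictable
        self._now = now
        self._deadline = now() + ttl_seconds  # the "set timeframe" for answering
        self._key = secrets.token_bytes(32)   # per-session key for answer MACs
        self._pass_mark = pass_mark
        self._used = False
        self.questions = []                   # safe to send to the client
        self._expected = {}                   # stays on the server
        for qid in rng.sample(sorted(records), n_questions):
            prompt, answer, decoys = records[qid]
            choices = decoys + [answer]
            rng.shuffle(choices)
            self.questions.append((qid, prompt, choices))
            self._expected[qid] = self._mac(answer)

    def _mac(self, value):
        return hmac.new(self._key, value.strip().lower().encode(),
                        hashlib.sha256).digest()

    def verify(self, answers):
        # True only for an in-time, first-attempt, passing submission.
        if self._used or self._now() > self._deadline:
            return False
        self._used = True                     # a failed quiz cannot be retried
        correct = sum(hmac.compare_digest(self._mac(answers.get(qid, "")), mac)
                      for qid, mac in self._expected.items())
        return correct >= self._pass_mark
```

Marking the session as used on the first submission means a wrong guess forces a fresh, re-randomized quiz instead of a retry against the same questions.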

Whether it’s static or dynamic, KBA should ideally be used in conjunction with other security measures, such as strong password policies and multi-factor authentication, to provide sufficient defense against unauthorized access and potential data breaches.  

Why is KBA an important feature for accounting firm software? 

Security and privacy of sensitive financial information are mission-critical for accounting firms. KBA, particularly dynamic KBA, provides a vital level of security for accounting firm tax software when sending documents securely and making eSignature requests. The use of KBA signatures also helps safeguard information from unauthorized access, which could have severe consequences for both the firm and its clients.

Additionally, advanced KBA can help to protect against identity theft and other types of cybercrime by making it more difficult for attackers to gain access to sensitive information. For example, during tax season, when clients e-file their returns through the accounting firm's software, KBA generates questions such as the client's previous year's tax refund amount. Since the answers cannot be easily found through social media or public databases, this ensures that only the legitimate client can complete the e-filing process.

Aside from generating dynamic questions and integrating with multiple data sources, dynamic KBA often includes additional security measures, such as time limits for answering questions and a combination of multiple verification factors. These make KBA an effective tool against sophisticated cyber threats.

What is KBA’s role in compliance for tax season?

KBA is critical for accounting firms during tax season to ensure best security practices and meet IRS requirements for submitting forms like Form 8879.

Keeping ahead of best security practices 

During tax season, accounting firms deal with a large volume of sensitive financial information, including personal information about clients and confidential business data. Strong security measures are necessary to protect this information and ensure compliance with relevant laws and regulations. 

KBA can support compliance during tax season by helping to ensure that only authorized individuals have access to confidential financial information. By using KBA to verify the identity of users before granting them access to the software, firms can help prevent unauthorized access and protect sensitive data, following relevant laws and regulations.  

KBA and Form 8879 

KBA meets the IRS's eSignature standards for forms like Form 8879, ensuring electronic signatures are valid and secure. Form 8879 is an IRS e-file signature authorization form that authorizes e-filing for tax returns. When a taxpayer e-files their tax return, they will be asked to complete Form 8879 and provide personal information, such as their name, address, and Social Security number. This information is used to verify the taxpayer’s identity and ensure that the tax return is signed correctly and authorized.

KBA is required for Form 8879—specifically, it’s needed when electronically submitting the form. (For clients wishing to use a wet signature, KBA requirements do not apply.) 

By requiring taxpayers to provide personal information when signing their tax returns electronically, KBA helps to ensure the security and integrity of the tax filing process and prevent fraud. 

How does IRS e-file signature authorization use KBA? 

The IRS e-file signature authorization allows individuals and businesses to file their tax returns electronically using the IRS e-file system. However, taxpayers must obtain an e-file signature authorization to use this system. This authorization is granted after the individual or business successfully completes a KBA process. 

Once the KBA process is complete and the e-file signature authorization is granted, the individual or business can use the IRS e-file system to file their tax returns electronically. 

Stay secure during tax season with Mango 

Mango’s security features are baked into the software because Mango was made by accountants—for accountants. Our team knows exactly what you need to protect your clients’ sensitive information.  

Robust security features offered in Mango include: 

  • Bank-level SHA-256 encryption algorithm 
  • Secure file sharing straight from your email 
  • Optional client portal for additional password protection 
  • Unlimited secure storage space and file size 
  • Legally binding eSignatures with a digital audit trail 
  • SSL-encrypted payments in our client portal 

Mango’s security defenses are only one part of its resilient practice management system. Get every piece of software you need in one place, so you don’t lose time jumping between different programs. 

Boost your security and set your accounting practice up for tax season success with help from the expert accountants at Mango—schedule a demo with us today. 
