E-Signatures for Accounting Firms — IRS Compliance, Form 8879, KBA, and the Best Tools in 2025
The IRS allows remote e-signatures on tax documents — but the rules around when Knowledge-Based Authentication is required, and when it isn't, are genuinely confusing. This guide explains exactly what is required and what tools meet those requirements.
On this page
- The two categories of IRS e-signature
- What Knowledge-Based Authentication actually is
- What happens when a client fails KBA
- The IRS requirements for a compliant e-signature system
- Tool categories that meet (and don’t meet) the requirement
- Tools that meet the IRS standard for remote signing
- Tools that do not meet the IRS standard
- Practical tool selection for small firms
- E-signatures in the broader document workflow
- The Form 8879 workflow, end to end
When the IRS expanded its e-signature guidance in 2020 and again in 2023, it created something that did not exist before: a legitimate, compliant way for tax preparers to get client signatures on authorization forms without a wet ink signature or an in-person meeting. That is genuinely useful. But the guidance also created a compliance minefield that many small firms have navigated mostly by luck, using tools that may or may not actually meet the IRS requirements for remote signatures.
This guide covers what the IRS actually requires for electronically signed tax documents, where the Knowledge-Based Authentication (KBA) requirement applies, where it does not, what happens when a client fails KBA, and which categories of tools meet the compliance standard.
IRS e-signature guidance has evolved — older information may be incorrect
The IRS remote e-signature policy was temporary during 2020–2021 COVID accommodations, then made permanent for certain document types in 2022, then expanded further in 2023. Blog posts or continuing education materials from before 2023 may reflect superseded policy. This guide reflects the rules as of mid-2026.
The two categories of IRS e-signature
Understanding what is and is not required starts with understanding that the IRS distinguishes between two situations:
Category 1: Taxpayer-authorized forms signed remotely by a client who is not present This includes Form 8879 (IRS e-file signature authorization), Form 8878 (for extensions), and similar authorization forms where the taxpayer is signing and the preparer is the recipient. For these, the IRS requires an e-signature solution that includes identity verification — which in practice means Knowledge-Based Authentication (KBA) for fully remote signing.
Category 2: Documents signed in person or by a client with an established identity Where the client has a pre-existing authenticated relationship with the firm, or where signing occurs in person with a government ID present, KBA is not required. The IRS has also indicated that multi-factor authentication combined with other verification methods can satisfy the requirement in some circumstances.
The practical implication: for the majority of small firm remote client relationships, Form 8879 signed outside an in-person meeting requires a KBA-capable e-signature solution.
93%
of tax returns filed electronically require an IRS Form 8879 or equivalent taxpayer authorization — making e-signature compliance a near-universal requirement for CPA and tax preparer practices
Source: IRS Statistics of Income, 2025What Knowledge-Based Authentication actually is
KBA is an identity verification method that asks the signer to correctly answer questions derived from their personal history — questions that only the actual person should be able to answer. The questions are generated in real time from credit bureau and public records data and typically cover:
- Previous addresses and how long the person lived there
- Names of family members (derived from records)
- Vehicle ownership history
- Loan or mortgage information
- Names of neighbours or associates from previous addresses
The signer typically has 90 seconds to answer five questions, with a required pass rate (usually 3 of 5 or 4 of 5 correct). The session is logged, and the result — passed or failed — is stored as part of the audit trail.
KBA is not the only identity verification method
The IRS has indicated that compliant e-signature solutions may use alternative identity verification methods (government ID scan + facial recognition, for example) in lieu of KBA, provided the method meets NIST 800-63 Level of Assurance 2 standards. Some newer e-signature tools use this approach. Check with your specific tool provider about their compliance documentation.
What happens when a client fails KBA
This is the scenario almost no competitor blog covers — and it is the one that catches practitioners off guard.
KBA failure happens more often than expected. Common reasons:
- The client recently moved and their address records have not updated
- The client has a thin credit file (no mortgages, few loans, short address history)
- The client lives in the same address as a family member with a similar name (records confusion)
- The client is elderly and the questions reference a period they do not clearly remember
- The client has a recent name change (marriage, divorce) that creates record inconsistency
When a client fails KBA, the e-signature session is invalidated. The IRS guidance is clear: you cannot proceed with the remote e-signature after a failed KBA attempt. Your options at that point are:
Options when a client fails KBA
Retry with a different tool
Some KBA systems allow one retry (usually after a waiting period). Other tools — particularly those using ID verification rather than KBA — may produce a different result because they query different data sources.
Switch to in-person signing
The client comes in (or comes to a notary) with a government-issued photo ID. In-person signing with ID verification does not require KBA under IRS guidance.
Use the physical signature alternative
Print Form 8879, mail it to the client, have them sign with wet ink and mail or fax it back. Compliant, but slow — and not appropriate for clients in a time-sensitive filing situation.
DocuSign or equivalent with completed identity verification
If the client has previously completed identity verification with DocuSign Identity (or equivalent), subsequent signing sessions for the same client can leverage that prior verification depending on the tool’s policy and IRS interpretation.
The practical answer for most small firms: have one non-KBA option (in-person with ID, or the wet signature fallback) ready for the 5–15% of clients who fail KBA. Do not design your workflow assuming all clients will pass.
The IRS requirements for a compliant e-signature system
The IRS requires that e-signature solutions used for tax documents meet all of the following:
IRS e-signature system requirements (Rev. Proc. 2021-47 and subsequent guidance)
- Identity verification of the signer (KBA or equivalent NIST LOA-2 method)
- Audit trail documenting who signed, when, from what IP address, and that identity verification was completed
- Tamper-evident technology — the signed document must be sealed such that any post-signature modification is detectable
- Signed documents must be retrievable for the required retention period (generally three years from the return due date, or return date if later)
- The taxpayer must receive a copy of the signed authorization form
- The preparer must retain a copy of the signed form and the identity verification record
Requirements that are notably absent: the IRS does not require that e-signatures be completed through any specific tool or platform. Any tool that meets the above requirements is compliant. The IRS also does not require that Form 8879 be signed first — the preparer can present the completed return to the client for review and then collect the signature, as long as all requirements are met.
Tool categories that meet (and don’t meet) the requirement
Tools that meet the IRS standard for remote signing
Purpose-built tax e-signature solutions — DocuSign for Tax, SafeSend Returns, RightSignature with KBA, Filevine Signature. These platforms include built-in KBA, audit logging, and tamper-evident sealing specifically configured for IRS compliance. They are more expensive than general e-signature tools ($20–$60/month per user range) but compliance is not something you configure — it is built in.
Practice management platforms with integrated e-signature — TaxDome, Canopy, and some versions of Drake Tax include e-signature features with KBA. Compliance quality varies by platform version and whether KBA is correctly configured. Review your specific platform’s compliance documentation, not their marketing page.
DocuSign Standard with Identity Verification add-on — DocuSign’s base plan does not include KBA and is not IRS-compliant for Form 8879 remote signing. The Identity Verification add-on adds KBA capability. This is a meaningful distinction that many firms get wrong.
Tools that do not meet the IRS standard
HelloSign / Dropbox Sign — No KBA capability. Compliant for many business signatures, not compliant for remote IRS authorization forms.
Adobe Sign (Base plan) — Similar to HelloSign — no KBA on the base plan. Adobe Acrobat Sign Business plan with identity verification enabled may qualify.
Any e-signature tool without KBA or equivalent identity verification — General e-signature tools that generate a legally binding signature but do not verify identity do not meet the IRS standard for remote tax authorization forms. This includes many of the more affordable e-signature tools marketed to small businesses.
Email-based “digital signatures” — A client typing their name in an email, or a scanned wet signature sent via email, does not constitute a compliant e-signature under IRS guidance.
Using a non-compliant tool creates real risk
If a return signed via a non-compliant e-signature method is challenged by the IRS — for any reason — the lack of a compliant authorization form creates a compliance problem that is separate from any underlying return issue. This is a real risk, particularly for clients who later dispute a return or where a fraud investigation is triggered. Use compliant tools.
Practical tool selection for small firms
For a 1–10 person accounting firm in 2025, the realistic options are:
E-signature tool landscape for small accounting firms
$0–$15/mo
non-compliant tier
HelloSign, DocuSign Essentials, Adobe Sign Free. Fast and easy, but not IRS-compliant for Form 8879 remote signing without KBA add-ons.
$25–$50/mo
compliant standalone
DocuSign with Identity Verification, RightSignature with KBA. IRS-compliant for remote signatures. Works alongside any practice management tool.
$50–$150/mo
integrated in practice management
TaxDome, Canopy, SafeSend. E-signature is part of a broader portal/workflow platform. Best for firms wanting integrated document + signature management.
The evaluation framework for choosing:
- Does it include KBA or NIST LOA-2 equivalent identity verification? If no, it is not compliant for Form 8879 remote signing.
- Is the audit trail exportable and stored for the required retention period? If you need to prove compliance in three years, can you produce the audit log?
- Does it integrate with your practice management or document collection workflow? Isolated signing tools that require a separate document delivery step add friction for both you and the client.
- What happens when a client fails KBA? Does the platform have a fallback path?
The practical answer for most small firms: have one non-KBA option (in-person with ID, or the wet signature fallback) ready for the 5–15% of clients who fail KBA. Do not design your workflow assuming all clients will pass. Ensuring your electronic signing tools are compliant is part of a broader security program required by law. You can run through our free FTC Safeguards Compliance Checker to verify that your firm meets the federal data security standards.
E-signatures in the broader document workflow
Form 8879 is the most compliance-sensitive signature in a tax practice — but it is one of many documents that benefit from e-signature capability. Engagement letters, extension authorizations, consent forms for disclosure, and information release authorizations can all be delivered and signed electronically. For more context on client data protection, read our complete guide on FTC Safeguards Rule Compliance for Accounting Firms.
Signatures and document collection work better together
Quire handles the document collection side of the equation — the source documents your client needs to provide before you can prepare their return. Delivering your document request and engagement letter through the same secure portal link sets expectations and reduces the number of separate channels your client has to manage.
The Form 8879 workflow, end to end
The correct sequence for a compliant remote signing process:
Compliant Form 8879 remote signing workflow
Prepare the return
Complete the tax return and generate Form 8879 with the completed data. The client signs the 8879 after reviewing the return — not before.
Deliver the return for review
Send the client the complete return for review through your secure delivery method. Give them adequate time to review — at minimum 24–48 hours for a simple return, longer for complex returns.
Send the signing request with identity verification
Send the Form 8879 through your KBA-capable e-signature tool. The client receives the signing request, completes identity verification, reviews the form, and signs.
Store the signed form and audit trail
Once signed, the platform should automatically store the signed form with the embedded audit trail. Export and retain the identity verification record separately if your platform requires it.
Send the client their copy
The client must receive a copy of the signed Form 8879. Most e-signature platforms send this automatically. Verify this is happening — it is a specific IRS requirement.
File the return
Once Form 8879 is signed and stored, you can proceed to file the return electronically.
E-signature compliance questions
Does the same KBA requirement apply to engagement letters and other non-IRS documents?
No. The KBA requirement is specific to IRS authorization forms (Form 8879 and similar). For engagement letters, consent forms, and other non-IRS documents, the ESIGN Act and UETA apply — which require only that the signature be intentional, attributable to the signer, and documented in an audit trail. KBA is not required for these documents, which is why you can use a lower-cost general e-signature tool for them.
Can I use DocuSign's standard plan for engagement letters and a different tool for Form 8879?
Yes. This is a common and compliant setup: a less expensive e-signature tool for general firm documents (engagement letters, consent forms), and a KBA-capable tool specifically for IRS authorization forms. The operational complexity is the cost of this approach — two tools, two workflows, two places to look for signed documents. For many small firms, the simplicity of a single compliant tool is worth the modest additional cost.
What is the IRS retention requirement for signed Form 8879?
The IRS requires that Form 8879 be retained for three years from the date the return was due or the date the return was filed, whichever is later. For a return filed on April 15, 2026, the 8879 must be retained until at least April 15, 2029. Many firms retain tax-related records for seven years as a blanket policy.
Does this guidance apply to state tax returns as well?
State e-signature requirements vary by state and generally follow federal guidance closely, but not identically. Most states that have adopted UETA (the majority of US states) accept e-signatures under similar conditions to the federal standard. Check your specific state’s guidance, particularly for states with separate taxpayer authorization forms for e-filed state returns.
Stay close
Secure document collection, start to finish
Quire handles the document delivery and secure return path — so signed forms and collected documents travel through an encrypted, audit-logged channel, not an email thread.
See all featuresRelated posts
FTC Safeguards Rule Compliance for Accounting Firms in 2026
The updated FTC Safeguards Rule has been in full effect since June 9, 2023. Tax preparers, CPAs, and bookkeepers are covered. Civil penalties reach $50,120 per violation. This is what compliance actually requires.
Read article →Secure Document Collection for Accounting Firms
Email is not a secure document transport. Accounting firms handling sensitive financial data need collection infrastructure that meets compliance requirements without adding client friction.
Read article →