Here are the high-level requirements to keep in mind while planning your design. The most important point is that applicants must not receive any indication of the verification result, either directly or indirectly.

👍

After your solution meets our security best practices, Intellicheck provides authentication into a staging and production environment.

👻 Keep Verification Results Hidden

Do not reveal verification results (from Intellicheck or your own) with the applicant during any aspect of the transaction. Your workflow must use the returned ID data to autofill a form where applicable―even if the ID is identified as fraudulent. Only share verification results with your authorized employees on a need-to-know basis.

🔐 Build a Secure System Architecture

All workflow logic and decision logic must be performed on your system servers and never within code that runs on the applicant device. Do not reveal Signals (including Intellicheck signals) on the applicant device.

⛔ Build a Secure Workflow

Your workflow should obscure the decision logic. It should prevent an applicant from guessing how a verification result might have altered the workflow. Do not reveal the success or failure of individual steps. Each transaction must continue to completion, regardless of intermediate results. Provide generic messages regarding approval or disapproval.

🚪 Limit Applicant Retries

Do not allow more than three retries. Each retry is a new transaction that starts from the beginning and includes the entire workflow.

🔬 Sanitize Browser Logs

During the certification demo meeting, we will review your browser log messages. In particular, we review the browser console and how it shows our response data in your app. Ensure the app does not indirectly reveal verification results in the console.

Checklist

Here's a summary checklist for the cert demo meeting.

✅ Beginning-to-end workflow is prepared.

✅ Positive result scenario is prepared.

✅ Negative result scenario is prepared.

✅ Verification results are hidden.

✅ Secure architecture and workflow is in place.

✅ Applicant does not see success or failure indications.

✅ No more than three retries are allowed.

✅ Browser logs do not reveal verification results.