
Generic Implementation Guidelines

The following implementation guidelines must be adhered to when integrating this feature:

  • The SP will be provided with separate client credentials dedicated to the Facial Biometric Transaction Confirmation feature.

  • This feature is available to Verified Residents and Verified Visitors of UAE PASS.

  • The service provider must ensure that the correct user identifier (EID/Mobile/Email) is passed in the Authorization request as the username parameter, so that the Facial Biometric TC request is triggered for the correct user.

  • Upon successful completion of the request and receipt of a successful response from UAE PASS, the service provider must ensure that it is the intended user who has completed the Facial Biometric TC feature.

This can be achieved by following the steps below:

  1. Invoke the Authorization request and obtain the authorization code after successful Facial Biometric TC confirmation from the user.

  2. Invoke the UAE PASS token request and obtain the access token.

  3. Invoke the User Info API and retrieve the user information.

  4. Compare the user attributes received in the User Info response against the User Info response received during the UAE PASS Authentication session.

  5. It is strongly recommended to validate against the Sub and Emirates ID values. The service provider must make sure that this validation is performed against the already logged-in user's information.

  6. Once the intended user is verified, the service provider can proceed with the transaction flow.

  7. If the validation fails, the service provider must break the user journey.
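
Steps 4 to 7 as an added example (not UAE PASS code): a fail-closed comparison of the User Info response from the Facial Biometric TC flow against the one stored for the logged-in session. It assumes both responses are already parsed into dicts and that the Emirates ID claim is named idn; verify_tc_user, TcCheck and the sample values are hypothetical.

```python
import hmac
from dataclasses import dataclass

# "sub" is named on the page; "idn" as the Emirates ID claim is an assumption.
SUB_CLAIM, EID_CLAIM = "sub", "idn"

# Constructed sample User Info responses (not real identities).
SESSION_INFO = {"sub": "example-sub-0001", "idn": "784000000000001"}
TC_SAME_USER = {"sub": "example-sub-0001", "idn": "784000000000001"}
TC_OTHER_USER = {"sub": "example-sub-0002", "idn": "784000000000002"}


@dataclass(frozen=True)
class TcCheck:
    ok: bool
    reason: str


def _claim(userinfo, name):
    """Return a non-empty string claim, or None if missing or malformed."""
    value = userinfo.get(name) if isinstance(userinfo, dict) else None
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def _same(a, b):
    """Constant-time comparison of two identifier strings."""
    return hmac.compare_digest(a.encode(), b.encode())


def verify_tc_user(session_userinfo, tc_userinfo):
    """Compare the TC User Info with the logged-in session's User Info."""
    session_sub = _claim(session_userinfo, SUB_CLAIM)
    tc_sub = _claim(tc_userinfo, SUB_CLAIM)
    if session_sub is None or tc_sub is None:
        return TcCheck(False, "sub missing")
    if not _same(session_sub, tc_sub):
        return TcCheck(False, "sub mismatch")
    session_eid = _claim(session_userinfo, EID_CLAIM)
    tc_eid = _claim(tc_userinfo, EID_CLAIM)
    # Assumption: with no Emirates ID in either response, sub alone decides.
    if session_eid is None and tc_eid is None:
        return TcCheck(True, "sub matched; no Emirates ID in either response")
    if session_eid is None or tc_eid is None:
        return TcCheck(False, "Emirates ID present on one side only")
    if not _same(session_eid, tc_eid):
        return TcCheck(False, "Emirates ID mismatch")
    return TcCheck(True, "sub and Emirates ID matched")
```

The transaction proceeds only when ok is True; any other result ends the user journey, and the reason string is meant for the service provider's own logs.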
