diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index c2c32e463e..73ff2ec7d4 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -36,6 +36,7 @@ jobs:
                 infra:recent-user-activity
                 infra:config-store
                 infra:config-sync
+                infra:credential-store
                 infra:sync
             reportsId: infra1
 
@@ -51,6 +52,7 @@ jobs:
                 infra:images
                 infra:auth-store
                 infra:auth-logic
+                infra:matching
             reportsId: infra2
 
     feature-unit-tests1:
@@ -65,6 +67,7 @@ jobs:
                 feature:alert
                 feature:exit-form
                 feature:select-subject-age-group
+                feature:external-credential
             reportsId: feature1
 
     feature-unit-tests2:
diff --git a/feature/client-api/src/main/java/com/simprints/feature/clientapi/ClientApiViewModel.kt b/feature/client-api/src/main/java/com/simprints/feature/clientapi/ClientApiViewModel.kt
index c829d71410..63f2395485 100644
--- a/feature/client-api/src/main/java/com/simprints/feature/clientapi/ClientApiViewModel.kt
+++ b/feature/client-api/src/main/java/com/simprints/feature/clientapi/ClientApiViewModel.kt
@@ -5,6 +5,8 @@ import androidx.lifecycle.LiveData
 import androidx.lifecycle.MutableLiveData
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.tokenization.TokenizableString
 import com.simprints.core.livedata.LiveDataEvent
 import com.simprints.core.livedata.LiveDataEventWithContent
 import com.simprints.core.livedata.send
@@ -21,6 +23,9 @@ import com.simprints.feature.clientapi.usecases.GetEnrolmentCreationEventForSubj
 import com.simprints.feature.clientapi.usecases.IsFlowCompletedWithErrorUseCase
 import com.simprints.feature.clientapi.usecases.SimpleEventReporter
 import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
 import com.simprints.infra.logging.Simber
@@ -30,6 +35,7 @@ import com.simprints.infra.orchestration.data.ActionResponse
 import com.simprints.infra.orchestration.data.responses.AppConfirmationResponse
 import com.simprints.infra.orchestration.data.responses.AppEnrolResponse
 import com.simprints.infra.orchestration.data.responses.AppErrorResponse
+import com.simprints.infra.orchestration.data.responses.AppExternalCredential
 import com.simprints.infra.orchestration.data.responses.AppIdentifyResponse
 import com.simprints.infra.orchestration.data.responses.AppRefusalResponse
 import com.simprints.infra.orchestration.data.responses.AppVerifyResponse
@@ -53,6 +59,7 @@ class ClientApiViewModel @Inject internal constructor(
     private val configManager: ConfigManager,
     private val timeHelper: TimeHelper,
     private val persistentLogger: PersistentLogger,
+    private val tokenizationProcessor: TokenizationProcessor,
 ) : ViewModel() {
     val returnResponse: LiveData<LiveDataEventWithContent<Bundle>>
         get() = _returnResponse
@@ -115,6 +122,7 @@ class ClientApiViewModel @Inject internal constructor(
                     sessionId = currentSessionId,
                     enrolledGuid = enrolResponse.guid,
                     subjectActions = coSyncEnrolmentRecords,
+                    externalCredential = enrolResponse.externalCredential?.toAppExternalCredential(tokenizationProcessor, getProject()),
                 ),
             ),
         )
@@ -139,6 +147,7 @@ class ClientApiViewModel @Inject internal constructor(
                     actionIdentifier = action.actionIdentifier,
                     sessionId = currentSessionId,
                     identifications = identifyResponse.identifications,
+                    isMultiFactorIdEnabled = identifyResponse.isMultiFactorIdEnabled,
                 ),
             ),
         )
@@ -161,6 +170,7 @@ class ClientApiViewModel @Inject internal constructor(
                     actionIdentifier = action.actionIdentifier,
                     sessionId = currentSessionId,
                     confirmed = confirmResponse.identificationOutcome,
+                    externalCredential = confirmResponse.externalCredential?.toAppExternalCredential(tokenizationProcessor, getProject()),
                 ),
             ),
         )
@@ -262,4 +272,21 @@ class ClientApiViewModel @Inject internal constructor(
             body = "${action.actionIdentifier}\n$response",
         )
     }
+
+    private fun ExternalCredential.toAppExternalCredential(
+        tokenizationProcessor: TokenizationProcessor,
+        project: Project?,
+    ): AppExternalCredential? {
+        if (project == null) return null
+        val decryptedValue = tokenizationProcessor.decrypt(
+            encrypted = value,
+            tokenKeyType = TokenKeyType.ExternalCredential,
+            project = project,
+        ) as? TokenizableString.Raw ?: return null
+        return AppExternalCredential(
+            id = id,
+            value = decryptedValue,
+            type = type,
+        )
+    }
 }
diff --git a/feature/client-api/src/main/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapper.kt b/feature/client-api/src/main/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapper.kt
index 9e91614421..fe8243d9b7 100644
--- a/feature/client-api/src/main/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapper.kt
+++ b/feature/client-api/src/main/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapper.kt
@@ -5,8 +5,8 @@ import androidx.core.os.bundleOf
 import com.simprints.core.DeviceID
 import com.simprints.core.PackageVersionName
 import com.simprints.core.domain.response.AppErrorReason
-import com.simprints.infra.events.event.domain.models.scope.Device
 import com.simprints.infra.orchestration.data.ActionResponse
+import com.simprints.infra.orchestration.data.responses.AppExternalCredential
 import com.simprints.libsimprints.Constants
 import com.simprints.libsimprints.contracts.VersionsList
 import com.simprints.libsimprints.contracts.data.ConfidenceBand
@@ -15,6 +15,8 @@ import com.simprints.libsimprints.contracts.data.Identification
 import com.simprints.libsimprints.contracts.data.Identification.Companion.toJson
 import com.simprints.libsimprints.contracts.data.RefusalForm
 import com.simprints.libsimprints.contracts.data.Verification
+import org.json.JSONArray
+import org.json.JSONObject
 import javax.inject.Inject
 import com.simprints.libsimprints.Identification as LegacyIdentification
 import com.simprints.libsimprints.RefusalForm as LegacyRefusalForm
@@ -32,6 +34,7 @@ internal class LibSimprintsResponseMapper @Inject constructor(
             Constants.SIMPRINTS_DEVICE_ID to deviceId,
             Constants.SIMPRINTS_APP_VERSION_NAME to appVersionName,
             Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK to true,
+            HAS_CREDENTIAL to (response.externalCredential != null),
         ).appendDataPerContractVersion(response) { version ->
             when {
                 version < VersionsList.INITIAL_REWORK -> putParcelable(
@@ -42,6 +45,7 @@ internal class LibSimprintsResponseMapper @Inject constructor(
                 else -> putString(Constants.SIMPRINTS_ENROLMENT, Enrolment(response.enrolledGuid).toJson())
             }
         }.appendCoSyncData(response.subjectActions)
+            .appendExternalCredential(response.externalCredential)
 
         is ActionResponse.IdentifyActionResponse -> bundleOf(
             Constants.SIMPRINTS_SESSION_ID to response.sessionId,
@@ -50,6 +54,11 @@ internal class LibSimprintsResponseMapper @Inject constructor(
             Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK to true,
         ).appendDataPerContractVersion(response) { version ->
             when {
+                response.isMultiFactorIdEnabled -> putString(
+                    Constants.SIMPRINTS_IDENTIFICATIONS,
+                    response.mapIdentificationsWithCredentials(),
+                )
+
                 version < VersionsList.INITIAL_REWORK -> putParcelableArrayList(
                     Constants.SIMPRINTS_IDENTIFICATIONS,
                     response.identifications
@@ -66,12 +75,15 @@ internal class LibSimprintsResponseMapper @Inject constructor(
             }
         }
 
-        is ActionResponse.ConfirmActionResponse -> bundleOf(
-            Constants.SIMPRINTS_SESSION_ID to response.sessionId,
-            Constants.SIMPRINTS_DEVICE_ID to deviceId,
-            Constants.SIMPRINTS_APP_VERSION_NAME to appVersionName,
-            Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK to true,
-        )
+        is ActionResponse.ConfirmActionResponse -> {
+            bundleOf(
+                Constants.SIMPRINTS_SESSION_ID to response.sessionId,
+                Constants.SIMPRINTS_DEVICE_ID to deviceId,
+                Constants.SIMPRINTS_APP_VERSION_NAME to appVersionName,
+                Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK to true,
+                HAS_CREDENTIAL to (response.externalCredential != null),
+            ).appendExternalCredential(response.externalCredential)
+        }
 
         is ActionResponse.VerifyActionResponse -> bundleOf(
             Constants.SIMPRINTS_SESSION_ID to response.sessionId,
@@ -146,6 +158,33 @@ internal class LibSimprintsResponseMapper @Inject constructor(
         actions?.let { putString(Constants.SIMPRINTS_COSYNC_SUBJECT_ACTIONS, it) }
     }
 
+    private fun Bundle.appendExternalCredential(credential: AppExternalCredential?) = apply {
+        if (credential != null) {
+            val credentialJson =
+                JSONObject()
+                    .also {
+                        it.put(SCANNED_CREDENTIAL_VALUE, credential.value)
+                        it.put(SCANNED_CREDENTIAL_TYPE, credential.type)
+                    }.toString()
+            putString(SCANNED_CREDENTIAL, credentialJson)
+        }
+    }
+
+    private fun ActionResponse.IdentifyActionResponse.mapIdentificationsWithCredentials(): String = identifications
+        .map { identification ->
+            JSONObject()
+                .also { json ->
+                    json.put(KEY_GUID, identification.guid)
+                    json.put(KEY_CONFIDENCE_BAND, identification.matchConfidence.name)
+                    json.put(KEY_CONFIDENCE, identification.confidenceScore.toFloat())
+                    json.put(KEY_IS_LINKED_TO_CREDENTIAL, identification.isLinkedToScannedCredential ?: false)
+                    identification.isCredentialVerified?.let {
+                        json.put(KEY_IS_CREDENTIAL_VERIFIED, it)
+                    }
+                }
+        }.run(::JSONArray)
+        .toString()
+
     private fun AppErrorReason.libSimprintsResultCode() = when (this) {
         AppErrorReason.UNEXPECTED_ERROR -> Constants.SIMPRINTS_UNEXPECTED_ERROR
         AppErrorReason.ROOTED_DEVICE -> Constants.SIMPRINTS_ROOTED_DEVICE
@@ -182,5 +221,16 @@ internal class LibSimprintsResponseMapper @Inject constructor(
 
     companion object {
         internal const val RESULT_CODE_OVERRIDE = "result_code_override"
+        internal const val HAS_CREDENTIAL = "hasCredential"
+        internal const val SCANNED_CREDENTIAL = "scannedCredential"
+        internal const val SCANNED_CREDENTIAL_VALUE = "value"
+        internal const val SCANNED_CREDENTIAL_TYPE = "type"
+
+        // TODO [MS-1190] Move implementation to LibSimprints. These constats are copies of com.simprints.libsimprints.contracts.data.Identification
+        private const val KEY_GUID = "guid"
+        private const val KEY_CONFIDENCE = "confidence"
+        private const val KEY_CONFIDENCE_BAND = "confidenceBand"
+        private const val KEY_IS_LINKED_TO_CREDENTIAL = "isLinkedToCredential"
+        private const val KEY_IS_CREDENTIAL_VERIFIED = "isVerified"
     }
 }
diff --git a/feature/client-api/src/main/java/com/simprints/feature/clientapi/usecases/GetEnrolmentCreationEventForSubjectUseCase.kt b/feature/client-api/src/main/java/com/simprints/feature/clientapi/usecases/GetEnrolmentCreationEventForSubjectUseCase.kt
index 6661aa5441..766cabd0d3 100644
--- a/feature/client-api/src/main/java/com/simprints/feature/clientapi/usecases/GetEnrolmentCreationEventForSubjectUseCase.kt
+++ b/feature/client-api/src/main/java/com/simprints/feature/clientapi/usecases/GetEnrolmentCreationEventForSubjectUseCase.kt
@@ -39,7 +39,10 @@ internal class GetEnrolmentCreationEventForSubjectUseCase @Inject constructor(
             ?.fromSubjectToEnrolmentCreationEvent()
 
         if (recordCreationEvent == null) {
-            Simber.e("Couldn't find enrolment for subjectActions", IllegalStateException("No enrolment record found for subjectId: $subjectId"))
+            Simber.e(
+                "Couldn't find enrolment for subjectActions",
+                IllegalStateException("No enrolment record found for subjectId: $subjectId"),
+            )
             return null
         }
 
@@ -47,11 +50,12 @@ internal class GetEnrolmentCreationEventForSubjectUseCase @Inject constructor(
     }
 
     private fun Subject.fromSubjectToEnrolmentCreationEvent() = EnrolmentRecordCreationEvent(
-        subjectId,
-        projectId,
-        moduleId,
-        attendantId,
-        EnrolmentRecordCreationEvent.buildBiometricReferences(fingerprintSamples, faceSamples, encoder),
+        subjectId = subjectId,
+        projectId = projectId,
+        moduleId = moduleId,
+        attendantId = attendantId,
+        biometricReferences = EnrolmentRecordCreationEvent.buildBiometricReferences(fingerprintSamples, faceSamples, encoder),
+        externalCredentials = externalCredentials,
     )
 
     companion object {
diff --git a/feature/client-api/src/test/java/com/simprints/feature/clientapi/ClientApiViewModelTest.kt b/feature/client-api/src/test/java/com/simprints/feature/clientapi/ClientApiViewModelTest.kt
index f01529702e..4fe7c5a89b 100644
--- a/feature/client-api/src/test/java/com/simprints/feature/clientapi/ClientApiViewModelTest.kt
+++ b/feature/client-api/src/test/java/com/simprints/feature/clientapi/ClientApiViewModelTest.kt
@@ -2,8 +2,12 @@ package com.simprints.feature.clientapi
 
 import android.os.Bundle
 import androidx.arch.core.executor.testing.InstantTaskExecutorRule
-import androidx.test.ext.junit.runners.AndroidJUnit4
+import androidx.test.ext.junit.runners.*
 import com.jraska.livedata.test
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.core.tools.time.Timestamp
 import com.simprints.feature.clientapi.exceptions.InvalidRequestException
@@ -16,20 +20,18 @@ import com.simprints.feature.clientapi.usecases.GetEnrolmentCreationEventForSubj
 import com.simprints.feature.clientapi.usecases.IsFlowCompletedWithErrorUseCase
 import com.simprints.feature.clientapi.usecases.SimpleEventReporter
 import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.orchestration.data.ActionRequest
 import com.simprints.infra.orchestration.data.ActionRequestIdentifier
 import com.simprints.infra.orchestration.data.ActionResponse
+import com.simprints.infra.orchestration.data.responses.AppEnrolResponse
 import com.simprints.logging.persistent.PersistentLogger
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
-import io.mockk.MockKAnnotations
-import io.mockk.coEvery
-import io.mockk.coJustRun
-import io.mockk.coVerify
-import io.mockk.every
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.mockk
-import io.mockk.verify
 import kotlinx.coroutines.test.runTest
 import org.junit.Before
 import org.junit.Rule
@@ -80,6 +82,9 @@ internal class ClientApiViewModelTest {
     @MockK
     lateinit var persistentLogger: PersistentLogger
 
+    @MockK
+    lateinit var tokenizationProcessor: TokenizationProcessor
+
     private lateinit var viewModel: ClientApiViewModel
 
     @Before
@@ -107,6 +112,7 @@ internal class ClientApiViewModelTest {
             configManager = configManager,
             timeHelper = timeHelper,
             persistentLogger = persistentLogger,
+            tokenizationProcessor = tokenizationProcessor,
         )
     }
 
@@ -148,7 +154,10 @@ internal class ClientApiViewModelTest {
     fun `handleEnrolResponse saves correct events`() = runTest {
         viewModel.handleEnrolResponse(
             mockRequest(),
-            mockk { every { guid } returns "guid" },
+            mockk {
+                every { guid } returns "guid"
+                every { externalCredential } returns null
+            },
         )
 
         coVerify {
@@ -165,7 +174,10 @@ internal class ClientApiViewModelTest {
     fun `handleIdentifyResponse saves correct events`() = runTest {
         viewModel.handleIdentifyResponse(
             mockRequest(),
-            mockk { every { identifications } returns emptyList() },
+            mockk {
+                every { identifications } returns emptyList()
+                every { isMultiFactorIdEnabled } returns false
+            },
         )
 
         coVerify {
@@ -180,7 +192,10 @@ internal class ClientApiViewModelTest {
     fun `handleConfirmResponse saves correct events`() = runTest {
         viewModel.handleConfirmResponse(
             mockRequest(),
-            mockk { every { identificationOutcome } returns true },
+            mockk {
+                every { identificationOutcome } returns true
+                every { externalCredential } returns mockk()
+            },
         )
 
         coVerify {
@@ -246,6 +261,80 @@ internal class ClientApiViewModelTest {
         viewModel.returnResponse.test().assertHasValue()
     }
 
+    @Test
+    fun `handleEnrolResponse with externalCredential decrypts and includes it in response`() = runTest {
+        val mockGuid = "mockGuid"
+        val expectedCredentialId = "credentialId"
+        val expectedType = ExternalCredentialType.NHISCard
+        val credential = mockExternalCredential(expectedCredentialId, expectedType)
+        val project = mockk<Project>(relaxed = true)
+        setupDecryption(project, "decrypted-value".asTokenizableRaw())
+
+        viewModel.handleEnrolResponse(mockRequest(), mockEnrolResponseWithCredential(mockGuid, credential))
+
+        verify {
+            resultMapper.invoke(
+                match<ActionResponse.EnrolActionResponse> {
+                    it.externalCredential?.id == expectedCredentialId &&
+                        it.externalCredential?.type == expectedType
+                },
+            )
+        }
+    }
+
+    @Test
+    fun `handleEnrolResponse with externalCredential but encrypted decryption returns null credential`() = runTest {
+        val mockGuid = "mockGuid"
+        val expectedCredentialId = "credentialId"
+        val expectedType = ExternalCredentialType.NHISCard
+        val credential = mockExternalCredential(expectedCredentialId, expectedType)
+        val project = mockk<Project>(relaxed = true)
+        setupDecryption(project, mockk<TokenizableString.Tokenized>())
+
+        viewModel.handleEnrolResponse(mockRequest(), mockEnrolResponseWithCredential(mockGuid, credential))
+
+        verify {
+            resultMapper.invoke(
+                match<ActionResponse.EnrolActionResponse> {
+                    it.externalCredential == null
+                },
+            )
+        }
+    }
+
+    private fun mockEnrolResponseWithCredential(
+        mockGuid: String,
+        credential: ExternalCredential?,
+    ): AppEnrolResponse = mockk {
+        every { guid } returns mockGuid
+        every { externalCredential } returns credential
+    }
+
+    private fun mockExternalCredential(
+        mockId: String,
+        mockType: ExternalCredentialType,
+    ): ExternalCredential = mockk {
+        every { id } returns mockId
+        every { value } returns mockk()
+        every { type } returns mockType
+    }
+
+    private fun setupDecryption(
+        project: Project,
+        returnValue: TokenizableString,
+    ) {
+        val projectId = "projectId"
+        every { authStore.signedInProjectId } returns projectId
+        coEvery { configManager.getProject(projectId) } returns project
+        every {
+            tokenizationProcessor.decrypt(
+                encrypted = any(),
+                tokenKeyType = TokenKeyType.ExternalCredential,
+                project = project,
+            )
+        } returns returnValue
+    }
+
     private fun mockRequest(): ActionRequest = mockk {
         every { projectId } returns "projectId"
         every { actionIdentifier } returns ActionRequestIdentifier("action", "package", "", 1, 0L)
diff --git a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/ActionToIntentMapperTest.kt b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/ActionToIntentMapperTest.kt
index d2c545e9d3..1a39853093 100644
--- a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/ActionToIntentMapperTest.kt
+++ b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/ActionToIntentMapperTest.kt
@@ -7,9 +7,8 @@ import com.simprints.feature.clientapi.models.LibSimprintsConstants
 import com.simprints.feature.clientapi.models.OdkConstants
 import com.simprints.infra.orchestration.data.ActionResponse
 import com.simprints.testtools.common.syntax.assertThrows
-import io.mockk.MockKAnnotations
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.verify
 import org.junit.Before
 import org.junit.Test
 
@@ -74,5 +73,6 @@ class ActionToIntentMapperTest {
         actionIdentifier = ConfirmIdentityActionFactory.getIdentifier().copy(packageName = packageName),
         sessionId = "sessionId",
         confirmed = true,
+        externalCredential = null,
     )
 }
diff --git a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/CommCareResponseMapperTest.kt b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/CommCareResponseMapperTest.kt
index a99aa6a354..f9abf3fb49 100644
--- a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/CommCareResponseMapperTest.kt
+++ b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/CommCareResponseMapperTest.kt
@@ -1,8 +1,8 @@
 package com.simprints.feature.clientapi.mappers.response
 
 import androidx.core.os.bundleOf
-import androidx.test.ext.junit.runners.AndroidJUnit4
-import com.google.common.truth.Truth.assertThat
+import androidx.test.ext.junit.runners.*
+import com.google.common.truth.Truth.*
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.domain.response.AppMatchConfidence
 import com.simprints.feature.clientapi.mappers.request.requestFactories.ConfirmIdentityActionFactory
@@ -31,6 +31,7 @@ class CommCareResponseMapperTest {
                 sessionId = "sessionId",
                 enrolledGuid = "guid",
                 subjectActions = "subjects",
+                externalCredential = null,
             ),
         ).getBundle(CommCareConstants.COMMCARE_BUNDLE_KEY) ?: bundleOf()
 
@@ -59,6 +60,7 @@ class CommCareResponseMapperTest {
                         matchConfidence = AppMatchConfidence.LOW,
                     ),
                 ),
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -85,6 +87,7 @@ class CommCareResponseMapperTest {
                 actionIdentifier = ConfirmIdentityActionFactory.getIdentifier(),
                 sessionId = "sessionId",
                 confirmed = true,
+                externalCredential = null,
             ),
         ).getBundle(CommCareConstants.COMMCARE_BUNDLE_KEY) ?: bundleOf()
 
diff --git a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapperTest.kt b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapperTest.kt
index 05e28f5260..5d3140035f 100644
--- a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapperTest.kt
+++ b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/LibSimprintsResponseMapperTest.kt
@@ -2,17 +2,24 @@ package com.simprints.feature.clientapi.mappers.response
 
 import androidx.test.ext.junit.runners.*
 import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.domain.response.AppMatchConfidence
+import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.feature.clientapi.mappers.request.requestFactories.ConfirmIdentityActionFactory
 import com.simprints.feature.clientapi.mappers.request.requestFactories.EnrolActionFactory
 import com.simprints.feature.clientapi.mappers.request.requestFactories.EnrolLastBiometricsActionFactory
 import com.simprints.feature.clientapi.mappers.request.requestFactories.IdentifyRequestActionFactory
 import com.simprints.feature.clientapi.mappers.request.requestFactories.VerifyActionFactory
+import com.simprints.feature.clientapi.mappers.response.LibSimprintsResponseMapper.Companion.HAS_CREDENTIAL
+import com.simprints.feature.clientapi.mappers.response.LibSimprintsResponseMapper.Companion.SCANNED_CREDENTIAL
+import com.simprints.feature.clientapi.mappers.response.LibSimprintsResponseMapper.Companion.SCANNED_CREDENTIAL_TYPE
+import com.simprints.feature.clientapi.mappers.response.LibSimprintsResponseMapper.Companion.SCANNED_CREDENTIAL_VALUE
 import com.simprints.infra.orchestration.data.ActionResponse
 import com.simprints.infra.orchestration.data.responses.AppMatchResult
 import com.simprints.libsimprints.Constants
 import com.simprints.libsimprints.contracts.VersionsList
+import io.mockk.*
 import org.junit.Test
 import org.junit.runner.RunWith
 import com.simprints.libsimprints.Identification as LegacyIdentification
@@ -33,6 +40,7 @@ class LibSimprintsResponseMapperTest {
                 sessionId = "sessionId",
                 enrolledGuid = "guid",
                 subjectActions = "subjects",
+                externalCredential = null,
             ),
         )
 
@@ -55,6 +63,7 @@ class LibSimprintsResponseMapperTest {
                 sessionId = "sessionId",
                 enrolledGuid = "guid",
                 subjectActions = "subjects",
+                externalCredential = null,
             ),
         )
 
@@ -83,6 +92,7 @@ class LibSimprintsResponseMapperTest {
                         matchConfidence = AppMatchConfidence.LOW,
                     ),
                 ),
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -110,6 +120,7 @@ class LibSimprintsResponseMapperTest {
                         matchConfidence = AppMatchConfidence.MEDIUM,
                     ),
                 ),
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -126,11 +137,18 @@ class LibSimprintsResponseMapperTest {
 
     @Test
     fun `correctly maps confirm response`() {
+        val expectedValue = "expectedValue".asTokenizableRaw()
+        val expectedType = ExternalCredentialType.NHISCard
+        val expectedJson = "{\"$SCANNED_CREDENTIAL_VALUE\":\"$expectedValue\",\"$SCANNED_CREDENTIAL_TYPE\":\"$expectedType\"}"
         val extras = mapper(
             ActionResponse.ConfirmActionResponse(
                 actionIdentifier = ConfirmIdentityActionFactory.getIdentifier(),
                 sessionId = "sessionId",
                 confirmed = true,
+                externalCredential = mockk {
+                    every { value } returns expectedValue
+                    every { type } returns expectedType
+                },
             ),
         )
 
@@ -138,6 +156,8 @@ class LibSimprintsResponseMapperTest {
         assertThat(extras.getString(Constants.SIMPRINTS_DEVICE_ID)).isEqualTo("deviceId")
         assertThat(extras.getString(Constants.SIMPRINTS_APP_VERSION_NAME)).isEqualTo("appVersionName")
         assertThat(extras.getBoolean(Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK)).isTrue()
+        assertThat(extras.getBoolean(HAS_CREDENTIAL)).isTrue()
+        assertThat(extras.getString(SCANNED_CREDENTIAL)).isEqualTo(expectedJson)
     }
 
     @Test
@@ -381,4 +401,146 @@ class LibSimprintsResponseMapperTest {
             )
         }
     }
+
+    @Test
+    fun `correctly maps enrol response with external credential`() {
+        val expectedValue = "expectedValue".asTokenizableRaw()
+        val expectedType = ExternalCredentialType.NHISCard
+        val expectedJson = "{\"$SCANNED_CREDENTIAL_VALUE\":\"$expectedValue\",\"$SCANNED_CREDENTIAL_TYPE\":\"$expectedType\"}"
+
+        val extras = mapper(
+            ActionResponse.EnrolActionResponse(
+                actionIdentifier = EnrolActionFactory.getIdentifier(),
+                sessionId = "sessionId",
+                enrolledGuid = "guid",
+                subjectActions = "subjects",
+                externalCredential = mockk {
+                    every { value } returns expectedValue
+                    every { type } returns expectedType
+                },
+            ),
+        )
+
+        assertThat(extras.getBoolean(HAS_CREDENTIAL)).isTrue()
+        assertThat(extras.getString(SCANNED_CREDENTIAL)).isEqualTo(expectedJson)
+    }
+
+    @Test
+    fun `correctly maps confirm response without external credential`() {
+        val extras = mapper(
+            ActionResponse.ConfirmActionResponse(
+                actionIdentifier = ConfirmIdentityActionFactory.getIdentifier(),
+                sessionId = "sessionId",
+                confirmed = true,
+                externalCredential = null,
+            ),
+        )
+
+        assertThat(extras.getString(Constants.SIMPRINTS_SESSION_ID)).isEqualTo("sessionId")
+        assertThat(extras.getString(Constants.SIMPRINTS_DEVICE_ID)).isEqualTo("deviceId")
+        assertThat(extras.getString(Constants.SIMPRINTS_APP_VERSION_NAME)).isEqualTo("appVersionName")
+        assertThat(extras.getBoolean(Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK)).isTrue()
+        assertThat(extras.getBoolean(HAS_CREDENTIAL)).isFalse()
+        assertThat(extras.keySet()).doesNotContain(SCANNED_CREDENTIAL)
+    }
+
+    @Test
+    fun `correctly maps identify response with multi-factor ID enabled`() {
+        val identification1 = AppMatchResult(
+            guid = "guid-1",
+            confidenceScore = 100,
+            matchConfidence = AppMatchConfidence.MEDIUM,
+            isLinkedToScannedCredential = true,
+            isCredentialVerified = true,
+        )
+        val identification2 = AppMatchResult(
+            guid = "guid-2",
+            confidenceScore = 75,
+            matchConfidence = AppMatchConfidence.LOW,
+            isLinkedToScannedCredential = false,
+            isCredentialVerified = null,
+        )
+
+        val expectedIdentifications = "[${identification1.toResponseJson()},${identification2.toResponseJson()}]"
+
+        val extras = mapper(
+            ActionResponse.IdentifyActionResponse(
+                actionIdentifier = IdentifyRequestActionFactory.getIdentifier(),
+                sessionId = "sessionId",
+                identifications = listOf(identification1, identification2),
+                isMultiFactorIdEnabled = true,
+            ),
+        )
+
+        assertThat(extras.getString(Constants.SIMPRINTS_SESSION_ID)).isEqualTo("sessionId")
+        assertThat(extras.getString(Constants.SIMPRINTS_DEVICE_ID)).isEqualTo("deviceId")
+        assertThat(extras.getString(Constants.SIMPRINTS_APP_VERSION_NAME)).isEqualTo("appVersionName")
+        assertThat(extras.getString(Constants.SIMPRINTS_IDENTIFICATIONS)).isEqualTo(expectedIdentifications)
+        assertThat(extras.getBoolean(Constants.SIMPRINTS_BIOMETRICS_COMPLETE_CHECK)).isTrue()
+    }
+
+    @Test
+    fun `mapIdentificationsWithCredentials omits isVerified when null`() {
+        val guid = "guid"
+        val extras = mapper(
+            ActionResponse.IdentifyActionResponse(
+                actionIdentifier = IdentifyRequestActionFactory.getIdentifier(),
+                sessionId = "sessionId",
+                identifications = listOf(
+                    AppMatchResult(
+                        guid = guid,
+                        confidenceScore = 80,
+                        matchConfidence = AppMatchConfidence.MEDIUM,
+                        isLinkedToScannedCredential = false,
+                        isCredentialVerified = null,
+                    ),
+                ),
+                isMultiFactorIdEnabled = true,
+            ),
+        )
+
+        val identificationsJson = extras.getString(Constants.SIMPRINTS_IDENTIFICATIONS)
+        assertThat(identificationsJson).contains("\"guid\":\"$guid\"")
+        assertThat(identificationsJson).contains("\"isLinkedToCredential\":false")
+        assertThat(identificationsJson).doesNotContain("isVerified")
+    }
+
+    @Test
+    fun `identify response uses legacy format when multi-factor ID is disabled`() {
+        val guid = "guid"
+        val confidenceScore = 100
+        val extras = mapper(
+            ActionResponse.IdentifyActionResponse(
+                actionIdentifier = IdentifyRequestActionFactory.getIdentifier(),
+                sessionId = "sessionId",
+                identifications = listOf(
+                    AppMatchResult(
+                        guid = guid,
+                        confidenceScore = confidenceScore,
+                        matchConfidence = AppMatchConfidence.MEDIUM,
+                        isLinkedToScannedCredential = true,
+                        isCredentialVerified = true,
+                    ),
+                ),
+                isMultiFactorIdEnabled = false,
+            ),
+        )
+
+        assertThat(extras.getParcelableArrayList<LegacyIdentification>(Constants.SIMPRINTS_IDENTIFICATIONS)).containsExactly(
+            LegacyIdentification(guid = guid, confidence = confidenceScore, tier = LegacyTier.TIER_2),
+        )
+    }
+
+    private fun AppMatchResult.toResponseJson(): String {
+        val jsonBuilder = StringBuilder()
+        jsonBuilder.append("{\"guid\":\"$guid\"")
+        jsonBuilder.append(",\"confidenceBand\":\"${matchConfidence.name}\"")
+        jsonBuilder.append(",\"confidence\":$confidenceScore")
+        jsonBuilder.append(",\"isLinkedToCredential\":$isLinkedToScannedCredential")
+        isCredentialVerified?.let {
+            jsonBuilder.append(",\"isVerified\":$it")
+        }
+        jsonBuilder.append("}")
+        return jsonBuilder.toString()
+    }
 }
diff --git a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/OdkResponseMapperTest.kt b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/OdkResponseMapperTest.kt
index b4f234d861..6b1349d889 100644
--- a/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/OdkResponseMapperTest.kt
+++ b/feature/client-api/src/test/java/com/simprints/feature/clientapi/mappers/response/OdkResponseMapperTest.kt
@@ -1,7 +1,7 @@
 package com.simprints.feature.clientapi.mappers.response
 
-import androidx.test.ext.junit.runners.AndroidJUnit4
-import com.google.common.truth.Truth.assertThat
+import androidx.test.ext.junit.runners.*
+import com.google.common.truth.Truth.*
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.domain.response.AppMatchConfidence
 import com.simprints.feature.clientapi.mappers.request.requestFactories.ConfirmIdentityActionFactory
@@ -27,6 +27,7 @@ class OdkResponseMapperTest {
                 sessionId = "sessionId",
                 enrolledGuid = "guid",
                 subjectActions = "subjects",
+                externalCredential = null,
             ),
         )
 
@@ -53,6 +54,7 @@ class OdkResponseMapperTest {
                         matchConfidence = AppMatchConfidence.LOW,
                     ),
                 ),
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -72,6 +74,7 @@ class OdkResponseMapperTest {
                 actionIdentifier = IdentifyRequestActionFactory.getIdentifier(),
                 sessionId = "sessionId",
                 identifications = listOf(),
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -85,6 +88,7 @@ class OdkResponseMapperTest {
                 actionIdentifier = ConfirmIdentityActionFactory.getIdentifier(),
                 sessionId = "sessionId",
                 confirmed = true,
+                externalCredential = null,
             ),
         )
 
diff --git a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/ConsentViewModel.kt b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/ConsentViewModel.kt
index 8f8606c54c..0affc90d14 100644
--- a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/ConsentViewModel.kt
+++ b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/ConsentViewModel.kt
@@ -82,20 +82,23 @@ internal class ConsentViewModel @Inject constructor(
         selectedTabIndex: Int,
     ): ConsentViewState {
         val allowParentalConsent = projectConfig.consent.allowParentalConsent
+        val isMultiFactorIdEnabled = projectConfig.multifactorId?.allowedExternalCredentials?.isNotEmpty() ?: false
 
         return ConsentViewState(
             showLogo = projectConfig.consent.displaySimprintsLogo,
             showParentalConsent = allowParentalConsent,
             consentTextBuilder = GeneralConsentTextHelper(
-                projectConfig.consent,
-                projectConfig.general.modalities,
-                consentType,
+                config = projectConfig.consent,
+                modalities = projectConfig.general.modalities,
+                consentType = consentType,
+                isMultiFactorIdEnabled = isMultiFactorIdEnabled,
             ),
             parentalTextBuilder = if (allowParentalConsent) {
                 ParentalConsentTextHelper(
-                    projectConfig.consent,
-                    projectConfig.general.modalities,
-                    consentType,
+                    config = projectConfig.consent,
+                    modalities = projectConfig.general.modalities,
+                    consentType = consentType,
+                    isMultiFactorIdEnabled = isMultiFactorIdEnabled,
                 )
             } else {
                 null
diff --git a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelper.kt b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelper.kt
index 6fcb535638..c8e234d80e 100644
--- a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelper.kt
+++ b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelper.kt
@@ -10,17 +10,21 @@ internal data class GeneralConsentTextHelper(
     private val config: ConsentConfiguration,
     private val modalities: List<Modality>,
     private val consentType: ConsentType,
+    private val isMultiFactorIdEnabled: Boolean,
 ) {
     // TODO All the `getString(id).format(arg,arg)` calls should be `getString(id,arg,arg)` one strings are fixed
 
-    // First argument in consent text should always be program name, second is modality specific access/use case text
     fun assembleText(context: Context) = StringBuilder()
         .apply {
             val modalityUseCase = getModalitySpecificUseCaseText(context, modalities)
-            val modalityAccess = getModalitySpecificAccessText(context, modalities)
+            val modalityAccess =
+                getModalitySpecificAccessText(context, modalities) + getMultiFactorIdAccessText(context, isMultiFactorIdEnabled)
 
-            filterAppRequestForConsent(context, consentType, config, modalityUseCase)
-            filterForDataSharingOptions(context, config, modalityUseCase, modalityAccess)
+            val requestModalityUseCase = modalityUseCase + getMultiFactorIdUseCaseText(context, isMultiFactorIdEnabled)
+            val dataSharingModalityUseCase = modalityUseCase + getMultiFactorIdSharingText(context, isMultiFactorIdEnabled)
+
+            filterAppRequestForConsent(context, consentType, config, requestModalityUseCase)
+            filterForDataSharingOptions(context, config, dataSharingModalityUseCase, modalityAccess)
         }.toString()
 
     private fun StringBuilder.filterAppRequestForConsent(
@@ -134,4 +138,42 @@ internal data class GeneralConsentTextHelper(
         Modality.FACE -> context.getString(R.string.consent_biometrics_access_face)
         Modality.FINGERPRINT -> context.getString(R.string.consent_biometrics_access_fingerprint)
     }
+
+    private fun getMultiFactorIdUseCaseText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_biometric_concat_modalities),
+            context.getString(R.string.consent_credentials_general),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
+
+    private fun getMultiFactorIdAccessText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_credentials_access),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
+
+    private fun getMultiFactorIdSharingText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_biometric_concat_modalities),
+            context.getString(R.string.consent_credentials_your_id),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
 }
diff --git a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelper.kt b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelper.kt
index bf73ec7eb4..66ae44a2f7 100644
--- a/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelper.kt
+++ b/feature/consent/src/main/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelper.kt
@@ -10,17 +10,20 @@ internal data class ParentalConsentTextHelper(
     private val config: ConsentConfiguration,
     private val modalities: List<Modality>,
     private val consentType: ConsentType,
+    private val isMultiFactorIdEnabled: Boolean,
 ) {
     // TODO All the `getString(id).format(arg,arg)` calls should be `getString(id,arg,arg)` one strings are fixed
 
-    // First argument in consent text should always be program name, second is modality specific access/use case text
     fun assembleText(context: Context): String = StringBuilder()
         .apply {
             val modalityUseCase = getModalitySpecificUseCaseText(context, modalities)
-            val modalityAccess = getModalitySpecificAccessText(context, modalities)
+            val modalityAccess =
+                getModalitySpecificAccessText(context, modalities) + getMultiFactorIdAccessText(context, isMultiFactorIdEnabled)
 
-            filterAppRequestForParentalConsent(context, consentType, config, modalityUseCase)
-            extractDataSharingOptions(context, config, modalityUseCase, modalityAccess)
+            val requestModalityUseCase = modalityUseCase + getMultiFactorIdUseCaseText(context, isMultiFactorIdEnabled)
+            val dataSharingModalityUseCase = modalityUseCase + getMultiFactorIdSharingText(context, isMultiFactorIdEnabled)
+            filterAppRequestForParentalConsent(context, consentType, config, requestModalityUseCase)
+            extractDataSharingOptions(context, config, dataSharingModalityUseCase, modalityAccess)
         }.toString()
 
     private fun StringBuilder.filterAppRequestForParentalConsent(
@@ -136,4 +139,42 @@ internal data class ParentalConsentTextHelper(
         Modality.FINGERPRINT -> context.getString(R.string.consent_biometrics_access_fingerprint)
         else -> ""
     }
+
+    private fun getMultiFactorIdAccessText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_credentials_parental_access),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
+
+    private fun getMultiFactorIdUseCaseText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_biometric_concat_modalities),
+            context.getString(R.string.consent_credentials_parental_general),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
+
+    private fun getMultiFactorIdSharingText(
+        context: Context,
+        isMultiFactorIdEnabled: Boolean,
+    ): String = if (isMultiFactorIdEnabled) {
+        listOf(
+            ",",
+            context.getString(R.string.consent_biometric_concat_modalities),
+            context.getString(R.string.consent_credentials_parental_your_id),
+        ).joinToString(separator = " ")
+    } else {
+        ""
+    }
 }
diff --git a/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelperTest.kt b/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelperTest.kt
index 985d9c4087..cda8dba7b1 100644
--- a/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelperTest.kt
+++ b/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/GeneralConsentTextHelperTest.kt
@@ -40,6 +40,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -63,6 +64,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -86,6 +88,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -109,6 +112,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -132,6 +136,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.VERIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -155,6 +160,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -178,6 +184,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -201,6 +208,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -225,6 +233,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -249,6 +258,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -273,6 +283,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -296,6 +307,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -318,6 +330,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -340,6 +353,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -362,6 +376,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -384,6 +399,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -407,6 +423,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -429,6 +446,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(generalConsentText).doesNotContainMatch("\\.\\w")
@@ -448,6 +466,7 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(generalConsentText).doesNotContainMatch("^\\s.*")
@@ -467,11 +486,84 @@ class GeneralConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(generalConsentText).doesNotContain("  ")
     }
 
+    @Test
+    fun `should add multi-factor ID use case text when isMultiFactorIdEnabled is true`() {
+        val generalConsentText = GeneralConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = false,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.ENROL,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        val expectedText = String.format(
+            ", %s %s",
+            context.getString(R.string.consent_biometric_concat_modalities),
+            context.getString(R.string.consent_credentials_general),
+        )
+
+        assertThat(generalConsentText).contains(expectedText)
+    }
+
+    @Test
+    fun `should add multi-factor ID sharing text when isMultiFactorIdEnabled is true`() {
+        val generalConsentText = GeneralConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = true,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.IDENTIFY,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        // Just check for the key identifying phrase from the credentials text
+        assertThat(generalConsentText).contains("national ID document or other external credentials")
+    }
+
+    @Test
+    fun `should add multi-factor ID access text when isMultiFactorIdEnabled is true`() {
+        val generalConsentText = GeneralConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = false,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.IDENTIFY,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        val expectedText = String.format(
+            ", %s",
+            context.getString(R.string.consent_credentials_access),
+        )
+
+        assertThat(generalConsentText).contains(expectedText)
+    }
+
     private fun configWithPrompt(prompt: ConsentConfiguration.ConsentPromptConfiguration) = ConsentConfiguration(
         programName = PROGRAM_NAME,
         organizationName = ORGANIZATION_NAME,
diff --git a/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelperTest.kt b/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelperTest.kt
index 7fe9694c79..542eae823a 100644
--- a/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelperTest.kt
+++ b/feature/consent/src/test/java/com/simprints/feature/consent/screens/consent/helpers/ParentalConsentTextHelperTest.kt
@@ -40,6 +40,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -63,6 +64,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -86,6 +88,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -109,6 +112,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.ENROL,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -132,6 +136,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.VERIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -155,6 +160,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -178,6 +184,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -201,6 +208,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -225,6 +233,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -249,6 +258,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT, GeneralConfiguration.Modality.FACE),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -273,6 +283,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -296,6 +307,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -318,6 +330,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -340,6 +353,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -362,6 +376,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -384,6 +399,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -407,6 +423,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         val expectedString = context
@@ -429,6 +446,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(parentalConsentText).doesNotContainMatch("\\.\\w")
@@ -448,6 +466,7 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(parentalConsentText).doesNotContainMatch("^\\s.*")
@@ -467,11 +486,72 @@ class ParentalConsentTextHelperTest {
             ),
             listOf(GeneralConfiguration.Modality.FINGERPRINT),
             ConsentType.IDENTIFY,
+            false,
         ).assembleText(context)
 
         assertThat(parentalConsentText).doesNotContain("  ")
     }
 
+    @Test
+    fun `should add multi-factor ID use case text when isMultiFactorIdEnabled is true`() {
+        val parentalConsentText = ParentalConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = false,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.ENROL,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        assertThat(parentalConsentText).contains(context.getString(R.string.consent_credentials_parental_general))
+    }
+
+    @Test
+    fun `should add multi-factor ID access text when isMultiFactorIdEnabled is true`() {
+        val parentalConsentText = ParentalConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = false,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.IDENTIFY,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        assertThat(parentalConsentText).contains(context.getString(R.string.consent_credentials_parental_access))
+    }
+
+    @Test
+    fun `should add multi-factor ID sharing text when isMultiFactorIdEnabled is true`() {
+        val parentalConsentText = ParentalConsentTextHelper(
+            configWithPrompt(
+                ConsentConfiguration.ConsentPromptConfiguration(
+                    enrolmentVariant = ConsentConfiguration.ConsentEnrolmentVariant.STANDARD,
+                    dataSharedWithPartner = true,
+                    dataUsedForRAndD = false,
+                    privacyRights = false,
+                    confirmation = false,
+                ),
+            ),
+            listOf(GeneralConfiguration.Modality.FINGERPRINT),
+            ConsentType.IDENTIFY,
+            isMultiFactorIdEnabled = true,
+        ).assembleText(context)
+
+        assertThat(parentalConsentText).contains("child's national ID document or other external credentials")
+    }
+
     private fun configWithPrompt(prompt: ConsentConfiguration.ConsentPromptConfiguration) = ConsentConfiguration(
         programName = PROGRAM_NAME,
         organizationName = ORGANIZATION_NAME,
diff --git a/feature/enrol-last-biometric/build.gradle.kts b/feature/enrol-last-biometric/build.gradle.kts
index dec9378420..c1699c9563 100644
--- a/feature/enrol-last-biometric/build.gradle.kts
+++ b/feature/enrol-last-biometric/build.gradle.kts
@@ -10,6 +10,7 @@ android {
 dependencies {
 
     implementation(project(":feature:alert"))
+    implementation(project(":feature:external-credential"))
     implementation(project(":infra:event-sync"))
     implementation(project(":infra:config-store"))
     implementation(project(":infra:config-sync"))
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricContract.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricContract.kt
index a3c6c5bc94..b4c2fca5c1 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricContract.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricContract.kt
@@ -1,7 +1,10 @@
 package com.simprints.feature.enrollast
 
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 object EnrolLastBiometricContract {
     val DESTINATION = R.id.enrolLastBiometricFragment
 
@@ -10,10 +13,12 @@ object EnrolLastBiometricContract {
         userId: TokenizableString,
         moduleId: TokenizableString,
         steps: List<EnrolLastBiometricStepResult>,
+        scannedCredential: ScannedCredential?,
     ) = EnrolLastBiometricParams(
         projectId = projectId,
         userId = userId,
         moduleId = moduleId,
         steps = steps,
+        scannedCredential = scannedCredential,
     )
 }
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricParams.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricParams.kt
index 1f38f1fb95..57040125ff 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricParams.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricParams.kt
@@ -1,18 +1,22 @@
 package com.simprints.feature.enrollast
 
 import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.core.domain.step.StepParams
 import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.Finger
 import com.simprints.infra.config.store.models.FingerprintConfiguration
 
 @Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 data class EnrolLastBiometricParams(
     val projectId: String,
     val userId: TokenizableString,
     val moduleId: TokenizableString,
     val steps: List<EnrolLastBiometricStepResult>,
+    val scannedCredential: ScannedCredential?,
 ) : StepParams
 
 sealed class EnrolLastBiometricStepResult : StepParams {
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricResult.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricResult.kt
index 872e6874c8..e7abcc16f4 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricResult.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/EnrolLastBiometricResult.kt
@@ -1,9 +1,11 @@
 package com.simprints.feature.enrollast
 
 import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.step.StepResult
 
 @Keep
 data class EnrolLastBiometricResult(
     val newSubjectId: String?,
+    val externalCredential: ExternalCredential?,
 ) : StepResult
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricFragment.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricFragment.kt
index 9411e13490..b95dc0bafa 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricFragment.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricFragment.kt
@@ -6,6 +6,8 @@ import android.widget.Toast
 import androidx.fragment.app.Fragment
 import androidx.fragment.app.viewModels
 import androidx.navigation.fragment.findNavController
+import com.google.android.material.bottomsheet.BottomSheetDialog
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.livedata.LiveDataEventWithContentObserver
 import com.simprints.feature.alert.AlertContract
@@ -21,6 +23,8 @@ import com.simprints.feature.enrollast.screen.EnrolLastState.ErrorType
 import com.simprints.feature.enrollast.screen.EnrolLastState.ErrorType.DUPLICATE_ENROLMENTS
 import com.simprints.feature.enrollast.screen.EnrolLastState.ErrorType.GENERAL_ERROR
 import com.simprints.feature.enrollast.screen.EnrolLastState.ErrorType.NO_MATCH_RESULTS
+import com.simprints.feature.enrollast.screen.model.CredentialDialogItem
+import com.simprints.feature.externalcredential.view.ScannedCredentialDialog
 import com.simprints.infra.config.store.models.GeneralConfiguration.Modality
 import com.simprints.infra.events.event.domain.models.AlertScreenEvent
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
@@ -37,6 +41,7 @@ import com.simprints.infra.resources.R as IDR
 internal class EnrolLastBiometricFragment : Fragment(R.layout.fragment_enrol_last) {
     private val viewModel: EnrolLastBiometricViewModel by viewModels()
     private val params: EnrolLastBiometricParams by navigationParams()
+    private var dialog: BottomSheetDialog? = null
 
     override fun onViewCreated(
         view: View,
@@ -50,17 +55,35 @@ internal class EnrolLastBiometricFragment : Fragment(R.layout.fragment_enrol_las
             viewLifecycleOwner,
             R.id.enrolLastBiometricFragment,
             AlertContract.DESTINATION,
-        ) { finishWithSubjectId(null) }
+        ) { finish(newSubjectId = null, credential = null) }
 
-        viewModel.finish.observe(viewLifecycleOwner, LiveDataEventWithContentObserver { finishWithResult(it) })
+        initObservers()
         viewModel.onViewCreated(params)
     }
 
+    private fun initObservers() {
+        viewModel.finish.observe(viewLifecycleOwner, LiveDataEventWithContentObserver { finishWithResult(it) })
+        viewModel.showAddCredentialDialog.observe(
+            viewLifecycleOwner,
+            LiveDataEventWithContentObserver(::displayCredentialDialog),
+        )
+    }
+
+    private fun displayCredentialDialog(credentialDialogItem: CredentialDialogItem) {
+        dialog = ScannedCredentialDialog(
+            context = requireActivity(),
+            credential = credentialDialogItem.scannedCredential,
+            displayedCredential = credentialDialogItem.displayedCredential,
+            onConfirm = { viewModel.enrolBiometric(params, isAddingCredential = true) },
+            onSkip = { viewModel.enrolBiometric(params, isAddingCredential = false) },
+        ).also(ScannedCredentialDialog::show)
+    }
+
     private fun finishWithResult(result: EnrolLastState) = when (result) {
         is EnrolLastState.Failed -> showError(result.errorType, result.modalities)
         is EnrolLastState.Success -> {
             Toast.makeText(requireContext(), getString(IDR.string.enrol_last_biometrics_success), Toast.LENGTH_LONG).show()
-            finishWithSubjectId(result.newGuid)
+            finish(result.newGuid, result.externalCredential)
         }
     }
 
@@ -103,7 +126,10 @@ internal class EnrolLastBiometricFragment : Fragment(R.layout.fragment_enrol_las
             }
         }.let { getString(it) }
 
-    private fun finishWithSubjectId(newSubjectId: String?) {
-        findNavController().finishWithResult(this, EnrolLastBiometricResult(newSubjectId))
+    private fun finish(
+        newSubjectId: String?,
+        credential: ExternalCredential?,
+    ) {
+        findNavController().finishWithResult(this, EnrolLastBiometricResult(newSubjectId, credential))
     }
 }
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModel.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModel.kt
index 0216e1849d..0522c2149d 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModel.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModel.kt
@@ -4,20 +4,28 @@ import androidx.lifecycle.LiveData
 import androidx.lifecycle.MutableLiveData
 import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
+import com.simprints.core.domain.tokenization.TokenizableString
 import com.simprints.core.livedata.LiveDataEventWithContent
 import com.simprints.core.livedata.send
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.feature.enrollast.EnrolLastBiometricParams
 import com.simprints.feature.enrollast.EnrolLastBiometricStepResult
 import com.simprints.feature.enrollast.screen.EnrolLastState.ErrorType.GENERAL_ERROR
+import com.simprints.feature.enrollast.screen.model.CredentialDialogItem
 import com.simprints.feature.enrollast.screen.usecase.BuildSubjectUseCase
 import com.simprints.feature.enrollast.screen.usecase.CheckForDuplicateEnrolmentsUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
 import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
 import com.simprints.infra.events.event.domain.models.BiometricReferenceCreationEvent
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
 import com.simprints.infra.events.session.SessionEventRepository
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ENROLMENT
 import com.simprints.infra.logging.Simber
@@ -32,21 +40,37 @@ internal class EnrolLastBiometricViewModel @Inject constructor(
     private val eventRepository: SessionEventRepository,
     private val enrolmentRecordRepository: EnrolmentRecordRepository,
     private val checkForDuplicateEnrolments: CheckForDuplicateEnrolmentsUseCase,
+    private val tokenizationProcessor: TokenizationProcessor,
     private val buildSubject: BuildSubjectUseCase,
 ) : ViewModel() {
     val finish: LiveData<LiveDataEventWithContent<EnrolLastState>>
         get() = _finish
-    private var _finish = MutableLiveData<LiveDataEventWithContent<EnrolLastState>>()
+    private val _finish = MutableLiveData<LiveDataEventWithContent<EnrolLastState>>()
+
+    val showAddCredentialDialog: LiveData<LiveDataEventWithContent<CredentialDialogItem>>
+        get() = _showAddCredentialDialog
+    private val _showAddCredentialDialog = MutableLiveData<LiveDataEventWithContent<CredentialDialogItem>>()
 
     private var enrolWasAttempted = false
 
     fun onViewCreated(params: EnrolLastBiometricParams) {
-        if (!enrolWasAttempted) {
-            enrolBiometric(params)
+        viewModelScope.launch {
+            params.scannedCredential?.let { scannedCredential ->
+                if (isCredentialLinkedToAnotherSubject(scannedCredential, params.projectId)) {
+                    displayAddCredentialDialog(scannedCredential, params.projectId)
+                    return@launch
+                }
+            }
+            if (!enrolWasAttempted) {
+                enrolBiometric(params, isAddingCredential = true)
+            }
         }
     }
 
-    fun enrolBiometric(params: EnrolLastBiometricParams) = viewModelScope.launch {
+    fun enrolBiometric(
+        params: EnrolLastBiometricParams,
+        isAddingCredential: Boolean,
+    ) = viewModelScope.launch {
         enrolWasAttempted = true
 
         val projectConfig = configManager.getProjectConfiguration()
@@ -54,10 +78,11 @@ internal class EnrolLastBiometricViewModel @Inject constructor(
         val modalities = projectConfig.general.modalities
 
         val previousLastEnrolmentResult = getPreviousEnrolmentResult(params.steps)
+        val scannedCredential = params.scannedCredential?.takeIf { isAddingCredential }
         if (previousLastEnrolmentResult != null) {
             _finish.send(
                 previousLastEnrolmentResult.subjectId
-                    ?.let { EnrolLastState.Success(it) }
+                    ?.let { subjectId -> EnrolLastState.Success(subjectId, scannedCredential?.toExternalCredential(subjectId)) }
                     ?: EnrolLastState.Failed(GENERAL_ERROR, modalities),
             )
             return@launch
@@ -69,36 +94,70 @@ internal class EnrolLastBiometricViewModel @Inject constructor(
         }
 
         try {
-            val subject = buildSubject(params)
+            val subject = buildSubject(params, isAddingCredential = isAddingCredential)
             registerEvent(subject)
             enrolmentRecordRepository.performActions(listOf(SubjectAction.Creation(subject)), project)
-            _finish.send(EnrolLastState.Success(subject.subjectId))
+            _finish.send(EnrolLastState.Success(subject.subjectId, scannedCredential?.toExternalCredential(subject.subjectId)))
         } catch (t: Throwable) {
             Simber.e("Enrolment failed", t, tag = ENROLMENT)
             _finish.send(EnrolLastState.Failed(GENERAL_ERROR, modalities))
         }
     }
 
+    private suspend fun displayAddCredentialDialog(
+        scannedCredential: ScannedCredential,
+        projectId: String,
+    ) {
+        val project = configManager.getProject(projectId)
+        val decrypted = tokenizationProcessor.decrypt(
+            encrypted = scannedCredential.credential,
+            tokenKeyType = TokenKeyType.ExternalCredential,
+            project = project,
+        ) as TokenizableString.Raw
+        _showAddCredentialDialog.send(CredentialDialogItem(scannedCredential, decrypted))
+    }
+
+    private suspend fun isCredentialLinkedToAnotherSubject(
+        scannedCredential: ScannedCredential?,
+        projectId: String,
+    ): Boolean {
+        if (scannedCredential == null) return false
+
+        return enrolmentRecordRepository
+            .load(
+                SubjectQuery(
+                    projectId = projectId,
+                    externalCredential = scannedCredential.credential,
+                ),
+            ).isNotEmpty()
+    }
+
     private fun getPreviousEnrolmentResult(steps: List<EnrolLastBiometricStepResult>) =
         steps.filterIsInstance<EnrolLastBiometricStepResult.EnrolLastBiometricsResult>().firstOrNull()
 
     private suspend fun registerEvent(subject: Subject) {
         Simber.d("Register events for enrolments", tag = ENROLMENT)
-
-        val biometricReferenceIds = eventRepository
+        val events = eventRepository
             .getEventsInCurrentSession()
+
+        val biometricReferenceIds = events
             .filterIsInstance<BiometricReferenceCreationEvent>()
             .sortedByDescending { it.payload.createdAt }
             .map { it.payload.id }
 
+        val externalCredentialIds = events
+            .filterIsInstance<ExternalCredentialCaptureValueEvent>()
+            .map { it.payload.id }
+
         eventRepository.addOrUpdateEvent(
             EnrolmentEventV4(
-                timeHelper.now(),
-                subject.subjectId,
-                subject.projectId,
-                subject.moduleId,
-                subject.attendantId,
-                biometricReferenceIds,
+                createdAt = timeHelper.now(),
+                subjectId = subject.subjectId,
+                projectId = subject.projectId,
+                moduleId = subject.moduleId,
+                attendantId = subject.attendantId,
+                biometricReferenceIds = biometricReferenceIds,
+                externalCredentialIds = externalCredentialIds,
             ),
         )
     }
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastState.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastState.kt
index 538baebd41..2f5a2f7d27 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastState.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/EnrolLastState.kt
@@ -1,17 +1,24 @@
 package com.simprints.feature.enrollast.screen
 
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.infra.config.store.models.GeneralConfiguration
 
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 internal sealed class EnrolLastState {
+    @ExcludedFromGeneratedTestCoverageReports("Data class")
     data class Success(
         val newGuid: String,
+        val externalCredential: ExternalCredential?,
     ) : EnrolLastState()
 
+    @ExcludedFromGeneratedTestCoverageReports("Data class")
     data class Failed(
         val errorType: ErrorType,
         val modalities: List<GeneralConfiguration.Modality>,
     ) : EnrolLastState()
 
+    @ExcludedFromGeneratedTestCoverageReports("Data class")
     enum class ErrorType {
         NO_MATCH_RESULTS,
         DUPLICATE_ENROLMENTS,
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/model/CredentialDialogItem.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/model/CredentialDialogItem.kt
new file mode 100644
index 0000000000..afe4cc1011
--- /dev/null
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/model/CredentialDialogItem.kt
@@ -0,0 +1,11 @@
+package com.simprints.feature.enrollast.screen.model
+
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+internal data class CredentialDialogItem(
+    val scannedCredential: ScannedCredential,
+    val displayedCredential: TokenizableString.Raw,
+)
diff --git a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCase.kt b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCase.kt
index 8de9c976e6..6341a5a27d 100644
--- a/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCase.kt
+++ b/feature/enrol-last-biometric/src/main/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCase.kt
@@ -8,6 +8,8 @@ import com.simprints.feature.enrollast.EnrolLastBiometricParams
 import com.simprints.feature.enrollast.EnrolLastBiometricStepResult
 import com.simprints.feature.enrollast.FaceTemplateCaptureResult
 import com.simprints.feature.enrollast.FingerTemplateCaptureResult
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
 import com.simprints.infra.config.store.models.Finger
 import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.eventsync.sync.common.SubjectFactory
@@ -19,19 +21,36 @@ internal class BuildSubjectUseCase @Inject constructor(
     private val timeHelper: TimeHelper,
     private val subjectFactory: SubjectFactory,
 ) {
-    operator fun invoke(params: EnrolLastBiometricParams): Subject = subjectFactory.buildSubject(
-        UUID.randomUUID().toString(),
-        params.projectId,
-        params.userId,
-        params.moduleId,
-        createdAt = Date(timeHelper.now().ms),
-        fingerprintSamples = getFingerprintCaptureResult(params.steps)
-            ?.let { result -> result.results.map { fingerprintSample(result.referenceId, it) } }
-            .orEmpty(),
-        faceSamples = getFaceCaptureResult(params.steps)
-            ?.let { result -> result.results.map { faceSample(result.referenceId, it) } }
-            .orEmpty(),
-    )
+    operator fun invoke(
+        params: EnrolLastBiometricParams,
+        isAddingCredential: Boolean,
+    ): Subject {
+        val subjectId = UUID.randomUUID().toString()
+        val externalCredentials = if (isAddingCredential) {
+            getExternalCredentialResult(params.scannedCredential, subjectId)?.let(::listOf) ?: emptyList()
+        } else {
+            emptyList()
+        }
+        return subjectFactory.buildSubject(
+            subjectId = subjectId,
+            projectId = params.projectId,
+            attendantId = params.userId,
+            moduleId = params.moduleId,
+            createdAt = Date(timeHelper.now().ms),
+            fingerprintSamples = getFingerprintCaptureResult(params.steps)
+                ?.let { result -> result.results.map { fingerprintSample(result.referenceId, it) } }
+                .orEmpty(),
+            faceSamples = getFaceCaptureResult(params.steps)
+                ?.let { result -> result.results.map { faceSample(result.referenceId, it) } }
+                .orEmpty(),
+            externalCredentials = externalCredentials,
+        )
+    }
+
+    private fun getExternalCredentialResult(
+        credential: ScannedCredential?,
+        subjectId: String,
+    ) = credential?.toExternalCredential(subjectId)
 
     private fun getFingerprintCaptureResult(steps: List<EnrolLastBiometricStepResult>) = steps
         .filterIsInstance<EnrolLastBiometricStepResult.FingerprintCaptureResult>()
diff --git a/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModelTest.kt b/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModelTest.kt
index e3421e3011..80f74754c8 100644
--- a/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModelTest.kt
+++ b/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/EnrolLastBiometricViewModelTest.kt
@@ -10,10 +10,15 @@ import com.simprints.feature.enrollast.EnrolLastBiometricParams
 import com.simprints.feature.enrollast.EnrolLastBiometricStepResult
 import com.simprints.feature.enrollast.screen.usecase.BuildSubjectUseCase
 import com.simprints.feature.enrollast.screen.usecase.CheckForDuplicateEnrolmentsUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.config.store.models.Project
 import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
 import com.simprints.infra.enrolment.records.repository.domain.models.Subject
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
 import com.simprints.infra.events.event.domain.models.BiometricReferenceCreationEvent
 import com.simprints.infra.events.event.domain.models.BiometricReferenceCreationEvent.BiometricReferenceCreationPayload
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
@@ -43,6 +48,9 @@ internal class EnrolLastBiometricViewModelTest {
     @MockK
     lateinit var projectConfig: ProjectConfiguration
 
+    @MockK
+    lateinit var project: Project
+
     @MockK
     lateinit var eventRepository: SessionEventRepository
 
@@ -58,6 +66,12 @@ internal class EnrolLastBiometricViewModelTest {
     @MockK
     lateinit var subject: Subject
 
+    @MockK
+    lateinit var scannedCredential: ScannedCredential
+
+    @MockK
+    lateinit var tokenizationProcessor: TokenizationProcessor
+
     private lateinit var viewModel: EnrolLastBiometricViewModel
 
     @Before
@@ -75,12 +89,13 @@ internal class EnrolLastBiometricViewModelTest {
         )
 
         viewModel = EnrolLastBiometricViewModel(
-            timeHelper,
-            configManager,
-            eventRepository,
-            enrolmentRecordRepository,
-            checkForDuplicateEnrolments,
-            buildSubject,
+            timeHelper = timeHelper,
+            configManager = configManager,
+            eventRepository = eventRepository,
+            enrolmentRecordRepository = enrolmentRecordRepository,
+            checkForDuplicateEnrolments = checkForDuplicateEnrolments,
+            tokenizationProcessor = tokenizationProcessor,
+            buildSubject = buildSubject,
         )
     }
 
@@ -112,13 +127,14 @@ internal class EnrolLastBiometricViewModelTest {
                     EnrolLastBiometricStepResult.EnrolLastBiometricsResult("previousSubjectId"),
                 ),
             ),
+            isAddingCredential = false,
         )
 
         val result = viewModel.finish
             .test()
             .value()
             .getContentIfNotHandled()
-        assertThat(result).isEqualTo(EnrolLastState.Success("previousSubjectId"))
+        assertThat(result).isEqualTo(EnrolLastState.Success(newGuid = "previousSubjectId", externalCredential = null))
     }
 
     @Test
@@ -129,6 +145,7 @@ internal class EnrolLastBiometricViewModelTest {
                     EnrolLastBiometricStepResult.EnrolLastBiometricsResult("previousSubjectId"),
                 ),
             ),
+            isAddingCredential = false,
         )
 
         coVerify(exactly = 0) { eventRepository.addOrUpdateEvent(any()) }
@@ -143,6 +160,7 @@ internal class EnrolLastBiometricViewModelTest {
                     EnrolLastBiometricStepResult.EnrolLastBiometricsResult(null),
                 ),
             ),
+            isAddingCredential = false,
         )
 
         val result =
@@ -157,7 +175,7 @@ internal class EnrolLastBiometricViewModelTest {
     fun `returns failure when has duplicate enrolments`() = runTest {
         every { checkForDuplicateEnrolments.invoke(any(), any()) } returns EnrolLastState.ErrorType.DUPLICATE_ENROLMENTS
 
-        viewModel.enrolBiometric(createParams(listOf()))
+        viewModel.enrolBiometric(createParams(listOf()), isAddingCredential = false)
 
         val result =
             viewModel.finish
@@ -171,9 +189,9 @@ internal class EnrolLastBiometricViewModelTest {
     @Test
     fun `returns success when no duplicate enrolments`() = runTest {
         every { checkForDuplicateEnrolments.invoke(any(), any()) } returns null
-        coEvery { buildSubject.invoke(any()) } returns subject
+        coEvery { buildSubject.invoke(any(), any()) } returns subject
 
-        viewModel.enrolBiometric(createParams(listOf()))
+        viewModel.enrolBiometric(createParams(listOf()), isAddingCredential = false)
 
         val result = viewModel.finish
             .test()
@@ -185,9 +203,9 @@ internal class EnrolLastBiometricViewModelTest {
     @Test
     fun `saves event and record when no duplicate enrolments`() = runTest {
         every { checkForDuplicateEnrolments.invoke(any(), any()) } returns null
-        coEvery { buildSubject.invoke(any()) } returns subject
+        coEvery { buildSubject.invoke(any(), any()) } returns subject
 
-        viewModel.enrolBiometric(createParams(listOf()))
+        viewModel.enrolBiometric(createParams(listOf()), isAddingCredential = false)
 
         coVerify { eventRepository.addOrUpdateEvent(any()) }
         coVerify { enrolmentRecordRepository.performActions(any(), any()) }
@@ -196,10 +214,10 @@ internal class EnrolLastBiometricViewModelTest {
     @Test
     fun `returns failure record saving fails`() = runTest {
         every { checkForDuplicateEnrolments.invoke(any(), any()) } returns null
-        coEvery { buildSubject.invoke(any()) } returns subject
+        coEvery { buildSubject.invoke(any(), any()) } returns subject
         coEvery { enrolmentRecordRepository.performActions(any(), any()) } throws Exception()
 
-        viewModel.enrolBiometric(createParams(listOf()))
+        viewModel.enrolBiometric(createParams(listOf()), isAddingCredential = false)
 
         val result =
             viewModel.finish
@@ -232,7 +250,7 @@ internal class EnrolLastBiometricViewModelTest {
             biometricReferenceCreationEvent1,
         )
 
-        viewModel.enrolBiometric(createParams(listOf()))
+        viewModel.enrolBiometric(createParams(listOf()), isAddingCredential = false)
 
         coVerify {
             eventRepository.addOrUpdateEvent(
@@ -245,11 +263,39 @@ internal class EnrolLastBiometricViewModelTest {
         }
     }
 
+    @Test
+    fun `shows add credential dialog when scanned credential is linked to another subject`() = runTest {
+        val decryptedCredential = "decryptedCredential".asTokenizableRaw()
+        coEvery { enrolmentRecordRepository.load(any()) } returns listOf(subject)
+        coEvery { configManager.getProject(PROJECT_ID) } returns project
+        coEvery {
+            tokenizationProcessor.decrypt(
+                encrypted = scannedCredential.credential,
+                tokenKeyType = TokenKeyType.ExternalCredential,
+                project = project,
+            )
+        } returns decryptedCredential
+
+        viewModel.onViewCreated(createParams(listOf()))
+
+        val result = viewModel.showAddCredentialDialog
+            .test()
+            .value()
+            .getContentIfNotHandled()
+
+        assertThat(result).isNotNull()
+        assertThat(result?.scannedCredential).isEqualTo(scannedCredential)
+        assertThat(result?.displayedCredential).isEqualTo(decryptedCredential)
+        coVerify(exactly = 0) { buildSubject.invoke(any(), any()) }
+        coVerify(exactly = 0) { enrolmentRecordRepository.performActions(any(), any()) }
+    }
+
     private fun createParams(steps: List<EnrolLastBiometricStepResult>) = EnrolLastBiometricParams(
         projectId = PROJECT_ID,
         userId = USER_ID,
         moduleId = MODULE_ID,
         steps = steps,
+        scannedCredential = scannedCredential,
     )
 
     companion object {
diff --git a/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCaseTest.kt b/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCaseTest.kt
index 2145e1a2c0..89f970bc80 100644
--- a/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCaseTest.kt
+++ b/feature/enrol-last-biometric/src/test/java/com/simprints/feature/enrollast/screen/usecase/BuildSubjectUseCaseTest.kt
@@ -1,7 +1,10 @@
 package com.simprints.feature.enrollast.screen.usecase
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
+import com.simprints.core.domain.tokenization.TokenizableString
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.core.tools.time.Timestamp
@@ -9,6 +12,8 @@ import com.simprints.feature.enrollast.EnrolLastBiometricParams
 import com.simprints.feature.enrollast.EnrolLastBiometricStepResult
 import com.simprints.feature.enrollast.FaceTemplateCaptureResult
 import com.simprints.feature.enrollast.FingerTemplateCaptureResult
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
 import com.simprints.infra.config.store.models.Finger
 import com.simprints.infra.eventsync.sync.common.SubjectFactory
 import com.simprints.testtools.unit.EncodingUtilsImplForTests
@@ -23,6 +28,9 @@ class BuildSubjectUseCaseTest {
     @MockK
     private lateinit var timeHelper: TimeHelper
 
+    @MockK
+    private lateinit var scannedCredential: ScannedCredential
+
     private lateinit var useCase: BuildSubjectUseCase
 
     private lateinit var subjectFactory: SubjectFactory
@@ -40,7 +48,7 @@ class BuildSubjectUseCaseTest {
 
     @Test
     fun `has no samples if no steps provided`() {
-        val result = useCase(createParams(emptyList()))
+        val result = useCase(createParams(steps = emptyList(), scannedCredential = scannedCredential), isAddingCredential = false)
 
         assertThat(result.fingerprintSamples).isEmpty()
         assertThat(result.faceSamples).isEmpty()
@@ -50,12 +58,14 @@ class BuildSubjectUseCaseTest {
     fun `has no samples if no valid steps provided`() {
         val result = useCase(
             createParams(
-                listOf(
+                steps = listOf(
                     EnrolLastBiometricStepResult.EnrolLastBiometricsResult(null),
                     EnrolLastBiometricStepResult.FingerprintMatchResult(emptyList(), mockk()),
                     EnrolLastBiometricStepResult.FaceMatchResult(emptyList(), mockk()),
                 ),
+                scannedCredential = scannedCredential,
             ),
+            isAddingCredential = false,
         )
 
         assertThat(result.fingerprintSamples).isEmpty()
@@ -66,7 +76,7 @@ class BuildSubjectUseCaseTest {
     fun `maps first available fingerprint capture step results`() {
         val result = useCase(
             createParams(
-                listOf(
+                steps = listOf(
                     EnrolLastBiometricStepResult.FingerprintMatchResult(emptyList(), mockk()),
                     EnrolLastBiometricStepResult.FingerprintCaptureResult(
                         REFERENCE_ID,
@@ -77,7 +87,9 @@ class BuildSubjectUseCaseTest {
                         listOf(mockFingerprintResults(Finger.LEFT_THUMB)),
                     ),
                 ),
+                scannedCredential = scannedCredential,
             ),
+            isAddingCredential = false,
         )
 
         assertThat(result.fingerprintSamples).isNotEmpty()
@@ -89,7 +101,7 @@ class BuildSubjectUseCaseTest {
         val result = useCase(
             createParams(
                 listOf(
-                    EnrolLastBiometricStepResult.FingerprintCaptureResult(
+                    element = EnrolLastBiometricStepResult.FingerprintCaptureResult(
                         REFERENCE_ID,
                         listOf(
                             mockFingerprintResults(Finger.RIGHT_5TH_FINGER),
@@ -105,7 +117,9 @@ class BuildSubjectUseCaseTest {
                         ),
                     ),
                 ),
+                scannedCredential,
             ),
+            isAddingCredential = false,
         )
 
         assertThat(result.fingerprintSamples).isNotEmpty()
@@ -115,24 +129,60 @@ class BuildSubjectUseCaseTest {
     @Test
     fun `maps first available face capture step results`() {
         val result = useCase(
-            createParams(
+            params = createParams(
                 listOf(
                     EnrolLastBiometricStepResult.FaceMatchResult(emptyList(), mockk()),
                     EnrolLastBiometricStepResult.FaceCaptureResult(REFERENCE_ID, mockFaceResultsList("first")),
                     EnrolLastBiometricStepResult.FaceCaptureResult(REFERENCE_ID, mockFaceResultsList("second")),
                 ),
+                scannedCredential = scannedCredential,
             ),
+            isAddingCredential = false,
         )
 
         assertThat(result.faceSamples).isNotEmpty()
         assertThat(result.faceSamples.first().format).isEqualTo("first")
     }
 
-    private fun createParams(steps: List<EnrolLastBiometricStepResult>) = EnrolLastBiometricParams(
+    @Test
+    fun `includes external credential when isAddingCredential is true and scannedCredential is not null`() {
+        val mockTokenized = mockk<TokenizableString.Tokenized>()
+        val mockCredentialType = mockk<ExternalCredentialType>()
+
+        val scannedCredential = ScannedCredential(
+            credential = mockTokenized,
+            credentialType = mockCredentialType,
+            documentImagePath = null,
+            zoomedCredentialImagePath = null,
+            credentialBoundingBox = null,
+            scanStartTime = Timestamp(1L),
+            scanEndTime = Timestamp(1L),
+            scannedValue = TokenizableString.Raw("test"),
+        )
+
+        val result = useCase(createParams(steps = emptyList(), scannedCredential = scannedCredential), isAddingCredential = true)
+
+        assertThat(result.externalCredentials).hasSize(1)
+        assertThat(result.externalCredentials.first().value).isEqualTo(mockTokenized)
+        assertThat(result.externalCredentials.first().type).isEqualTo(mockCredentialType)
+    }
+
+    @Test
+    fun `has no external credentials when isAddingCredential is true but scannedCredential is null`() {
+        val result = useCase(createParams(steps = emptyList(), scannedCredential = null), isAddingCredential = true)
+
+        assertThat(result.externalCredentials).isEmpty()
+    }
+
+    private fun createParams(
+        steps: List<EnrolLastBiometricStepResult>,
+        scannedCredential: ScannedCredential?,
+    ) = EnrolLastBiometricParams(
         projectId = PROJECT_ID,
         userId = USER_ID,
         moduleId = MODULE_ID,
         steps = steps,
+        scannedCredential = scannedCredential,
     )
 
     private fun mockFingerprintResults(finger: Finger) = FingerTemplateCaptureResult(finger, byteArrayOf(), 1, "ISO_19794_2")
diff --git a/feature/external-credential/.gitignore b/feature/external-credential/.gitignore
new file mode 100644
index 0000000000..796b96d1c4
--- /dev/null
+++ b/feature/external-credential/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/feature/external-credential/build.gradle.kts b/feature/external-credential/build.gradle.kts
new file mode 100644
index 0000000000..411b4dc0e1
--- /dev/null
+++ b/feature/external-credential/build.gradle.kts
@@ -0,0 +1,22 @@
+plugins {
+    id("simprints.feature")
+    id("kotlin-parcelize")
+}
+
+android {
+    namespace = "com.simprints.feature.externalcredential"
+}
+
+dependencies {
+    implementation(project(":infra:config-store"))
+    implementation(project(":infra:config-sync"))
+    implementation(project(":infra:ui-base"))
+    implementation(project(":feature:exit-form"))
+    implementation(project(":infra:enrolment-records:repository"))
+    implementation(project(":infra:auth-store"))
+    implementation(project(":infra:matching"))
+    implementation(project(":infra:events"))
+    implementation(project(":infra:credential-store"))
+    implementation(libs.androidX.cameraX.view)
+    implementation(libs.mlkit.text.recognition)
+}
diff --git a/feature/external-credential/src/main/AndroidManifest.xml b/feature/external-credential/src/main/AndroidManifest.xml
new file mode 100644
index 0000000000..e100076157
--- /dev/null
+++ b/feature/external-credential/src/main/AndroidManifest.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest>
+
+</manifest>
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialContract.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialContract.kt
new file mode 100644
index 0000000000..2aeb320d87
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialContract.kt
@@ -0,0 +1,28 @@
+package com.simprints.feature.externalcredential
+
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.common.FlowType
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.infra.config.store.models.AgeGroup
+import com.simprints.infra.matching.MatchParams
+
+@ExcludedFromGeneratedTestCoverageReports("Navigation class")
+object ExternalCredentialContract {
+    val DESTINATION = R.id.externalCredentialControllerFragment
+
+    fun getParams(
+        subjectId: String?,
+        flowType: FlowType,
+        ageGroup: AgeGroup?,
+        probeReferenceId: String? = null,
+        faceSamples: List<MatchParams.FaceSample> = emptyList(),
+        fingerprintSamples: List<MatchParams.FingerprintSample> = emptyList(),
+    ) = ExternalCredentialParams(
+        subjectId = subjectId,
+        flowType = flowType,
+        ageGroup = ageGroup,
+        probeReferenceId = probeReferenceId,
+        faceSamples = faceSamples,
+        fingerprintSamples = fingerprintSamples,
+    )
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialSearchResult.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialSearchResult.kt
new file mode 100644
index 0000000000..d2584c3ed4
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ExternalCredentialSearchResult.kt
@@ -0,0 +1,26 @@
+package com.simprints.feature.externalcredential
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.step.StepResult
+import com.simprints.feature.externalcredential.model.CredentialMatch
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+
+/**
+ * Results of the external credential 1:L match (where L is '1' or really close to 1).
+ *
+ * @param flowType flow type. Either [FlowType.ENROL] or [FlowType.IDENTIFY]
+ * @param scannedCredential information about the credential that was scanned
+ * @param matchResults if [scannedCredential] exists in local database, this field contains match results between the biometric probe taken
+ * during the flow, and probes linked to the [scannedCredential]
+ */
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
+data class ExternalCredentialSearchResult(
+    val flowType: FlowType,
+    val scannedCredential: ScannedCredential?,
+    val matchResults: List<CredentialMatch>,
+) : StepResult {
+    val goodMatches = matchResults.filter(CredentialMatch::isVerificationSuccessful)
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ext/ResourceExt.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ext/ResourceExt.kt
new file mode 100644
index 0000000000..91e30bc556
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/ext/ResourceExt.kt
@@ -0,0 +1,36 @@
+package com.simprints.feature.externalcredential.ext
+
+import android.content.res.Resources
+import androidx.annotation.PluralsRes
+import androidx.annotation.StringRes
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.infra.resources.R as IDR
+
+fun Resources.getQuantityCredentialString(
+    @StringRes id: Int,
+    @StringRes specificCredentialRes: Int,
+    @StringRes multipleCredentialsRes: Int,
+    credentialTypes: List<ExternalCredentialType>,
+): String {
+    val documentTypeRes = if (credentialTypes.size == 1) {
+        specificCredentialRes
+    } else {
+        multipleCredentialsRes
+    }
+    return getString(id, documentTypeRes)
+}
+
+fun Resources.getCredentialFieldTitle(type: ExternalCredentialType): String = when (type) {
+    ExternalCredentialType.NHISCard -> IDR.string.mfid_nhis_card_credential_field
+    ExternalCredentialType.GhanaIdCard -> IDR.string.mfid_ghana_id_credential_field
+    ExternalCredentialType.QRCode -> IDR.string.mfid_qr_credential_field
+}.run(::getString)
+
+fun Resources.getCredentialTypeString(type: ExternalCredentialType?): String = getCredentialTypeRes(type).run(::getString)
+
+fun Resources.getCredentialTypeRes(type: ExternalCredentialType?): Int = when (type) {
+    ExternalCredentialType.NHISCard -> IDR.string.mfid_type_nhis_card
+    ExternalCredentialType.GhanaIdCard -> IDR.string.mfid_type_ghana_id_card
+    ExternalCredentialType.QRCode -> IDR.string.mfid_type_qr_code
+    null -> IDR.string.mfid_type_any_document
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/BoundingBox.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/BoundingBox.kt
new file mode 100644
index 0000000000..d0d622dba3
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/BoundingBox.kt
@@ -0,0 +1,21 @@
+package com.simprints.feature.externalcredential.model
+
+import android.graphics.Rect
+import androidx.annotation.Keep
+import java.io.Serializable
+
+/**
+ * A serializable substitute for Android's Rect class, which is not serializable.
+ * Used for passing rectangular bounds as navigation arguments or in any other scenarios where serialization is required
+ */
+@Keep
+data class BoundingBox(
+    val left: Int,
+    val top: Int,
+    val right: Int,
+    val bottom: Int,
+) : Serializable
+
+fun Rect.toBoundingBox(): BoundingBox = BoundingBox(left, top, right, bottom)
+
+fun BoundingBox.toRect(): Rect = Rect(left, top, right, bottom)
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/CredentialMatch.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/CredentialMatch.kt
new file mode 100644
index 0000000000..a628729173
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/CredentialMatch.kt
@@ -0,0 +1,20 @@
+package com.simprints.feature.externalcredential.model
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.infra.config.store.models.FaceConfiguration
+import com.simprints.infra.config.store.models.FingerprintConfiguration
+import com.simprints.infra.matching.MatchResultItem
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
+data class CredentialMatch(
+    val credential: TokenizableString.Tokenized,
+    val matchResult: MatchResultItem,
+    val verificationThreshold: Float,
+    val faceBioSdk: FaceConfiguration.BioSdk?,
+    val fingerprintBioSdk: FingerprintConfiguration.BioSdk?,
+) {
+    val isVerificationSuccessful = matchResult.confidence >= verificationThreshold
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/ExternalCredentialParams.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/ExternalCredentialParams.kt
new file mode 100644
index 0000000000..54060a72c9
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/model/ExternalCredentialParams.kt
@@ -0,0 +1,19 @@
+package com.simprints.feature.externalcredential.model
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.step.StepParams
+import com.simprints.infra.config.store.models.AgeGroup
+import com.simprints.infra.matching.MatchParams
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
+data class ExternalCredentialParams(
+    val subjectId: String?,
+    val flowType: FlowType,
+    val ageGroup: AgeGroup?,
+    val probeReferenceId: String?,
+    val faceSamples: List<MatchParams.FaceSample>,
+    val fingerprintSamples: List<MatchParams.FingerprintSample>,
+) : StepParams
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialControllerFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialControllerFragment.kt
new file mode 100644
index 0000000000..9c6f7dda13
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialControllerFragment.kt
@@ -0,0 +1,91 @@
+package com.simprints.feature.externalcredential.screens.controller
+
+import android.os.Bundle
+import android.view.View
+import androidx.activity.addCallback
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.navigation.NavController
+import androidx.navigation.fragment.findNavController
+import com.simprints.core.livedata.LiveDataEventWithContentObserver
+import com.simprints.feature.exitform.ExitFormContract
+import com.simprints.feature.exitform.ExitFormResult
+import com.simprints.feature.externalcredential.GraphExternalCredentialInternalDirections
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.infra.uibase.navigation.finishWithResult
+import com.simprints.infra.uibase.navigation.handleResult
+import com.simprints.infra.uibase.navigation.navigateSafely
+import com.simprints.infra.uibase.navigation.navigationParams
+import dagger.hilt.android.AndroidEntryPoint
+
+@AndroidEntryPoint
+internal class ExternalCredentialControllerFragment : Fragment(R.layout.fragment_external_credential_controller) {
+    private val params: ExternalCredentialParams by navigationParams()
+    private val viewModel: ExternalCredentialViewModel by activityViewModels()
+
+    private val hostFragment: Fragment?
+        get() = childFragmentManager.findFragmentById(R.id.external_credential_host_fragment)
+
+    private val internalNavController: NavController?
+        get() = hostFragment?.findNavController()
+
+    private val currentlyDisplayedInternalFragment: Fragment?
+        get() = hostFragment?.childFragmentManager?.fragments?.first()
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+
+        viewModel.init(params)
+
+        findNavController().handleResult<ExitFormResult>(
+            this,
+            R.id.externalCredentialControllerFragment,
+            ExitFormContract.DESTINATION,
+        ) {
+            val option = it.submittedOption()
+            if (option != null) {
+                findNavController().finishWithResult(this, it)
+            } else {
+                internalNavController?.navigateSafely(
+                    currentlyDisplayedInternalFragment,
+                    GraphExternalCredentialInternalDirections.actionGlobalExternalCredentialSelect(),
+                )
+            }
+        }
+        internalNavController?.setGraph(R.navigation.graph_external_credential_internal)
+
+        initObservers()
+        initListeners()
+    }
+
+    private fun initObservers() {
+        viewModel.stateLiveData.observe(viewLifecycleOwner) {
+        }
+        viewModel.finishEvent.observe(
+            viewLifecycleOwner,
+            LiveDataEventWithContentObserver { result ->
+                findNavController().finishWithResult(this, result)
+            },
+        )
+    }
+
+    private fun initListeners() {
+        requireActivity().onBackPressedDispatcher.addCallback(viewLifecycleOwner) {
+            when (internalNavController?.currentDestination?.id) {
+                R.id.externalCredentialSelectFragment, R.id.externalCredentialSearch -> {
+                    // Exit form navigation
+                    findNavController().navigateSafely(
+                        this@ExternalCredentialControllerFragment,
+                        R.id.action_global_refusalFragment,
+                    )
+                }
+
+                else -> internalNavController?.popBackStack()
+            }
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialState.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialState.kt
new file mode 100644
index 0000000000..324ed60dcd
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialState.kt
@@ -0,0 +1,20 @@
+package com.simprints.feature.externalcredential.screens.controller
+
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+
+internal data class ExternalCredentialState(
+    val subjectId: String?,
+    val flowType: FlowType,
+    val credentialValue: String?,
+    val selectedType: ExternalCredentialType?,
+) {
+    companion object {
+        val EMPTY = ExternalCredentialState(
+            subjectId = null,
+            flowType = FlowType.VERIFY,
+            credentialValue = null,
+            selectedType = null,
+        )
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModel.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModel.kt
new file mode 100644
index 0000000000..d9f7ed06db
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModel.kt
@@ -0,0 +1,115 @@
+package com.simprints.feature.externalcredential.screens.controller
+
+import androidx.lifecycle.LiveData
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.livedata.LiveDataEventWithContent
+import com.simprints.core.livedata.send
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.feature.externalcredential.usecase.ExternalCredentialEventTrackerUseCase
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import dagger.hilt.android.lifecycle.HiltViewModel
+import kotlinx.coroutines.launch
+import javax.inject.Inject
+
+@HiltViewModel
+internal class ExternalCredentialViewModel @Inject internal constructor(
+    private val timeHelper: TimeHelper,
+    private val configManager: ConfigManager,
+    private val eventsTracker: ExternalCredentialEventTrackerUseCase,
+) : ViewModel() {
+    private var isInitialized = false
+    lateinit var params: ExternalCredentialParams
+        private set
+    val finishEvent: LiveData<LiveDataEventWithContent<ExternalCredentialSearchResult>>
+        get() = _finishEvent
+    private val _finishEvent = MutableLiveData<LiveDataEventWithContent<ExternalCredentialSearchResult>>()
+    private var state: ExternalCredentialState = ExternalCredentialState.EMPTY
+        set(value) {
+            field = value
+            _stateLiveData.postValue(value)
+        }
+    private val _stateLiveData = MutableLiveData(ExternalCredentialState.EMPTY)
+    val stateLiveData: LiveData<ExternalCredentialState> = _stateLiveData
+
+    val externalCredentialTypes: LiveData<List<ExternalCredentialType>>
+        get() = _externalCredentialTypes
+    private val _externalCredentialTypes = MutableLiveData<List<ExternalCredentialType>>()
+
+    private lateinit var selectionStartTime: Timestamp
+    private lateinit var selectionEventId: String
+    private lateinit var captureStartTime: Timestamp
+    private var selectedSkipReason: ExternalCredentialSelectionEvent.SkipReason? = null
+    private var selectedSkipOtherText: String? = null
+
+    init {
+        viewModelScope.launch {
+            val config = configManager.getProjectConfiguration()
+            val allowedExternalCredentials = config.multifactorId?.allowedExternalCredentials.orEmpty()
+            _externalCredentialTypes.postValue(allowedExternalCredentials)
+        }
+    }
+
+    fun selectionStarted() {
+        selectionStartTime = timeHelper.now()
+    }
+
+    fun skipOptionSelected(skipOption: ExternalCredentialSelectionEvent.SkipReason) {
+        selectedSkipReason = skipOption
+    }
+
+    fun skipOtherReasonChanged(otherText: String?) {
+        selectedSkipOtherText = otherText?.ifBlank { null }
+    }
+
+    private fun updateState(state: (ExternalCredentialState) -> ExternalCredentialState) {
+        this.state = state(this.state)
+    }
+
+    fun setSelectedExternalCredentialType(selectedType: ExternalCredentialType?) {
+        viewModelScope.launch {
+            if (selectedType != null) {
+                val selectionEndTime = timeHelper.now()
+                selectionEventId = eventsTracker.saveSelectionEvent(selectionStartTime, selectionEndTime, selectedType)
+                captureStartTime = timeHelper.now()
+            }
+            updateState { it.copy(selectedType = selectedType) }
+        }
+    }
+
+    fun setExternalCredentialValue(value: String) {
+        updateState { it.copy(credentialValue = value) }
+    }
+
+    fun init(params: ExternalCredentialParams) {
+        if (!isInitialized) {
+            isInitialized = true
+            this.params = params
+            updateState { ExternalCredentialState.EMPTY.copy(subjectId = params.subjectId, flowType = params.flowType) }
+        }
+    }
+
+    fun finish(result: ExternalCredentialSearchResult) {
+        viewModelScope.launch {
+            if (result.scannedCredential == null) {
+                selectedSkipReason?.let { reason ->
+                    eventsTracker.saveSkippedEvent(selectionStartTime, reason, selectedSkipOtherText)
+                }
+            } else {
+                eventsTracker.saveCaptureEvents(
+                    captureStartTime,
+                    params.subjectId.orEmpty(),
+                    result.scannedCredential,
+                    selectionEventId,
+                )
+            }
+            _finishEvent.send(result)
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrFragment.kt
new file mode 100644
index 0000000000..33957a011c
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrFragment.kt
@@ -0,0 +1,336 @@
+package com.simprints.feature.externalcredential.screens.scanocr
+
+import android.Manifest.permission.CAMERA
+import android.content.Intent
+import android.os.Bundle
+import android.provider.Settings
+import android.view.View
+import android.view.ViewPropertyAnimator
+import androidx.activity.result.contract.ActivityResultContracts
+import androidx.camera.core.ImageAnalysis
+import androidx.camera.lifecycle.ProcessCameraProvider
+import androidx.core.content.ContextCompat
+import androidx.core.net.toUri
+import androidx.core.view.isInvisible
+import androidx.core.view.isVisible
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.fragment.app.viewModels
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.ViewModelProvider
+import androidx.lifecycle.lifecycleScope
+import androidx.navigation.fragment.findNavController
+import androidx.navigation.fragment.navArgs
+import com.simprints.core.DispatcherBG
+import com.simprints.core.domain.permission.PermissionStatus
+import com.simprints.core.livedata.LiveDataEventWithContentObserver
+import com.simprints.core.tools.extentions.getCurrentPermissionStatus
+import com.simprints.core.tools.extentions.permissionFromResult
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.FragmentExternalCredentialScanOcrBinding
+import com.simprints.feature.externalcredential.screens.controller.ExternalCredentialViewModel
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.BuildOcrCropConfigUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.ProvideCameraListenerUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.navigation.navigateSafely
+import com.simprints.infra.uibase.view.applySystemBarInsets
+import com.simprints.infra.uibase.view.fadeIn
+import com.simprints.infra.uibase.view.fadeOut
+import com.simprints.infra.uibase.viewbinding.viewBinding
+import dagger.hilt.android.AndroidEntryPoint
+import kotlinx.coroutines.CoroutineDispatcher
+import kotlinx.coroutines.launch
+import java.util.concurrent.ExecutorService
+import java.util.concurrent.Executors
+import javax.inject.Inject
+import com.simprints.infra.resources.R as IDR
+
+@AndroidEntryPoint
+internal class ExternalCredentialScanOcrFragment : Fragment(R.layout.fragment_external_credential_scan_ocr) {
+    private val args: ExternalCredentialScanOcrFragmentArgs by navArgs()
+    private val binding by viewBinding(FragmentExternalCredentialScanOcrBinding::bind)
+    private val mainViewModel: ExternalCredentialViewModel by activityViewModels()
+    private val viewModel by viewModels<ExternalCredentialScanOcrViewModel> {
+        object : ViewModelProvider.Factory {
+            override fun <T : ViewModel> create(modelClass: Class<T>): T {
+                @Suppress("UNCHECKED_CAST")
+                return viewModelFactory.create(args.ocrDocumentType) as T
+            }
+        }
+    }
+
+    private val launchPermissionRequest = registerForActivityResult(
+        ActivityResultContracts.RequestPermission(),
+    ) { granted ->
+        val cameraPermissionStatus = requireActivity().permissionFromResult(CAMERA, granted)
+        previousPermissionStatus = cameraPermissionStatus
+        if (cameraPermissionStatus == PermissionStatus.Granted) {
+            initializeFragment()
+        } else {
+            val shouldOpenPhoneSettings = cameraPermissionStatus == PermissionStatus.DeniedNeverAskAgain
+            renderNoPermission(shouldOpenPhoneSettings)
+        }
+    }
+    private var previousPermissionStatus: PermissionStatus? = null
+    private lateinit var cameraExecutor: ExecutorService
+    private lateinit var imageAnalysis: ImageAnalysis
+    private var progressAnimator: ViewPropertyAnimator? = null
+    private var checkAnimator: ViewPropertyAnimator? = null
+    private var isAnimatingCompletion: Boolean = false
+    private var pendingFinishAction: (() -> Unit)? = null
+
+    @Inject
+    lateinit var viewModelFactory: ExternalCredentialScanOcrViewModel.Factory
+
+    @Inject
+    lateinit var buildOcrCropConfigUseCase: BuildOcrCropConfigUseCase
+
+    @Inject
+    lateinit var provideCameraListenerUseCase: ProvideCameraListenerUseCase
+
+    @Inject
+    @DispatcherBG
+    lateinit var bgDispatcher: CoroutineDispatcher
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+        applySystemBarInsets(view)
+        Simber.i("ExternalCredentialScanOcrFragment started", tag = MULTI_FACTOR_ID)
+        initObservers()
+    }
+
+    override fun onResume() {
+        super.onResume()
+        val currentPermission = requireActivity().getCurrentPermissionStatus(CAMERA)
+        when (currentPermission) {
+            PermissionStatus.Granted -> initializeFragment()
+            PermissionStatus.Denied -> {
+                // Permission dialog was already displayed, and user denied permissions. Showing rationale so to avoid constantly-appearing
+                // system dialog.
+                if (previousPermissionStatus == currentPermission) {
+                    renderNoPermission(shouldOpenPhoneSettings = false)
+                } else {
+                    launchPermissionRequest.launch(CAMERA)
+                }
+            }
+
+            PermissionStatus.DeniedNeverAskAgain -> {
+                // Requesting system dialog just in case. Some devices faulty report 'DeniedNeverAskAgain' status when it is actually 'Denied'
+                launchPermissionRequest.launch(CAMERA)
+                renderNoPermission(shouldOpenPhoneSettings = true)
+            }
+        }
+    }
+
+    override fun onDestroy() {
+        stopOcr()
+        stopCamera()
+        clearAnimations()
+        super.onDestroy()
+    }
+
+    private fun clearAnimations() {
+        pendingFinishAction = null
+        isAnimatingCompletion = false
+        checkAnimator?.cancel()
+        progressAnimator?.cancel()
+    }
+
+    private fun initializeFragment() {
+        renderInitialState()
+        initCamera(onComplete = {
+            if (viewModel.isOcrActive) {
+                startOcr()
+            }
+        })
+    }
+
+    private fun initObservers() {
+        viewModel.stateLiveData.observe(viewLifecycleOwner) { state ->
+            when (state) {
+                is ScanOcrState.ScanningInProgress -> {
+                    renderProgress(state)
+                    if (state.successfulCaptures >= state.scansRequired) {
+                        stopOcr()
+                        viewModel.processOcrResultsAndFinish()
+                    }
+                }
+
+                ScanOcrState.NotScanning -> renderInitialState()
+                ScanOcrState.Complete -> animateCompletionState()
+            }
+        }
+
+        viewModel.finishOcrEvent.observe(
+            viewLifecycleOwner,
+            LiveDataEventWithContentObserver { scannedCredential ->
+                scheduleFinish(scannedCredential)
+            },
+        )
+    }
+
+    private fun initCamera(onComplete: () -> Unit) {
+        if (::cameraExecutor.isInitialized) {
+            return
+        }
+
+        cameraExecutor = Executors.newSingleThreadExecutor()
+        val cameraProviderFuture = ProcessCameraProvider.getInstance(requireContext())
+        val cameraListener = provideCameraListenerUseCase(
+            cameraProviderFuture = cameraProviderFuture,
+            surfaceProvider = binding.preview.surfaceProvider,
+            viewLifecycleOwner = viewLifecycleOwner,
+            onImageAnalysisReady = {
+                imageAnalysis = it
+                onComplete()
+            },
+        )
+        cameraProviderFuture.addListener(cameraListener, ContextCompat.getMainExecutor(requireContext()))
+    }
+
+    private fun renderProgress(state: ScanOcrState.ScanningInProgress) = with(binding) {
+        val progressPercentage = (state.successfulCaptures * 100 / state.scansRequired).coerceAtMost(100)
+        buttonScan.isVisible = false
+        progressContainer.isVisible = true
+        progressBar.isVisible = true
+        iconScanComplete.alpha = 0f
+        progressBar.setProgressCompat(progressPercentage, true)
+        instructionsText.setTextColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_text_black))
+        viewfinderMask.setMaskColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_white))
+        viewfinderMask.alpha = VIEW_FINDER_ALPHA_SCAN_ACTIVE
+    }
+
+    private fun renderInitialState() = with(binding) {
+        val documentTypeText = viewModel.getDocumentTypeRes().run(::getString)
+        permissionRequestView.isVisible = false
+        instructionsText.isVisible = true
+        instructionsText.text = getString(IDR.string.mfid_scan_instructions, documentTypeText)
+        instructionsText.setTextColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_text_white))
+        documentScannerArea.isVisible = true
+        progressContainer.isVisible = false
+        buttonScan.isVisible = true
+        buttonScan.setOnClickListener {
+            viewModel.ocrStarted()
+            startOcr()
+        }
+        viewfinderMask.setMaskColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_black))
+        viewfinderMask.alpha = VIEW_FINDER_ALPHA_INITIAL
+    }
+
+    private fun animateCompletionState() = with(binding) {
+        isAnimatingCompletion = true
+        progressBar.fadeOut(FINISH_ANIMATION_DURATION, scaleX = true, fragment = this@ExternalCredentialScanOcrFragment)
+        scanInstructions.fadeOut(FINISH_ANIMATION_DURATION, scaleX = false, fragment = this@ExternalCredentialScanOcrFragment)
+        iconScanComplete.fadeIn(FINISH_ANIMATION_DURATION, fragment = this@ExternalCredentialScanOcrFragment, onComplete = {
+            isAnimatingCompletion = false
+            // Execute any pending action after the animation. Currently used is for next fragment navigation
+            pendingFinishAction?.invoke()
+            pendingFinishAction = null
+        })
+    }
+
+    private fun renderNoPermission(shouldOpenPhoneSettings: Boolean) {
+        with(binding) {
+            instructionsText.isVisible = false
+            progressContainer.isVisible = false
+            documentScannerArea.isInvisible = true
+            buttonScan.isVisible = false
+            val documentTypeText = viewModel.getDocumentTypeRes().run(::getString)
+            val bodyText = getString(IDR.string.mfid_scan_camera_permission_body, documentTypeText)
+            if (shouldOpenPhoneSettings) {
+                permissionRequestView.init(
+                    title = IDR.string.face_capture_permission_denied,
+                    body = bodyText,
+                    buttonText = IDR.string.fingerprint_connect_phone_settings_button,
+                    onClickListener = {
+                        requireActivity().startActivity(
+                            Intent(
+                                Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
+                                "package:${requireActivity().packageName}".toUri(),
+                            ),
+                        )
+                    },
+                )
+            } else {
+                permissionRequestView.init(
+                    title = IDR.string.face_capture_permission_denied,
+                    body = bodyText,
+                    buttonText = IDR.string.face_capture_permission_action,
+                    onClickListener = {
+                        launchPermissionRequest.launch(CAMERA)
+                    },
+                )
+            }
+            permissionRequestView.isVisible = true
+        }
+    }
+
+    private fun startOcr() {
+        imageAnalysis.setAnalyzer(cameraExecutor) { imageProxy ->
+            if (viewModel.isRunningOcrOnFrame) {
+                imageProxy.close()
+                return@setAnalyzer
+            }
+            viewModel.ocrOnFrameStarted()
+            lifecycleScope.launch(bgDispatcher) {
+                try {
+                    val (bitmap, imageInfo) = imageProxy.toBitmap() to imageProxy.imageInfo
+                    val cropConfig: OcrCropConfig = buildOcrCropConfigUseCase(
+                        rotationDegrees = imageInfo.rotationDegrees,
+                        cameraPreview = binding.preview,
+                        documentScannerArea = binding.documentScannerArea,
+                    )
+                    viewModel.runOcrOnFrame(frame = bitmap, cropConfig)
+                } finally {
+                    imageProxy.close()
+                }
+            }
+        }
+    }
+
+    private fun stopCamera() {
+        if (::cameraExecutor.isInitialized) {
+            cameraExecutor.shutdown()
+        }
+    }
+
+    private fun stopOcr() {
+        if (::imageAnalysis.isInitialized) {
+            imageAnalysis.clearAnalyzer()
+        }
+    }
+
+    /**
+     * Waits until all animations are complete before navigating away. Completion animations are in place because the execution of
+     * [ExternalCredentialScanOcrViewModel.processOcrResultsAndFinish] is not immediate, and it makes the transition to the next fragment
+     * smoother for user.
+     *
+     * The animation state is stored in the [isAnimatingCompletion]. If it is set to true, the navigation action is set to
+     * [pendingFinishAction] which will be executed once animations are complete. If false, the navigation will proceed immediately.
+     */
+    private fun scheduleFinish(credential: ScannedCredential) {
+        val navigationAction = {
+            findNavController().navigateSafely(
+                this@ExternalCredentialScanOcrFragment,
+                ExternalCredentialScanOcrFragmentDirections.actionExternalCredentialScanOcrToExternalCredentialSearch(credential),
+            )
+        }
+        if (isAnimatingCompletion) {
+            pendingFinishAction = navigationAction
+        } else {
+            navigationAction.invoke()
+        }
+    }
+
+    companion object {
+        private const val VIEW_FINDER_ALPHA_INITIAL = 0.5f
+        private const val VIEW_FINDER_ALPHA_SCAN_ACTIVE = 0.9f
+        private const val FINISH_ANIMATION_DURATION = 300L
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModel.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModel.kt
new file mode 100644
index 0000000000..72e4f155b1
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModel.kt
@@ -0,0 +1,173 @@
+package com.simprints.feature.externalcredential.screens.scanocr
+
+import android.graphics.Bitmap
+import androidx.lifecycle.LiveData
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import com.simprints.core.DispatcherBG
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.livedata.LiveDataEventWithContent
+import com.simprints.core.livedata.send
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.feature.externalcredential.screens.scanocr.model.asExternalCredentialType
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.CropDocumentFromPreviewUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.GetCredentialCoordinatesUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.KeepOnlyBestDetectedBlockUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.NormalizeBitmapToPreviewUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.ZoomOntoCredentialUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.credential.store.CredentialImageRepository
+import com.simprints.infra.credential.store.model.CredentialScanImageType.ZoomedInCredential
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.resources.R
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
+import kotlinx.coroutines.CoroutineDispatcher
+import kotlinx.coroutines.launch
+
+internal class ExternalCredentialScanOcrViewModel @AssistedInject constructor(
+    @Assisted val ocrDocumentType: OcrDocumentType,
+    private val timeHelper: TimeHelper,
+    private val normalizeBitmapToPreviewUseCase: NormalizeBitmapToPreviewUseCase,
+    private val cropDocumentFromPreviewUseCase: CropDocumentFromPreviewUseCase,
+    private val getCredentialCoordinatesUseCase: GetCredentialCoordinatesUseCase,
+    private val keepOnlyBestDetectedBlockUseCase: KeepOnlyBestDetectedBlockUseCase,
+    private val credentialImageRepository: CredentialImageRepository,
+    private val zoomOntoCredentialUseCase: ZoomOntoCredentialUseCase,
+    private val tokenizationProcessor: TokenizationProcessor,
+    private val authStore: AuthStore,
+    private val configManager: ConfigManager,
+    @DispatcherBG private val bgDispatcher: CoroutineDispatcher,
+) : ViewModel() {
+    @AssistedFactory
+    interface Factory {
+        fun create(ocrDocumentType: OcrDocumentType): ExternalCredentialScanOcrViewModel
+    }
+
+    private var detectedBlocks: List<DetectedOcrBlock> = emptyList()
+    var isRunningOcrOnFrame: Boolean = false
+        private set
+    val isOcrActive: Boolean
+        get() = detectedBlocks.isNotEmpty()
+    private var state: ScanOcrState = ScanOcrState.EMPTY
+        set(value) {
+            field = value
+            _stateLiveData.postValue(value)
+        }
+    private val _stateLiveData = MutableLiveData<ScanOcrState>()
+    val stateLiveData: LiveData<ScanOcrState> = _stateLiveData
+    val finishOcrEvent: LiveData<LiveDataEventWithContent<ScannedCredential>>
+        get() = _finishOcrEvent
+    private val _finishOcrEvent = MutableLiveData<LiveDataEventWithContent<ScannedCredential>>()
+
+    private lateinit var startTime: Timestamp
+
+    private fun updateState(state: (ScanOcrState) -> ScanOcrState) {
+        this.state = state(this.state)
+    }
+
+    fun getDocumentTypeRes(): Int = when (ocrDocumentType) {
+        OcrDocumentType.NhisCard -> R.string.mfid_type_nhis_card
+        OcrDocumentType.GhanaIdCard -> R.string.mfid_type_ghana_id_card
+    }
+
+    fun ocrStarted() {
+        startTime = timeHelper.now()
+        updateState {
+            ScanOcrState.ScanningInProgress(
+                ocrDocumentType = ocrDocumentType,
+                successfulCaptures = 0,
+                scansRequired = SUCCESSFUL_SCANS_REQUIRED,
+            )
+        }
+    }
+
+    fun runOcrOnFrame(
+        frame: Bitmap,
+        cropConfig: OcrCropConfig,
+    ) {
+        viewModelScope.launch(bgDispatcher) {
+            try {
+                Simber.d("started OCR")
+                val normalizedBitmap = normalizeBitmapToPreviewUseCase(frame, cropConfig)
+                val cropped = cropDocumentFromPreviewUseCase(bitmap = normalizedBitmap, cutoutRect = cropConfig.cutoutRect)
+                val detectedBlock = getCredentialCoordinatesUseCase(bitmap = cropped, documentType = ocrDocumentType) ?: return@launch
+                Simber.d("Detected OCR")
+                detectedBlocks += detectedBlock
+                updateState {
+                    ScanOcrState.ScanningInProgress(
+                        ocrDocumentType = ocrDocumentType,
+                        successfulCaptures = detectedBlocks.size,
+                        scansRequired = SUCCESSFUL_SCANS_REQUIRED,
+                    )
+                }
+            } finally {
+                isRunningOcrOnFrame = false
+            }
+        }
+    }
+
+    fun processOcrResultsAndFinish() {
+        updateState { ScanOcrState.Complete }
+        viewModelScope.launch {
+            val project = configManager.getProject(authStore.signedInProjectId)
+            val detectedBlock = keepOnlyBestDetectedBlockUseCase(detectedBlocks, ocrDocumentType)
+            val credentialType = detectedBlock.documentType.asExternalCredentialType()
+            val blockBoundingBox = detectedBlock.blockBoundingBox
+            val zoomedCredentialImagePath = buildZoomedImagePath(detectedBlock)
+            val detectedValueRaw = detectedBlock.readoutValue.asTokenizableRaw()
+            val credential = tokenizationProcessor.encrypt(
+                decrypted = detectedValueRaw,
+                tokenKeyType = TokenKeyType.ExternalCredential,
+                project = project,
+            ) as TokenizableString.Tokenized
+
+            val scannedCredential = ScannedCredential(
+                credential = credential,
+                credentialType = credentialType,
+                documentImagePath = detectedBlock.imagePath,
+                zoomedCredentialImagePath = zoomedCredentialImagePath,
+                credentialBoundingBox = blockBoundingBox,
+                scanStartTime = startTime,
+                scanEndTime = timeHelper.now(),
+                scannedValue = detectedValueRaw,
+            )
+            _finishOcrEvent.send(scannedCredential)
+            detectedBlocks = emptyList()
+        }
+    }
+
+    private suspend fun buildZoomedImagePath(detectedBlock: DetectedOcrBlock): String? = try {
+        credentialImageRepository.saveCredentialScan(
+            bitmap = zoomOntoCredentialUseCase(detectedBlock.imagePath, detectedBlock.blockBoundingBox),
+            imageType = ZoomedInCredential,
+        )
+    } catch (e: Exception) {
+        Simber.e(
+            "Unable to zoom into bounding box [${detectedBlock.blockBoundingBox}] of ${detectedBlock.documentType} image ${detectedBlock.imagePath}",
+            e,
+            MULTI_FACTOR_ID,
+        )
+        null
+    }
+
+    fun ocrOnFrameStarted() {
+        isRunningOcrOnFrame = true
+    }
+
+    companion object {
+        private const val SUCCESSFUL_SCANS_REQUIRED = 5
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ScanOcrState.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ScanOcrState.kt
new file mode 100644
index 0000000000..0c14d4ef8d
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/ScanOcrState.kt
@@ -0,0 +1,19 @@
+package com.simprints.feature.externalcredential.screens.scanocr
+
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+
+internal sealed class ScanOcrState {
+    data object NotScanning : ScanOcrState()
+
+    data class ScanningInProgress(
+        val ocrDocumentType: OcrDocumentType,
+        val successfulCaptures: Int,
+        val scansRequired: Int,
+    ) : ScanOcrState()
+
+    data object Complete : ScanOcrState()
+
+    companion object {
+        val EMPTY = ScanOcrState.NotScanning
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/DetectedOcrBlock.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/DetectedOcrBlock.kt
new file mode 100644
index 0000000000..8e9f5845ef
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/DetectedOcrBlock.kt
@@ -0,0 +1,25 @@
+package com.simprints.feature.externalcredential.screens.scanocr.model
+
+import com.google.mlkit.vision.text.Text
+import com.simprints.feature.externalcredential.model.BoundingBox
+
+/**
+ * Result of the OCR credential detection of image. [Text.TextBlock] contains a [Text.Line] that was contains the detected credential.
+ * [readoutValue] is a normalized string that was read from the [Text.Line] (no extra space, trimmed).
+ *
+ * To save memory, the image is not stored directly in the data class. Rather this data class keeps a file path reference to the image
+ * in [imagePath].
+ *
+ * @param imagePath path to bitmap that was used for OCR
+ * @param documentType type of a supported document
+ * @param blockBoundingBox bounding box of block in which [lineBoundingBox] was detected
+ * @param lineBoundingBox bounding box of line that contained [Text.Element] objects that were concatenated and normalized to produce a [readoutValue]
+ * @param readoutValue normalized readout value from all [Text.Element] objects in [lineBoundingBox]
+ */
+internal data class DetectedOcrBlock(
+    val imagePath: String,
+    val documentType: OcrDocumentType,
+    val blockBoundingBox: BoundingBox,
+    val lineBoundingBox: BoundingBox,
+    val readoutValue: String,
+)
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrCropConfig.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrCropConfig.kt
new file mode 100644
index 0000000000..6a9540665e
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrCropConfig.kt
@@ -0,0 +1,10 @@
+package com.simprints.feature.externalcredential.screens.scanocr.model
+
+import android.graphics.Rect
+
+internal data class OcrCropConfig(
+    val rotationDegrees: Int,
+    val cutoutRect: Rect,
+    val previewViewWidth: Int,
+    val previewViewHeight: Int,
+)
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrDocumentType.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrDocumentType.kt
new file mode 100644
index 0000000000..46c6e8cca5
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/model/OcrDocumentType.kt
@@ -0,0 +1,19 @@
+package com.simprints.feature.externalcredential.screens.scanocr.model
+
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+
+enum class OcrDocumentType {
+    NhisCard,
+    GhanaIdCard,
+}
+
+fun ExternalCredentialType.asOcrDocumentType() = when (this) {
+    ExternalCredentialType.NHISCard -> OcrDocumentType.NhisCard
+    ExternalCredentialType.GhanaIdCard -> OcrDocumentType.GhanaIdCard
+    ExternalCredentialType.QRCode -> throw IllegalArgumentException("Cannot create Ocr Document Type from $this")
+}
+
+fun OcrDocumentType.asExternalCredentialType() = when (this) {
+    OcrDocumentType.NhisCard -> ExternalCredentialType.NHISCard
+    OcrDocumentType.GhanaIdCard -> ExternalCredentialType.GhanaIdCard
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCase.kt
new file mode 100644
index 0000000000..50b9970973
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCase.kt
@@ -0,0 +1,23 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.view.View
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import javax.inject.Inject
+
+internal class BuildOcrCropConfigUseCase @Inject constructor(
+    private val getBoundsRelativeToParentUseCase: GetBoundsRelativeToParentUseCase,
+) {
+    operator fun invoke(
+        rotationDegrees: Int,
+        cameraPreview: View,
+        documentScannerArea: View,
+    ): OcrCropConfig {
+        val cutoutRect = getBoundsRelativeToParentUseCase(parent = cameraPreview, child = documentScannerArea)
+        return OcrCropConfig(
+            rotationDegrees = rotationDegrees,
+            cutoutRect = cutoutRect,
+            previewViewWidth = cameraPreview.width,
+            previewViewHeight = cameraPreview.height,
+        )
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCase.kt
new file mode 100644
index 0000000000..9f8b0dffb4
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCase.kt
@@ -0,0 +1,47 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import javax.inject.Inject
+import kotlin.math.min
+
+internal class CalculateLevenshteinDistanceUseCase @Inject constructor() {
+    /**
+     * Calculates the Levenshtein distance between two strings.
+     *
+     * The Levenshtein distance is the minimum number of single-character edits (insertions, deletions, or substitutions) required to change
+     * one string into another.
+     *
+     * Examples:
+     * - "kitten" -> "sitting" = 3 (substitute k->s, e->i, insert g)
+     * - "ABC" -> "ACD" = 1 (substitute B->C)
+     * - "hello" -> "hello" = 0 (identical strings)
+     *
+     * @param s1 first string
+     * @param s2 second string
+     * @return minimum number of edits needed to transform s1 into s2
+     */
+    operator fun invoke(
+        s1: String,
+        s2: String,
+    ): Int {
+        if (s1 == s2) return 0
+        if (s1.isEmpty()) return s2.length
+        if (s2.isEmpty()) return s1.length
+        val dp = Array(s1.length + 1) { IntArray(s2.length + 1) }
+        for (i in 0..s1.length) dp[i][0] = i
+        for (j in 0..s2.length) dp[0][j] = j
+        for (i in 1..s1.length) {
+            for (j in 1..s2.length) {
+                val cost = if (s1[i - 1] == s2[j - 1]) 0 else 1
+                dp[i][j] = min(
+                    min(
+                        dp[i - 1][j] + 1,
+                        dp[i][j - 1] + 1,
+                    ),
+                    dp[i - 1][j - 1] + cost,
+                )
+            }
+        }
+
+        return dp[s1.length][s2.length]
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCase.kt
new file mode 100644
index 0000000000..5b0f2d4979
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCase.kt
@@ -0,0 +1,28 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import javax.inject.Inject
+
+internal class CropDocumentFromPreviewUseCase @Inject constructor() {
+    operator fun invoke(
+        bitmap: Bitmap,
+        cutoutRect: Rect,
+    ): Bitmap {
+        val left = cutoutRect.left.coerceIn(0, bitmap.width)
+        val top = cutoutRect.top.coerceIn(0, bitmap.height)
+        val right = cutoutRect.right.coerceIn(left, bitmap.width)
+        val bottom = cutoutRect.bottom.coerceIn(top, bitmap.height)
+
+        val width = right - left
+        val height = bottom - top
+
+        if (width <= 0 || height <= 0) {
+            throw IllegalStateException(
+                "Invalid OCR crop dimensions: width=$width, height=$height. CutoutRect=[$cutoutRect], bitmapSize(w,h)=[${bitmap.width}x${bitmap.height}]",
+            )
+        }
+
+        return Bitmap.createBitmap(bitmap, left, top, width, height)
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCase.kt
new file mode 100644
index 0000000000..ade0e55533
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCase.kt
@@ -0,0 +1,43 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import javax.inject.Inject
+
+internal class FindBestTextBlockForCredentialUseCase @Inject constructor(
+    private val calculateLevenshteinDistanceUseCase: CalculateLevenshteinDistanceUseCase,
+) {
+    /**
+     * Finds the detected OCR block that contains the readout value most similar to the given credential string.
+     *
+     * This method first attempts to find an exact match by comparing the readout value of each block with the credential. If no exact
+     * match is found, it uses Levenshtein distance to find the block with the smallest edit distance to the credential.
+     *
+     * @param credential the target credential string to match
+     * @param detectedBlocks list of detected OCR blocks to search through. Must not be empty
+     * @return the detected OCR block with the best matching readout value
+     * @throws IllegalArgumentException if no blocks provided
+     */
+    operator fun invoke(
+        credential: String,
+        detectedBlocks: List<DetectedOcrBlock>,
+    ): DetectedOcrBlock {
+        if (detectedBlocks.isEmpty()) {
+            throw IllegalArgumentException("OCR: cannot find match for credential, provided detected block list is empty")
+        }
+
+        // Searching from the end of detected blocks to maximize chances of getting the image closest to what the user have seen on the
+        // camera preview. This allows for natural look when transitioning to the next screen, as the best fitting text block will be as
+        // close to the last frame the user sees as possible.
+        for (block in detectedBlocks.asReversed()) {
+            if (block.readoutValue == credential) {
+                return block
+            }
+        }
+
+        // If no exact match, finding the closest one using Levenshtein distance. Updating its credential value to the given for consistency
+        return detectedBlocks
+            .minBy { block ->
+                calculateLevenshteinDistanceUseCase(credential, block.readoutValue)
+            }.copy(readoutValue = credential)
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCase.kt
new file mode 100644
index 0000000000..cb3ce092c6
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCase.kt
@@ -0,0 +1,27 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Rect
+import android.view.View
+import javax.inject.Inject
+
+internal class GetBoundsRelativeToParentUseCase @Inject constructor() {
+    operator fun invoke(
+        parent: View,
+        child: View,
+    ): Rect {
+        val childLocation = IntArray(2)
+        val parentLocation = IntArray(2)
+        child.getLocationOnScreen(childLocation)
+        parent.getLocationOnScreen(parentLocation)
+
+        val offsetX = childLocation[0] - parentLocation[0]
+        val offsetY = childLocation[1] - parentLocation[1]
+
+        return Rect(
+            offsetX,
+            offsetY,
+            offsetX + child.width,
+            offsetY + child.height,
+        )
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetCredentialCoordinatesUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetCredentialCoordinatesUseCase.kt
new file mode 100644
index 0000000000..20fe8554a7
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetCredentialCoordinatesUseCase.kt
@@ -0,0 +1,83 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import com.google.android.gms.tasks.Tasks
+import com.google.mlkit.vision.common.InputImage
+import com.google.mlkit.vision.text.TextRecognition
+import com.google.mlkit.vision.text.latin.TextRecognizerOptions
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.feature.externalcredential.model.toBoundingBox
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.infra.credential.store.CredentialImageRepository
+import com.simprints.infra.credential.store.model.CredentialScanImageType.FullDocument
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import javax.inject.Inject
+import javax.inject.Singleton
+
+@Singleton
+@ExcludedFromGeneratedTestCoverageReports("Unable to mock Google ML Kit")
+internal class GetCredentialCoordinatesUseCase @Inject constructor(
+    private val ghanaNhisCardOcrSelectorUseCase: GhanaNhisCardOcrSelectorUseCase,
+    private val ghanaIdCardOcrSelectorUseCase: GhanaIdCardOcrSelectorUseCase,
+    private val credentialImageRepository: CredentialImageRepository,
+) {
+    private val recognizer = TextRecognition.getClient(TextRecognizerOptions.DEFAULT_OPTIONS)
+
+    /**
+     * OCR uses Google ML kit. It has a following hierarchy:
+     *      - Block. A contiguous set of text lines, such as a paragraph or column,
+     *      - Line. A contiguous set of words on the same axis. There can be multiple Lines in the Block
+     *      - Element. A contiguous set of alphanumeric characters ("word") on the same axis. There can be Elements in one Line
+     *      - Symbol. A single alphanumeric character in an Element.
+     *
+     * This method returns a [DetectedOcrBlock] class if the OCR managed to find a line that satisfies the given [documentType] pattern.
+     * If such Line is found, then it is returned in a [DetectedOcrBlock] alongside its parent block, and a normalized value.
+     *
+     * Lines are used instead of Elements because the OCR might mistakenly read an extra white space in a Line, resulting in multiple
+     * Elements. Since Lines are geometrically in one plane, we just take the concatenation of all underlying child Elements, and analyze
+     * them it as a single string.
+     *
+     * @param bitmap bitmap to run OCR on
+     * @param documentType type of the document
+     *
+     * @return [DetectedOcrBlock] if any Line satisfies the [documentType] pattern, or null if none.
+     */
+    suspend operator fun invoke(
+        bitmap: Bitmap,
+        documentType: OcrDocumentType,
+    ): DetectedOcrBlock? {
+        val image = InputImage.fromBitmap(bitmap, 0)
+        return try {
+            val result = Tasks.await(recognizer.process(image)) ?: return null
+            return result.textBlocks.firstNotNullOfOrNull { textBlock ->
+                textBlock.lines.firstNotNullOfOrNull { textLine ->
+                    // Getting text from the entire line readout, and normalizing to avoid any extra spaces
+                    val lineReadout = textLine.text.trim().replace(" ", "")
+                    val isValid = when (documentType) {
+                        OcrDocumentType.NhisCard -> ghanaNhisCardOcrSelectorUseCase(lineReadout)
+                        OcrDocumentType.GhanaIdCard -> ghanaIdCardOcrSelectorUseCase(lineReadout)
+                    }
+                    if (isValid) {
+                        val blockBoundingRect = textBlock.boundingBox ?: return@firstNotNullOfOrNull null
+                        val lineBoundingRect = textLine.boundingBox ?: return@firstNotNullOfOrNull null
+                        val savedImagePath = credentialImageRepository.saveCredentialScan(bitmap, imageType = FullDocument)
+                        return@firstNotNullOfOrNull DetectedOcrBlock(
+                            imagePath = savedImagePath,
+                            documentType = documentType,
+                            blockBoundingBox = blockBoundingRect.toBoundingBox(),
+                            lineBoundingBox = lineBoundingRect.toBoundingBox(),
+                            readoutValue = lineReadout,
+                        )
+                    } else {
+                        return@firstNotNullOfOrNull null
+                    }
+                }
+            }
+        } catch (e: Exception) {
+            Simber.e("OCR failed for $documentType", e, tag = MULTI_FACTOR_ID)
+            null
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCase.kt
new file mode 100644
index 0000000000..6a34597b5a
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCase.kt
@@ -0,0 +1,50 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import javax.inject.Inject
+
+internal class GetExternalCredentialBasedOnConfidenceUseCase @Inject constructor() {
+    /**
+     * Constructs the most likely credential string by selecting the most frequent character at each position across all detected OCR
+     * blocks. This is necessary because during the OCR readouts, detection mechanisms might confuse characters (think, 'l' versus 'I').
+     *
+     * To account for that, this method puts the most frequent character at each position across all readings.
+     *
+     * Example: ["ABC", "ACD", "CCD"], credentialLength=3 -> "ACD"
+     * - Position 0: 'A' appears 2 times, 'C' appears 1 time -> 'A' wins
+     * - Position 1: 'B' appears 1 time, 'C' appears 2 times -> 'C' wins
+     * - Position 2: 'C' appears 1 time, 'D' appears 2 times -> 'D' wins
+     * Result: 'ACD'
+     *
+     * Example: ["ABC", "AC"], credentialLength=3 -> "ACD"
+     *
+     * @param detectedBlocks list of OCR detection results containing readout values
+     * @param credentialLength target length of the external credential
+     * @return most likely credential string based on character frequency voting
+     * @throws [IllegalArgumentException] if [detectedBlocks] is empty
+     */
+    operator fun invoke(
+        detectedBlocks: List<DetectedOcrBlock>,
+        credentialLength: Int,
+    ): String {
+        val detectedValues: List<String> = detectedBlocks
+            .map(DetectedOcrBlock::readoutValue)
+            .filter { it.length == credentialLength }
+        if (detectedValues.isEmpty()) {
+            throw IllegalArgumentException("OCR block list is empty, cannot extract external credential from it")
+        }
+
+        // Grouping characters at each position across all strings and picking the most frequent one
+        return (0 until credentialLength)
+            .map { position ->
+                detectedValues
+                    .map { it[position] }
+                    .groupingBy { it }
+                    .eachCount()
+                    .maxBy { it.value }
+                    .key
+            }.joinToString(separator = "")
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCase.kt
new file mode 100644
index 0000000000..b5672f17fa
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCase.kt
@@ -0,0 +1,12 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import javax.inject.Inject
+
+internal class GhanaIdCardOcrSelectorUseCase @Inject constructor() {
+    operator fun invoke(readoutValue: String): Boolean = GHANA_ID_PATTERN.matches(readoutValue)
+
+    companion object {
+        // Ghana ID card number pattern is "GHA-12345789-0"
+        private val GHANA_ID_PATTERN = Regex("^GHA-\\d{9}-\\d$")
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCase.kt
new file mode 100644
index 0000000000..e7f4133529
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCase.kt
@@ -0,0 +1,12 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import javax.inject.Inject
+
+internal class GhanaNhisCardOcrSelectorUseCase @Inject constructor() {
+    operator fun invoke(readoutValue: String): Boolean = NHIS_PATTERN.matches(readoutValue)
+
+    companion object {
+        // NHIS Card membership is 8 digits long
+        private val NHIS_PATTERN = Regex("^\\d{8}$")
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCase.kt
new file mode 100644
index 0000000000..3f477015a6
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCase.kt
@@ -0,0 +1,31 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.infra.credential.store.CredentialImageRepository
+import javax.inject.Inject
+
+internal class KeepOnlyBestDetectedBlockUseCase @Inject constructor(
+    private val getExternalCredentialBasedOnConfidenceUseCase: GetExternalCredentialBasedOnConfidenceUseCase,
+    private val findBestTextBlockForCredentialUseCase: FindBestTextBlockForCredentialUseCase,
+    private val credentialImageRepository: CredentialImageRepository,
+) {
+    suspend operator fun invoke(
+        allDetectedBlock: List<DetectedOcrBlock>,
+        documentType: OcrDocumentType,
+    ): DetectedOcrBlock {
+        val credentialLength = when (documentType) {
+            OcrDocumentType.NhisCard -> 8 // NHIS membership number contains 8 digits: 12345678
+            OcrDocumentType.GhanaIdCard -> 15 // Ghana ID field contains 15 chars: GHA-123456789-0
+        }
+        val externalCredential = getExternalCredentialBasedOnConfidenceUseCase(allDetectedBlock, credentialLength)
+        val detectedBlock = findBestTextBlockForCredentialUseCase(credential = externalCredential, detectedBlocks = allDetectedBlock)
+
+        // Deleting cached scan images for all remaining blocks
+        allDetectedBlock
+            .map(DetectedOcrBlock::imagePath)
+            .filterNot { imagePath -> imagePath == detectedBlock.imagePath }
+            .onEach { imagePath -> credentialImageRepository.deleteByPath(imagePath) }
+        return detectedBlock
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCase.kt
new file mode 100644
index 0000000000..66154ef8da
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCase.kt
@@ -0,0 +1,68 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Matrix
+import androidx.core.graphics.scale
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import javax.inject.Inject
+
+internal class NormalizeBitmapToPreviewUseCase @Inject constructor() {
+    /**
+     * Normalizes a camera capture [inputBitmap] bitmap to match the PreviewView's dimensions and aspect ratio.
+     *
+     * This method performs three transformations:
+     * 1. Rotation - Rotates the bitmap by the specified degrees if needed
+     * 2. Center cropping - Crops the bitmap to match PreviewView aspect ratio, keeping the center portion
+     * 3. Scaling - Scales the cropped bitmap to exactly match PreviewView dimensions
+     *
+     * The center cropping ensures that the normalized bitmap has the same aspect ratio as what the user
+     * sees in the camera preview, making OCR results spatially consistent with the preview overlay.
+     *
+     * @param inputBitmap the original camera capture bitmap
+     * @param cropConfig configuration containing rotation, preview width and height
+     *
+     * @return normalized bitmap with PreviewView dimensions and aspect ratio
+     */
+    suspend operator fun invoke(
+        inputBitmap: Bitmap,
+        cropConfig: OcrCropConfig,
+    ): Bitmap {
+        val rotationDegrees = cropConfig.rotationDegrees
+        val previewViewWidth = cropConfig.previewViewWidth
+        val previewViewHeight = cropConfig.previewViewHeight
+
+        // Rotate if necessary
+        val rotated = if (rotationDegrees != 0) {
+            val matrix = Matrix().apply { postRotate(rotationDegrees.toFloat()) }
+            Bitmap.createBitmap(inputBitmap, 0, 0, inputBitmap.width, inputBitmap.height, matrix, true)
+        } else {
+            inputBitmap
+        }
+
+        // Center-crop to match PreviewView aspect ratio
+        val previewRatio = previewViewWidth.toFloat() / previewViewHeight
+        val inputRatio = rotated.width.toFloat() / rotated.height
+
+        val cropWidth: Int
+        val cropHeight: Int
+        val offsetX: Int
+        val offsetY: Int
+
+        if (inputRatio > previewRatio) {
+            cropHeight = rotated.height
+            cropWidth = (cropHeight * previewRatio).toInt()
+            offsetX = (rotated.width - cropWidth) / 2
+            offsetY = 0
+        } else {
+            cropWidth = rotated.width
+            cropHeight = (cropWidth / previewRatio).toInt()
+            offsetX = 0
+            offsetY = (rotated.height - cropHeight) / 2
+        }
+
+        val cropped = Bitmap.createBitmap(rotated, offsetX, offsetY, cropWidth, cropHeight)
+
+        // Scale to PreviewView size
+        return cropped.scale(previewViewWidth, previewViewHeight)
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ProvideCameraListenerUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ProvideCameraListenerUseCase.kt
new file mode 100644
index 0000000000..6a0e4a9269
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ProvideCameraListenerUseCase.kt
@@ -0,0 +1,56 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import androidx.camera.core.AspectRatio
+import androidx.camera.core.CameraSelector
+import androidx.camera.core.ImageAnalysis
+import androidx.camera.core.ImageCapture
+import androidx.camera.core.Preview
+import androidx.camera.lifecycle.ProcessCameraProvider
+import androidx.lifecycle.LifecycleOwner
+import com.google.common.util.concurrent.ListenableFuture
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.annotations.ExcludedFromGeneratedTestCoverageReports
+import javax.inject.Inject
+
+@ExcludedFromGeneratedTestCoverageReports("UI Code")
+internal class ProvideCameraListenerUseCase @Inject constructor() {
+    operator fun invoke(
+        cameraProviderFuture: ListenableFuture<ProcessCameraProvider>,
+        surfaceProvider: Preview.SurfaceProvider,
+        viewLifecycleOwner: LifecycleOwner,
+        onImageAnalysisReady: (ImageAnalysis) -> Unit,
+    ) = Runnable {
+        val cameraProvider = cameraProviderFuture.get()
+        val aspectRatio = AspectRatio.RATIO_16_9
+        val preview = Preview
+            .Builder()
+            .setTargetAspectRatio(aspectRatio)
+            .build()
+            .also {
+                it.setSurfaceProvider(surfaceProvider)
+            }
+
+        val imageCapture = ImageCapture
+            .Builder()
+            .setTargetAspectRatio(aspectRatio)
+            .setCaptureMode(ImageCapture.CAPTURE_MODE_MINIMIZE_LATENCY)
+            .build()
+
+        val imageAnalysis = ImageAnalysis
+            .Builder()
+            .setTargetAspectRatio(aspectRatio)
+            .setBackpressureStrategy(ImageAnalysis.STRATEGY_KEEP_ONLY_LATEST)
+            .build()
+
+        val cameraSelector = CameraSelector.DEFAULT_BACK_CAMERA
+
+        try {
+            cameraProvider.unbindAll()
+            cameraProvider.bindToLifecycle(viewLifecycleOwner, cameraSelector, preview, imageCapture, imageAnalysis)
+            onImageAnalysisReady(imageAnalysis)
+        } catch (e: Exception) {
+            Simber.e("Camera binding failed in OCR", e, MULTI_FACTOR_ID)
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCase.kt
new file mode 100644
index 0000000000..ac7c11bea4
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCase.kt
@@ -0,0 +1,87 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.BitmapFactory
+import com.simprints.feature.externalcredential.model.BoundingBox
+import javax.inject.Inject
+import kotlin.math.max
+import kotlin.math.min
+
+internal class ZoomOntoCredentialUseCase @Inject constructor() {
+    /**
+     * Zooms into given image. Zoom area defined by the [boundingBox]
+     *
+     * @param imagePath path to image containing the document to zoom into
+     * @param boundingBox bounding box that defines the zoom area
+     * @return zoomed-in bitmap
+     */
+    operator fun invoke(
+        imagePath: String,
+        boundingBox: BoundingBox,
+    ): Bitmap {
+        val bitmap = BitmapFactory.decodeFile(imagePath)
+        val expandedBox = scaleBoundingBox(boundingBox, BOX_SCALE_FACTOR)
+
+        val left = expandedBox.left.coerceIn(0, bitmap.width)
+        val top = expandedBox.top.coerceIn(0, bitmap.height)
+        val right = expandedBox.right.coerceIn(left, bitmap.width)
+        val bottom = expandedBox.bottom.coerceIn(top, bitmap.height)
+        val boxWidth = right - left
+        val boxHeight = bottom - top
+
+        if (boxWidth <= 0 || boxHeight <= 0) {
+            return bitmap
+        }
+
+        val boxAspectRatio = boxWidth.toFloat() / boxHeight.toFloat()
+        val finalWidth: Int
+        val finalHeight: Int
+        // Bounding box is taller/wider than 16:10, adding padding to left/right or top/bottom
+        if (boxAspectRatio > TARGET_ASPECT_RATIO) {
+            finalWidth = boxWidth
+            finalHeight = (boxWidth / TARGET_ASPECT_RATIO).toInt()
+        } else {
+            finalHeight = boxHeight
+            finalWidth = (boxHeight * TARGET_ASPECT_RATIO).toInt()
+        }
+
+        val extraWidth = finalWidth - boxWidth
+        val extraHeight = finalHeight - boxHeight
+        val cropRight = min(bitmap.width, right + extraWidth / 2)
+        val cropBottom = min(bitmap.height, bottom + extraHeight / 2)
+
+        // Adjust if we hit image boundaries
+        val adjustedLeft = max(0, cropRight - finalWidth)
+        val adjustedTop = max(0, cropBottom - finalHeight)
+        val actualWidth = cropRight - adjustedLeft
+        val actualHeight = cropBottom - adjustedTop
+        return Bitmap.createBitmap(bitmap, adjustedLeft, adjustedTop, actualWidth, actualHeight)
+    }
+
+    /**
+     * Expands a bounding box by a percentage on all sides.
+     *
+     * @param box Original bounding box
+     * @return Expanded bounding box that may exceed image bounds as it is addressed later
+     */
+    private fun scaleBoundingBox(
+        box: BoundingBox,
+        scale: Float,
+    ): BoundingBox {
+        val boxWidth = box.right - box.left
+        val boxHeight = box.bottom - box.top
+        val horizontalExpansion = (boxWidth * (scale - 1f) / 2f).toInt()
+        val verticalExpansion = (boxHeight * (scale - 1f) / 2f).toInt()
+        return BoundingBox(
+            left = box.left - horizontalExpansion,
+            top = box.top - verticalExpansion,
+            right = box.right + horizontalExpansion,
+            bottom = box.bottom + verticalExpansion,
+        )
+    }
+
+    companion object {
+        private const val TARGET_ASPECT_RATIO = 16f / 10f
+        private const val BOX_SCALE_FACTOR = 1.15f
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrFragment.kt
new file mode 100644
index 0000000000..13996eebb8
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrFragment.kt
@@ -0,0 +1,273 @@
+package com.simprints.feature.externalcredential.screens.scanqr
+
+import android.Manifest.permission.CAMERA
+import android.app.Dialog
+import android.content.Intent
+import android.graphics.Rect
+import android.os.Bundle
+import android.provider.Settings
+import android.view.View
+import android.widget.Button
+import android.widget.TextView
+import android.widget.Toast
+import androidx.activity.result.contract.ActivityResultContracts
+import androidx.core.net.toUri
+import androidx.core.view.isVisible
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.fragment.app.viewModels
+import androidx.lifecycle.Lifecycle
+import androidx.lifecycle.lifecycleScope
+import androidx.lifecycle.repeatOnLifecycle
+import androidx.navigation.fragment.findNavController
+import com.google.android.material.bottomsheet.BottomSheetBehavior
+import com.google.android.material.bottomsheet.BottomSheetDialog
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.extentions.getCurrentPermissionStatus
+import com.simprints.core.tools.extentions.hasPermission
+import com.simprints.core.tools.extentions.permissionFromResult
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.FragmentExternalCredentialScanQrBinding
+import com.simprints.feature.externalcredential.screens.controller.ExternalCredentialViewModel
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.camera.qrscan.CameraHelper
+import com.simprints.infra.uibase.camera.qrscan.QrCodeAnalyzer
+import com.simprints.infra.uibase.navigation.navigateSafely
+import com.simprints.infra.uibase.view.applySystemBarInsets
+import com.simprints.infra.uibase.viewbinding.viewBinding
+import dagger.hilt.android.AndroidEntryPoint
+import kotlinx.coroutines.flow.catch
+import kotlinx.coroutines.flow.collectLatest
+import kotlinx.coroutines.launch
+import javax.inject.Inject
+import com.simprints.infra.resources.R as IDR
+
+@AndroidEntryPoint
+internal class ExternalCredentialScanQrFragment : Fragment(R.layout.fragment_external_credential_scan_qr) {
+    private val binding by viewBinding(FragmentExternalCredentialScanQrBinding::bind)
+    private val crashReportTag = MULTI_FACTOR_ID
+    private val mainViewModel: ExternalCredentialViewModel by activityViewModels()
+    private val viewModel by viewModels<ExternalCredentialScanQrViewModel>()
+
+    private var dialog: Dialog? = null
+    private var isCameraInitialized = false
+
+    @Inject
+    lateinit var cameraHelperFactory: CameraHelper.Factory
+    private val cameraHelper: CameraHelper by lazy {
+        cameraHelperFactory.create(crashReportTag)
+    }
+
+    @Inject
+    lateinit var qrCodeAnalyzerFactory: QrCodeAnalyzer.Factory
+    private lateinit var qrCodeAnalyzer: QrCodeAnalyzer
+
+    private val launchPermissionRequest = registerForActivityResult(
+        ActivityResultContracts.RequestPermission(),
+    ) { granted ->
+        val cameraPermissionStatus = requireActivity().permissionFromResult(CAMERA, granted)
+        viewModel.updateCameraPermissionStatus(cameraPermissionStatus)
+    }
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+        applySystemBarInsets(view)
+        Simber.i("ExternalCredentialScanQrFragment started", tag = MULTI_FACTOR_ID)
+
+        initObservers()
+
+        if (!requireActivity().hasPermission(CAMERA)) {
+            launchPermissionRequest.launch(CAMERA)
+        }
+    }
+
+    override fun onResume() {
+        super.onResume()
+        val cameraPermissionStatus = requireActivity().getCurrentPermissionStatus(CAMERA)
+        viewModel.updateCameraPermissionStatus(cameraPermissionStatus)
+    }
+
+    override fun onDestroy() {
+        dismissDialog()
+        super.onDestroy()
+    }
+
+    private fun dismissDialog() {
+        dialog?.dismiss()
+        dialog = null
+    }
+
+    private fun initObservers() {
+        viewModel.stateLiveData.observe(viewLifecycleOwner) { state ->
+            when (state) {
+                ScanQrState.ReadyToScan -> {
+                    renderInitialState()
+                    initCamera()
+                }
+
+                is ScanQrState.QrCodeCaptured -> renderScanComplete(state)
+                is ScanQrState.NoCameraPermission -> renderNoPermission(state.shouldOpenPhoneSettings)
+            }
+        }
+    }
+
+    private fun renderInitialState() = with(binding) {
+        permissionRequestView.isVisible = false
+        qrInstructionsText.isVisible = true
+        qrInstructionsText.text = getString(IDR.string.mfid_scan_instructions, getString(IDR.string.mfid_type_qr_code))
+        qrPreviewCard.isVisible = false
+        buttonScan.setText(IDR.string.mfid_qr_scan_no_qr_detected)
+        buttonScan.isVisible = true
+        buttonScan.isEnabled = false
+        buttonScan.setOnClickListener {}
+    }
+
+    private fun renderScanComplete(state: ScanQrState.QrCodeCaptured) = with(binding) {
+        val qrCodeRaw = state.qrCode
+        qrInstructionsText.isVisible = false
+        qrPreviewCard.isVisible = true
+        qrPreviewText.text = qrCodeRaw.value
+        buttonScan.setText(IDR.string.mfid_continue)
+        buttonScan.isEnabled = true
+        buttonScan.setOnClickListener {
+            if (viewModel.isValidQrCodeFormat(qrCodeRaw)) {
+                val args = ScannedCredential(
+                    credential = state.qrCodeEncrypted,
+                    credentialType = ExternalCredentialType.QRCode,
+                    documentImagePath = null,
+                    credentialBoundingBox = null,
+                    zoomedCredentialImagePath = null,
+                    scanStartTime = state.scanStartTime,
+                    scanEndTime = state.scanEndTime,
+                    scannedValue = state.qrCode,
+                )
+                findNavController().navigateSafely(
+                    this@ExternalCredentialScanQrFragment,
+                    ExternalCredentialScanQrFragmentDirections.actionExternalCredentialSelectScanQrToExternalCredentialSearch(args),
+                )
+            } else {
+                showInvalidQrCodeFormatDialog(
+                    qrCodeValue = qrCodeRaw,
+                    onDismiss = {
+                        dismissDialog()
+                        viewModel.updateCapturedValue(null)
+                    },
+                )
+            }
+        }
+    }
+
+    private fun showInvalidQrCodeFormatDialog(
+        qrCodeValue: TokenizableString.Raw,
+        onDismiss: () -> Unit,
+    ) {
+        dismissDialog()
+        dialog = BottomSheetDialog(requireContext()).also {
+            val view = layoutInflater
+                .inflate(R.layout.dialog_qr_wrong_value, null)
+                .also { view ->
+                    val qrValueTextView = view.findViewById<TextView>(R.id.qrValue)
+                    val buttonRescan = view.findViewById<Button>(R.id.buttonRescan)
+                    qrValueTextView.text = qrCodeValue.value
+                    buttonRescan.setOnClickListener { dismissDialog() }
+                }
+            it.setContentView(view)
+            it.setOnDismissListener { onDismiss() }
+            it.setCancelable(true)
+            it.behavior.state = BottomSheetBehavior.STATE_EXPANDED
+            it.behavior.isDraggable = false
+        }
+        dialog?.show()
+    }
+
+    private fun initCamera() {
+        binding.qrScannerArea.post {
+            if (isCameraInitialized) return@post
+            isCameraInitialized = true
+            startCamera()
+            startAnalyzer()
+        }
+    }
+
+    private fun startAnalyzer() {
+        viewLifecycleOwner.lifecycleScope.launch {
+            viewLifecycleOwner.repeatOnLifecycle(Lifecycle.State.RESUMED) {
+                qrCodeAnalyzer.scannedCode
+                    .catch { e ->
+                        Simber.e("Camera not available for QR scanning", e, tag = crashReportTag)
+                        Toast.makeText(requireActivity(), "No camera", Toast.LENGTH_LONG).show()
+                    }.collectLatest { qrCode ->
+                        viewModel.updateCapturedValue(qrCode)
+                    }
+            }
+        }
+    }
+
+    private fun startCamera() {
+        val cropConfig = getCropConfig()
+        qrCodeAnalyzer = qrCodeAnalyzerFactory.create(cropConfig = cropConfig, crashReportTag = crashReportTag)
+
+        cameraHelper.startCamera(
+            viewLifecycleOwner,
+            binding.qrScannerPreview,
+            qrCodeAnalyzer,
+        ) {
+            Toast.makeText(requireActivity(), "No Camera available", Toast.LENGTH_LONG).show()
+        }
+    }
+
+    private fun getCropConfig(): QrCodeAnalyzer.CropConfig = with(binding) {
+        val qrScannerArea = Rect(
+            qrScannerArea.left,
+            qrScannerArea.top,
+            qrScannerArea.right,
+            qrScannerArea.bottom,
+        )
+        val orientation = resources.configuration.orientation
+        val previewWidth = qrScannerPreview.width
+        val previewHeight = qrScannerPreview.height
+        return QrCodeAnalyzer.CropConfig(
+            rect = qrScannerArea,
+            orientation = orientation,
+            rootViewWidth = previewWidth,
+            rootViewHeight = previewHeight,
+        )
+    }
+
+    private fun renderNoPermission(shouldOpenPhoneSettings: Boolean) = with(binding) {
+        qrInstructionsText.isVisible = false
+        buttonScan.isVisible = false
+        val bodyText = getString(IDR.string.mfid_scan_camera_permission_body, getString(IDR.string.mfid_type_qr_code))
+        if (shouldOpenPhoneSettings) {
+            permissionRequestView.init(
+                title = IDR.string.face_capture_permission_denied,
+                body = bodyText,
+                buttonText = IDR.string.fingerprint_connect_phone_settings_button,
+                onClickListener = {
+                    requireActivity().startActivity(
+                        Intent(
+                            Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
+                            "package:${requireActivity().packageName}".toUri(),
+                        ),
+                    )
+                },
+            )
+        } else {
+            permissionRequestView.init(
+                title = IDR.string.face_capture_permission_denied,
+                body = bodyText,
+                buttonText = IDR.string.face_capture_permission_action,
+                onClickListener = {
+                    launchPermissionRequest.launch(CAMERA)
+                },
+            )
+        }
+        permissionRequestView.isVisible = true
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModel.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModel.kt
new file mode 100644
index 0000000000..17be0e35f2
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModel.kt
@@ -0,0 +1,78 @@
+package com.simprints.feature.externalcredential.screens.scanqr
+
+import androidx.lifecycle.LiveData
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import com.simprints.core.domain.permission.PermissionStatus
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.scanqr.usecase.ExternalCredentialQrCodeValidatorUseCase
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import dagger.hilt.android.lifecycle.HiltViewModel
+import kotlinx.coroutines.launch
+import javax.inject.Inject
+
+@HiltViewModel
+internal class ExternalCredentialScanQrViewModel @Inject constructor(
+    private val timeHelper: TimeHelper,
+    private val externalCredentialQrCodeValidator: ExternalCredentialQrCodeValidatorUseCase,
+    private val authStore: AuthStore,
+    private val configManager: ConfigManager,
+    private val tokenizationProcessor: TokenizationProcessor,
+) : ViewModel() {
+    private lateinit var startTime: Timestamp
+    private var state: ScanQrState = ScanQrState.ReadyToScan
+        set(value) {
+            field = value
+            _stateLiveData.postValue(value)
+        }
+    private val _stateLiveData = MutableLiveData<ScanQrState>(ScanQrState.ReadyToScan)
+    val stateLiveData: LiveData<ScanQrState> = _stateLiveData
+
+    private fun updateState(state: (ScanQrState) -> ScanQrState) {
+        this.state = state(this.state)
+    }
+
+    fun updateCapturedValue(value: String?) {
+        viewModelScope.launch {
+            val newState = when (value) {
+                null -> ScanQrState.ReadyToScan
+                else -> {
+                    val project = configManager.getProject(authStore.signedInProjectId)
+                    val qrCodeEncrypted = tokenizationProcessor.encrypt(
+                        decrypted = value.asTokenizableRaw(),
+                        tokenKeyType = TokenKeyType.ExternalCredential,
+                        project = project,
+                    ) as TokenizableString.Tokenized
+                    ScanQrState.QrCodeCaptured(
+                        scanStartTime = startTime,
+                        scanEndTime = timeHelper.now(),
+                        qrCode = value.asTokenizableRaw(),
+                        qrCodeEncrypted = qrCodeEncrypted,
+                    )
+                }
+            }
+            updateState { newState }
+        }
+    }
+
+    fun updateCameraPermissionStatus(permissionStatus: PermissionStatus) {
+        val newState = when (permissionStatus) {
+            PermissionStatus.Granted -> {
+                startTime = timeHelper.now() // Reset scan timer
+                ScanQrState.ReadyToScan
+            }
+            PermissionStatus.Denied -> ScanQrState.NoCameraPermission(shouldOpenPhoneSettings = false)
+            PermissionStatus.DeniedNeverAskAgain -> ScanQrState.NoCameraPermission(shouldOpenPhoneSettings = true)
+        }
+        updateState { newState }
+    }
+
+    fun isValidQrCodeFormat(qrCodeValue: TokenizableString.Raw): Boolean = externalCredentialQrCodeValidator(qrCodeValue.value)
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ScanQrState.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ScanQrState.kt
new file mode 100644
index 0000000000..c3f2720756
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/ScanQrState.kt
@@ -0,0 +1,19 @@
+package com.simprints.feature.externalcredential.screens.scanqr
+
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+
+sealed class ScanQrState {
+    data object ReadyToScan : ScanQrState()
+
+    data class NoCameraPermission(
+        val shouldOpenPhoneSettings: Boolean,
+    ) : ScanQrState()
+
+    data class QrCodeCaptured(
+        val scanStartTime: Timestamp,
+        val scanEndTime: Timestamp,
+        val qrCode: TokenizableString.Raw,
+        val qrCodeEncrypted: TokenizableString.Tokenized,
+    ) : ScanQrState()
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/usecase/ExternalCredentialQrCodeValidatorUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/usecase/ExternalCredentialQrCodeValidatorUseCase.kt
new file mode 100644
index 0000000000..270ec4c4c5
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/scanqr/usecase/ExternalCredentialQrCodeValidatorUseCase.kt
@@ -0,0 +1,15 @@
+package com.simprints.feature.externalcredential.screens.scanqr.usecase
+
+import javax.inject.Inject
+
+internal class ExternalCredentialQrCodeValidatorUseCase @Inject constructor() {
+    /**
+     * Checks whether the scanned QR code value is valid to be used in the Multi-Factor ID. Currently, it uses hardcoded values.
+     * In future, the validity criteria should be passed from the project configuration.
+     */
+    operator fun invoke(qrCodeValue: String): Boolean = qrCodeValue.length == QR_CODE_LENGTH
+
+    companion object {
+        private const val QR_CODE_LENGTH = 6
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchFragment.kt
new file mode 100644
index 0000000000..9df99a4d9b
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchFragment.kt
@@ -0,0 +1,251 @@
+package com.simprints.feature.externalcredential.screens.search
+
+import android.content.Context
+import android.graphics.BitmapFactory
+import android.os.Bundle
+import android.view.View
+import android.view.inputmethod.InputMethodManager
+import androidx.core.content.ContextCompat
+import androidx.core.view.isVisible
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.fragment.app.viewModels
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.ViewModelProvider
+import androidx.navigation.fragment.findNavController
+import androidx.navigation.fragment.navArgs
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.livedata.LiveDataEventWithContentObserver
+import com.simprints.core.tools.extentions.hideKeyboard
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.FragmentExternalCredentialSearchBinding
+import com.simprints.feature.externalcredential.ext.getCredentialFieldTitle
+import com.simprints.feature.externalcredential.ext.getCredentialTypeString
+import com.simprints.feature.externalcredential.screens.controller.ExternalCredentialViewModel
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.ZoomOntoCredentialUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.SearchCredentialState
+import com.simprints.feature.externalcredential.screens.search.model.SearchState
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.navigation.navigateSafely
+import com.simprints.infra.uibase.viewbinding.viewBinding
+import dagger.hilt.android.AndroidEntryPoint
+import javax.inject.Inject
+import com.simprints.infra.resources.R as IDR
+
+@AndroidEntryPoint
+internal class ExternalCredentialSearchFragment : Fragment(R.layout.fragment_external_credential_search) {
+    private val args: ExternalCredentialSearchFragmentArgs by navArgs()
+    private val binding by viewBinding(FragmentExternalCredentialSearchBinding::bind)
+    private val mainViewModel: ExternalCredentialViewModel by activityViewModels()
+    private val viewModel by viewModels<ExternalCredentialSearchViewModel> {
+        object : ViewModelProvider.Factory {
+            override fun <T : ViewModel> create(modelClass: Class<T>): T {
+                @Suppress("UNCHECKED_CAST")
+                return viewModelFactory.create(
+                    scannedCredential = args.scannedCredential,
+                    externalCredentialParams = mainViewModel.params,
+                ) as T
+            }
+        }
+    }
+
+    @Inject
+    lateinit var viewModelFactory: ExternalCredentialSearchViewModel.Factory
+
+    @Inject
+    lateinit var zoomOntoCredentialUseCase: ZoomOntoCredentialUseCase
+    private var isEditingCredential: Boolean = false
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+        initObservers()
+    }
+
+    override fun onPause() {
+        hideKeyboard()
+        super.onPause()
+    }
+
+    private fun initObservers() {
+        viewModel.stateLiveData.observe(viewLifecycleOwner) { state ->
+            renderCredentialCard(state)
+            renderSearchProgress(state.searchState, state.scannedCredential.credentialType, state.flowType)
+            renderButtons(state)
+        }
+        viewModel.finishEvent.observe(
+            viewLifecycleOwner,
+            LiveDataEventWithContentObserver { result ->
+                mainViewModel.finish(result)
+            },
+        )
+    }
+
+    private fun renderCredentialCard(state: SearchCredentialState) = with(binding) {
+        val credential = state.displayedCredential?.value.orEmpty()
+        val credentialType = state.scannedCredential.credentialType
+        val credentialField = resources.getCredentialFieldTitle(credentialType)
+        val currentEditTextValue = credentialEditText.text.toString()
+        renderImage(state.scannedCredential)
+        credential.takeIf { currentEditTextValue.isEmpty() }?.let {
+            credentialEditText.setText(it) // Setting only once at the start
+        }
+        documentTypeTitle.text = credentialField
+        credentialEditText.inputType = viewModel.getKeyBoardInputType()
+        credentialEditText.hint = credentialField
+        credentialValue.text = currentEditTextValue
+        confirmCredentialCheckbox.isVisible = state.searchState != SearchState.Searching
+        confirmCredentialCheckbox.text = getString(IDR.string.mfid_confirmation_checkbox_text, credentialField)
+        confirmCredentialCheckbox.isChecked = state.isConfirmed
+
+        iconEditCredential.setOnClickListener {
+            viewModel.updateConfirmation(isConfirmed = false)
+            toggleCredentialEdit()
+            if (!isEditingCredential) {
+                viewModel.confirmCredentialUpdate(credentialEditText.text.toString().asTokenizableRaw())
+            }
+        }
+        confirmCredentialCheckbox.setOnCheckedChangeListener { _, checkedId ->
+            viewModel.updateConfirmation(isConfirmed = checkedId)
+        }
+    }
+
+    private fun renderSearchProgress(
+        searchState: SearchState,
+        credentialType: ExternalCredentialType,
+        flowType: FlowType,
+    ) = with(binding) {
+        when (searchState) {
+            SearchState.Searching -> {
+                searchProgressCard.isVisible = true
+                searchResultCard.isVisible = false
+            }
+
+            is SearchState.CredentialLinked -> {
+                searchProgressCard.isVisible = false
+                searchResultCard.isVisible = true
+
+                when (flowType) {
+                    FlowType.ENROL -> renderEnrolCredentialLinked(credentialType)
+                    else -> { // Identification flow
+                        if (searchState.hasSuccessfulVerifications) {
+                            renderIdentifyCredentialVerificationConfirmed()
+                        } else {
+                            renderIdentifyCredentialVerificationFailed(credentialType)
+                        }
+                    }
+                }
+            }
+
+            SearchState.CredentialNotFound -> {
+                searchProgressCard.isVisible = false
+                when (flowType) {
+                    FlowType.ENROL -> renderEnrolCredentialNotFound()
+                    else -> renderIdentifyCredentialNotFound(credentialType)
+                }
+            }
+        }
+    }
+
+    private fun renderEnrolCredentialLinked(credentialType: ExternalCredentialType) = with(binding) {
+        iconSearchResult.setImageResource(R.drawable.ic_warning)
+        iconSearchResult.isVisible = true
+        val credentialField = resources.getCredentialTypeString(credentialType)
+        val searchResultText = getString(IDR.string.mfid_search_found_enrol, credentialField)
+        textSearchResult.text = searchResultText
+        textSearchResult.setTextColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_red))
+    }
+
+    private fun renderIdentifyCredentialVerificationConfirmed() = with(binding) {
+        iconSearchResult.setImageResource(IDR.drawable.ic_checked_green_large)
+        iconSearchResult.isVisible = true
+        textSearchResult.setText(IDR.string.mfid_search_found_identification)
+        textSearchResult.setTextColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_black))
+    }
+
+    private fun renderIdentifyCredentialVerificationFailed(credentialType: ExternalCredentialType) = with(binding) {
+        iconSearchResult.setImageResource(R.drawable.ic_warning)
+        iconSearchResult.isVisible = true
+        val credential = resources.getCredentialTypeString(credentialType)
+        textSearchResult.text = getString(IDR.string.mfid_search_found_identification_low_match_score, credential)
+        textSearchResult.setTextColor(ContextCompat.getColor(requireContext(), IDR.color.simprints_red))
+    }
+
+    private fun renderEnrolCredentialNotFound() = with(binding) {
+        searchResultCard.isVisible = false
+    }
+
+    private fun renderIdentifyCredentialNotFound(credentialType: ExternalCredentialType) = with(binding) {
+        searchResultCard.isVisible = true
+        iconSearchResult.isVisible = false
+        val credential = resources.getCredentialTypeString(credentialType)
+        val credentialField = resources.getCredentialFieldTitle(credentialType)
+        val searchResultText = getString(IDR.string.mfid_search_not_found_identification, credentialField, credential)
+        textSearchResult.text = searchResultText
+        val textColor = IDR.color.simprints_black
+        textSearchResult.setTextColor(ContextCompat.getColor(requireContext(), textColor))
+    }
+
+    private fun renderButtons(state: SearchCredentialState) = with(binding) {
+        val isSearching = state.searchState != SearchState.Searching
+        buttonRecapture.isVisible = isSearching
+        buttonConfirm.isVisible = isSearching
+        buttonConfirm.isEnabled = state.isConfirmed
+        viewModel.getButtonTextResource(state.searchState, state.flowType)?.run(buttonConfirm::setText)
+        buttonConfirm.setOnClickListener {
+            viewModel.finish(state)
+        }
+        buttonRecapture.setOnClickListener {
+            viewModel.trackRecapture()
+            findNavController().navigateSafely(
+                this@ExternalCredentialSearchFragment,
+                ExternalCredentialSearchFragmentDirections.actionExternalCredentialSearchToExternalCredentialSelectFragment(),
+            )
+        }
+    }
+
+    private fun renderImage(credential: ScannedCredential) {
+        val documentImagePath: String? = credential.documentImagePath
+        binding.documentPreview.isVisible = documentImagePath != null
+        if (documentImagePath == null) return
+
+        try {
+            val imagePath: String = credential.zoomedCredentialImagePath ?: documentImagePath
+            val displayedImage = BitmapFactory.decodeFile(imagePath)
+            binding.documentPreview.setImageBitmap(displayedImage)
+        } catch (e: Exception) {
+            Simber.e("Unable to get [$documentImagePath] OCR image", e, tag = MULTI_FACTOR_ID)
+        }
+    }
+
+    private fun toggleCredentialEdit() = with(binding) {
+        isEditingCredential = !isEditingCredential
+        val iconRes = if (isEditingCredential) {
+            R.drawable.ic_done
+        } else {
+            R.drawable.ic_edit
+        }
+        iconEditCredential.setImageResource(iconRes)
+        credentialValue.isVisible = !isEditingCredential
+        credentialEditText.isVisible = isEditingCredential
+        if (isEditingCredential) {
+            credentialEditText.setSelection(credentialEditText.text.length)
+            val inputManager =
+                requireContext().getSystemService(Context.INPUT_METHOD_SERVICE) as InputMethodManager
+            inputManager.showSoftInput(credentialEditText, InputMethodManager.SHOW_IMPLICIT)
+        }
+        if (!isEditingCredential) {
+            hideKeyboard()
+        }
+    }
+
+    private fun hideKeyboard() {
+        requireActivity().hideKeyboard()
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModel.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModel.kt
new file mode 100644
index 0000000000..d13785ac91
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModel.kt
@@ -0,0 +1,198 @@
+package com.simprints.feature.externalcredential.screens.search
+
+import android.text.InputType
+import androidx.lifecycle.LiveData
+import androidx.lifecycle.MutableLiveData
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.livedata.LiveDataEventWithContent
+import com.simprints.core.livedata.send
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.SearchCredentialState
+import com.simprints.feature.externalcredential.screens.search.model.SearchState
+import com.simprints.feature.externalcredential.screens.search.usecase.MatchCandidatesUseCase
+import com.simprints.feature.externalcredential.usecase.ExternalCredentialEventTrackerUseCase
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationResult
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
+import kotlinx.coroutines.launch
+import com.simprints.infra.resources.R as IDR
+
+internal class ExternalCredentialSearchViewModel @AssistedInject constructor(
+    @Assisted val scannedCredential: ScannedCredential,
+    @Assisted val externalCredentialParams: ExternalCredentialParams,
+    private val timeHelper: TimeHelper,
+    private val authStore: AuthStore,
+    private val configManager: ConfigManager,
+    private val matchCandidatesUseCase: MatchCandidatesUseCase,
+    private val tokenizationProcessor: TokenizationProcessor,
+    private val enrolmentRecordRepository: EnrolmentRecordRepository,
+    private val eventsTracker: ExternalCredentialEventTrackerUseCase,
+) : ViewModel() {
+    @AssistedFactory
+    interface Factory {
+        fun create(
+            scannedCredential: ScannedCredential,
+            externalCredentialParams: ExternalCredentialParams,
+        ): ExternalCredentialSearchViewModel
+    }
+
+    val finishEvent: LiveData<LiveDataEventWithContent<ExternalCredentialSearchResult>>
+        get() = _finishEvent
+    private val _finishEvent = MutableLiveData<LiveDataEventWithContent<ExternalCredentialSearchResult>>()
+    private var state: SearchCredentialState =
+        SearchCredentialState.buildInitial(scannedCredential, externalCredentialParams.flowType)
+        set(value) {
+            field = value
+            _stateLiveData.postValue(value)
+        }
+    private val _stateLiveData = MutableLiveData(state)
+    val stateLiveData: LiveData<SearchCredentialState> = _stateLiveData
+
+    private val confirmationStartTime = timeHelper.now()
+
+    private fun updateState(state: (SearchCredentialState) -> SearchCredentialState) {
+        this.state = state(this.state)
+    }
+
+    init {
+        viewModelScope.launch {
+            decryptCredentialToDisplay(scannedCredential.credential)
+            searchSubjectsLinkedToCredential(scannedCredential.credential)
+        }
+    }
+
+    fun updateConfirmation(isConfirmed: Boolean) {
+        updateState { it.copy(isConfirmed = isConfirmed) }
+    }
+
+    fun confirmCredentialUpdate(updatedCredential: TokenizableString.Raw) {
+        viewModelScope.launch {
+            val project = configManager.getProject(authStore.signedInProjectId)
+            val encryptedCredential = tokenizationProcessor.encrypt(
+                decrypted = updatedCredential,
+                tokenKeyType = TokenKeyType.ExternalCredential,
+                project = project,
+            ) as TokenizableString.Tokenized
+            updateState { currentState ->
+                currentState.copy(
+                    isConfirmed = false,
+                    scannedCredential = currentState.scannedCredential.copy(
+                        credential = encryptedCredential,
+                    ),
+                    displayedCredential = updatedCredential,
+                )
+            }
+            searchSubjectsLinkedToCredential(encryptedCredential)
+        }
+    }
+
+    fun getButtonTextResource(
+        searchState: SearchState,
+        flowType: FlowType,
+    ): Int? = when (searchState) {
+        SearchState.Searching -> null // button is not displayed during search
+        is SearchState.CredentialLinked -> when (flowType) {
+            FlowType.ENROL -> IDR.string.mfid_action_enrol_anyway
+            else -> {
+                if (searchState.hasSuccessfulVerifications) {
+                    IDR.string.mfid_action_go_to_record
+                } else {
+                    IDR.string.mfid_action_continue
+                }
+            }
+        }
+
+        SearchState.CredentialNotFound -> when (flowType) {
+            FlowType.ENROL -> IDR.string.mfid_action_enrol
+            else -> IDR.string.mfid_continue
+        }
+    }
+
+    private suspend fun decryptCredentialToDisplay(credential: TokenizableString.Tokenized) {
+        val project = configManager.getProject(authStore.signedInProjectId)
+        val decrypted = tokenizationProcessor.decrypt(
+            encrypted = credential,
+            tokenKeyType = TokenKeyType.ExternalCredential,
+            project = project,
+        ) as TokenizableString.Raw
+        updateState { it.copy(displayedCredential = decrypted) }
+    }
+
+    private suspend fun searchSubjectsLinkedToCredential(credential: TokenizableString.Tokenized) {
+        updateState { it.copy(searchState = SearchState.Searching) }
+        val project = configManager.getProject(authStore.signedInProjectId)
+        val candidates = enrolmentRecordRepository.load(SubjectQuery(projectId = project.id, externalCredential = credential))
+
+        val startTime = timeHelper.now()
+        when {
+            candidates.isEmpty() -> {
+                eventsTracker.saveSearchEvent(startTime, scannedCredential.credentialScanId, emptyList())
+                updateState { it.copy(searchState = SearchState.CredentialNotFound) }
+            }
+
+            else -> {
+                val projectConfig = configManager.getProjectConfiguration()
+                val matches = matchCandidatesUseCase(candidates, credential, externalCredentialParams, project, projectConfig)
+                eventsTracker.saveSearchEvent(startTime, scannedCredential.credentialScanId, candidates)
+
+                updateState { state -> state.copy(searchState = SearchState.CredentialLinked(matchResults = matches)) }
+            }
+        }
+    }
+
+    /**
+     * Function for QOL improvement. Sets the keyboard to specific [InputType] based on the credential type. QR code and Ghana ID card are
+     * alpha-numeric, while the NHIS card memberships contain only digits.
+     */
+    fun getKeyBoardInputType() = when (scannedCredential.credentialType) {
+        ExternalCredentialType.NHISCard -> InputType.TYPE_CLASS_NUMBER // NHIS card membership contains only numbers
+        ExternalCredentialType.GhanaIdCard -> InputType.TYPE_CLASS_TEXT
+        ExternalCredentialType.QRCode -> InputType.TYPE_CLASS_TEXT
+    }
+
+    fun trackRecapture() {
+        viewModelScope.launch {
+            eventsTracker.saveConfirmation(
+                confirmationStartTime,
+                ExternalCredentialConfirmationResult.RECAPTURE,
+            )
+        }
+    }
+
+    fun finish(state: SearchCredentialState) {
+        viewModelScope.launch {
+            eventsTracker.saveConfirmation(
+                confirmationStartTime,
+                ExternalCredentialConfirmationResult.CONTINUE,
+            )
+            val matches = when (val searchState = state.searchState) {
+                SearchState.Searching,
+                SearchState.CredentialNotFound,
+                -> emptyList()
+
+                is SearchState.CredentialLinked -> searchState.matchResults
+            }
+            _finishEvent.send(
+                ExternalCredentialSearchResult(
+                    flowType = externalCredentialParams.flowType,
+                    scannedCredential = state.scannedCredential,
+                    matchResults = matches,
+                ),
+            )
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredential.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredential.kt
new file mode 100644
index 0000000000..134340f857
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredential.kt
@@ -0,0 +1,30 @@
+package com.simprints.feature.externalcredential.screens.search.model
+
+import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.core.tools.utils.randomUUID
+import com.simprints.feature.externalcredential.model.BoundingBox
+import java.io.Serializable
+
+@Keep
+data class ScannedCredential(
+    val credentialScanId: String = randomUUID(),
+    val credential: TokenizableString.Tokenized,
+    val credentialType: ExternalCredentialType,
+    val documentImagePath: String?,
+    val zoomedCredentialImagePath: String?,
+    val credentialBoundingBox: BoundingBox?,
+    val scanStartTime: Timestamp,
+    val scanEndTime: Timestamp,
+    val scannedValue: TokenizableString.Raw,
+) : Serializable
+
+fun ScannedCredential.toExternalCredential(subjectId: String) = ExternalCredential(
+    id = credentialScanId,
+    value = credential,
+    subjectId = subjectId,
+    type = credentialType,
+)
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/SearchCredentialState.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/SearchCredentialState.kt
new file mode 100644
index 0000000000..4493365467
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/model/SearchCredentialState.kt
@@ -0,0 +1,45 @@
+package com.simprints.feature.externalcredential.screens.search.model
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.model.CredentialMatch
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+internal data class SearchCredentialState(
+    val scannedCredential: ScannedCredential,
+    val displayedCredential: TokenizableString.Raw?,
+    val flowType: FlowType,
+    val searchState: SearchState,
+    val isConfirmed: Boolean,
+) {
+    companion object {
+        fun buildInitial(
+            scannedCredential: ScannedCredential,
+            flowType: FlowType,
+        ) = SearchCredentialState(
+            scannedCredential = scannedCredential,
+            displayedCredential = null,
+            flowType = flowType,
+            searchState = SearchState.Searching,
+            isConfirmed = false,
+        )
+    }
+}
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("State data class")
+internal sealed class SearchState {
+    data object Searching : SearchState()
+
+    data class CredentialLinked(
+        val matchResults: List<CredentialMatch>,
+    ) : SearchState() {
+        val goodMatches = matchResults.filter(CredentialMatch::isVerificationSuccessful)
+        val hasSuccessfulVerifications: Boolean = goodMatches.isNotEmpty()
+    }
+
+    data object CredentialNotFound : SearchState()
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCase.kt
new file mode 100644
index 0000000000..241cbe01a8
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCase.kt
@@ -0,0 +1,43 @@
+package com.simprints.feature.externalcredential.screens.search.usecase
+
+import com.simprints.core.domain.common.FlowType
+import com.simprints.infra.config.store.models.AgeGroup
+import com.simprints.infra.config.store.models.GeneralConfiguration.Modality
+import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.config.store.models.determineFaceSDKs
+import com.simprints.infra.config.store.models.determineFingerprintSDKs
+import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.matching.MatchParams
+import javax.inject.Inject
+
+internal class CreateMatchParamsUseCase @Inject constructor() {
+    operator fun invoke(
+        candidateSubjectId: String,
+        flowType: FlowType,
+        probeReferenceId: String?,
+        projectConfiguration: ProjectConfiguration,
+        faceSamples: List<MatchParams.FaceSample>,
+        fingerprintSamples: List<MatchParams.FingerprintSample>,
+        ageGroup: AgeGroup?,
+    ): List<MatchParams> = projectConfiguration.general.matchingModalities
+        .map { modality ->
+            val template = MatchParams(
+                probeReferenceId = probeReferenceId.orEmpty(),
+                flowType = flowType,
+                queryForCandidates = SubjectQuery(subjectId = candidateSubjectId),
+                biometricDataSource = BiometricDataSource.Simprints, // [MS-1167] No CoSync in initial MF-ID implementation
+            )
+            when (modality) {
+                Modality.FACE ->
+                    projectConfiguration
+                        .determineFaceSDKs(ageGroup)
+                        .map { template.copy(faceSDK = it, probeFaceSamples = faceSamples) }
+
+                Modality.FINGERPRINT ->
+                    projectConfiguration
+                        .determineFingerprintSDKs(ageGroup)
+                        .map { template.copy(fingerprintSDK = it, probeFingerprintSamples = fingerprintSamples) }
+            }
+        }.flatten()
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCase.kt
new file mode 100644
index 0000000000..b63d6e6d79
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCase.kt
@@ -0,0 +1,77 @@
+package com.simprints.feature.externalcredential.screens.search.usecase
+
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.model.CredentialMatch
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.enrolment.records.repository.domain.models.Subject
+import com.simprints.infra.matching.usecase.FaceMatcherUseCase
+import com.simprints.infra.matching.usecase.FingerprintMatcherUseCase
+import com.simprints.infra.matching.usecase.MatcherUseCase.MatcherState
+import kotlinx.coroutines.flow.last
+import javax.inject.Inject
+
+internal class MatchCandidatesUseCase @Inject constructor(
+    private val createMatchParamsUseCase: CreateMatchParamsUseCase,
+    private val faceMatcher: FaceMatcherUseCase,
+    private val fingerprintMatcher: FingerprintMatcherUseCase,
+) {
+    suspend operator fun invoke(
+        candidates: List<Subject>,
+        credential: TokenizableString.Tokenized,
+        externalCredentialParams: ExternalCredentialParams,
+        project: Project,
+        projectConfig: ProjectConfiguration,
+    ): List<CredentialMatch> = candidates.flatMap { candidate ->
+        val matchParams = createMatchParamsUseCase(
+            candidateSubjectId = candidate.subjectId,
+            flowType = externalCredentialParams.flowType,
+            probeReferenceId = externalCredentialParams.probeReferenceId,
+            projectConfiguration = projectConfig,
+            faceSamples = externalCredentialParams.faceSamples,
+            fingerprintSamples = externalCredentialParams.fingerprintSamples,
+            ageGroup = externalCredentialParams.ageGroup,
+        )
+        matchParams
+            .mapNotNull { matchParams ->
+                when {
+                    matchParams.probeFaceSamples.isNotEmpty() -> {
+                        val faceSdk = matchParams.faceSDK ?: return@mapNotNull null
+                        projectConfig.face?.getSdkConfiguration(faceSdk)?.verificationMatchThreshold?.let { matchThreshold ->
+                            (faceMatcher(matchParams, project).last() as? MatcherState.Success)
+                                ?.matchResultItems
+                                .orEmpty()
+                                .map { result ->
+                                    CredentialMatch(
+                                        credential = credential,
+                                        matchResult = result,
+                                        verificationThreshold = matchThreshold,
+                                        faceBioSdk = faceSdk,
+                                        fingerprintBioSdk = null,
+                                    )
+                                }
+                        }
+                    }
+
+                    else -> {
+                        val fingerprintSdk = matchParams.fingerprintSDK ?: return@mapNotNull null
+                        projectConfig.fingerprint?.getSdkConfiguration(fingerprintSdk)?.verificationMatchThreshold?.let { matchThreshold ->
+                            (fingerprintMatcher(matchParams, project).last() as? MatcherState.Success)
+                                ?.matchResultItems
+                                .orEmpty()
+                                .map { result ->
+                                    CredentialMatch(
+                                        credential = credential,
+                                        matchResult = result,
+                                        verificationThreshold = matchThreshold,
+                                        faceBioSdk = null,
+                                        fingerprintBioSdk = fingerprintSdk,
+                                    )
+                                }
+                        }
+                    }
+                }
+            }.flatten()
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/ExternalCredentialSelectFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/ExternalCredentialSelectFragment.kt
new file mode 100644
index 0000000000..630034402c
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/ExternalCredentialSelectFragment.kt
@@ -0,0 +1,165 @@
+package com.simprints.feature.externalcredential.screens.select
+
+import android.app.Dialog
+import android.os.Bundle
+import android.view.View
+import android.widget.Button
+import android.widget.TextView
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.fragment.app.viewModels
+import androidx.navigation.fragment.findNavController
+import androidx.recyclerview.widget.LinearLayoutManager
+import com.google.android.material.bottomsheet.BottomSheetBehavior
+import com.google.android.material.bottomsheet.BottomSheetDialog
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.FragmentExternalCredentialSelectBinding
+import com.simprints.feature.externalcredential.ext.getCredentialTypeRes
+import com.simprints.feature.externalcredential.ext.getQuantityCredentialString
+import com.simprints.feature.externalcredential.screens.controller.ExternalCredentialViewModel
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.feature.externalcredential.screens.scanocr.model.asOcrDocumentType
+import com.simprints.feature.externalcredential.screens.select.view.ExternalCredentialTypeAdapter
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.navigation.navigateSafely
+import com.simprints.infra.uibase.view.applySystemBarInsets
+import com.simprints.infra.uibase.viewbinding.viewBinding
+import dagger.hilt.android.AndroidEntryPoint
+import com.simprints.infra.resources.R as IDR
+
+@AndroidEntryPoint
+internal class ExternalCredentialSelectFragment : Fragment(R.layout.fragment_external_credential_select) {
+    private val mainViewModel: ExternalCredentialViewModel by activityViewModels()
+    private val binding by viewBinding(FragmentExternalCredentialSelectBinding::bind)
+
+    private var dialog: Dialog? = null
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+        applySystemBarInsets(view)
+        Simber.i("ExternalCredentialSelectFragment started", tag = ORCHESTRATION)
+
+        observeChanges()
+    }
+
+    override fun onDestroy() {
+        dismissDialog()
+        super.onDestroy()
+    }
+
+    private fun dismissDialog() {
+        dialog?.dismiss()
+        dialog = null
+    }
+
+    private fun initListeners(types: List<ExternalCredentialType>) {
+        binding.skipScanning.setOnClickListener {
+            displaySkipScanningConfirmationDialog(
+                credentialTypes = types,
+                onConfirm = {
+                    dismissDialog()
+                    findNavController().navigateSafely(
+                        this,
+                        ExternalCredentialSelectFragmentDirections.actionExternalCredentialSelectFragmentToExternalCredentialSkip(),
+                    )
+                },
+                onCancel = ::dismissDialog,
+            )
+        }
+    }
+
+    private fun initViews(types: List<ExternalCredentialType>) {
+        binding.title.text = resources.getQuantityCredentialString(
+            id = IDR.string.mfid_scan_action,
+            specificCredentialRes = resources.getCredentialTypeRes(types.firstOrNull()),
+            multipleCredentialsRes = IDR.string.mfid_type_any_document,
+            credentialTypes = types,
+        )
+    }
+
+    private fun observeChanges() {
+        mainViewModel.externalCredentialTypes.observe(viewLifecycleOwner) { externalCredentialTypes ->
+            updateSelectedCredentialType(null)
+            fillRecyclerView(externalCredentialTypes)
+            initViews(externalCredentialTypes)
+            initListeners(externalCredentialTypes)
+            mainViewModel.selectionStarted()
+        }
+    }
+
+    private fun fillRecyclerView(types: List<ExternalCredentialType>) {
+        with(binding.documentsRecyclerView) {
+            layoutManager = LinearLayoutManager(requireContext())
+            adapter = ExternalCredentialTypeAdapter(types) { selectedType ->
+                updateSelectedCredentialType(selectedType)
+                navigateToScanner(selectedType)
+            }
+        }
+    }
+
+    private fun updateSelectedCredentialType(type: ExternalCredentialType?) {
+        mainViewModel.setSelectedExternalCredentialType(type)
+    }
+
+    private fun navigateToScanner(type: ExternalCredentialType) {
+        when (type) {
+            ExternalCredentialType.NHISCard,
+            ExternalCredentialType.GhanaIdCard,
+            -> startOcr(type.asOcrDocumentType())
+
+            ExternalCredentialType.QRCode -> startQrScan()
+        }
+    }
+
+    private fun startQrScan() {
+        findNavController().navigateSafely(
+            this,
+            ExternalCredentialSelectFragmentDirections.actionExternalCredentialSelectFragmentToExternalCredentialScanQr(),
+        )
+    }
+
+    private fun displaySkipScanningConfirmationDialog(
+        credentialTypes: List<ExternalCredentialType>,
+        onConfirm: () -> Unit,
+        onCancel: () -> Unit,
+    ) {
+        dismissDialog()
+        dialog = BottomSheetDialog(requireContext()).also {
+            val view = layoutInflater
+                .inflate(R.layout.dialog_skip_scan_confirm, null)
+                .also { view ->
+                    val bodyText = view.findViewById<TextView>(R.id.skipDialogBodyText)
+                    val cancelButton = view.findViewById<Button>(R.id.buttonCancel)
+                    val confirmButton = view.findViewById<Button>(R.id.buttonSkip)
+
+                    bodyText.text = resources.getQuantityCredentialString(
+                        id = IDR.string.mfid_skip_scan_dialog_body,
+                        credentialTypes = credentialTypes,
+                        specificCredentialRes = resources.getCredentialTypeRes(credentialTypes.firstOrNull()),
+                        multipleCredentialsRes = IDR.string.mfid_type_any_document,
+                    )
+
+                    confirmButton.setOnClickListener { onConfirm() }
+                    cancelButton.setOnClickListener { onCancel() }
+                }
+            it.setContentView(view)
+            it.setCancelable(true)
+            it.behavior.state = BottomSheetBehavior.STATE_EXPANDED
+            it.behavior.isDraggable = false
+        }
+
+        dialog?.show()
+    }
+
+    private fun startOcr(ocrDocumentType: OcrDocumentType) {
+        findNavController().navigateSafely(
+            this,
+            ExternalCredentialSelectFragmentDirections.actionExternalCredentialSelectFragmentToExternalCredentialScanOcr(ocrDocumentType),
+        )
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/view/ExternalCredentialTypeAdapter.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/view/ExternalCredentialTypeAdapter.kt
new file mode 100644
index 0000000000..6898a68470
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/select/view/ExternalCredentialTypeAdapter.kt
@@ -0,0 +1,50 @@
+package com.simprints.feature.externalcredential.screens.select.view
+
+import android.view.LayoutInflater
+import android.view.ViewGroup
+import androidx.recyclerview.widget.RecyclerView
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.ItemDocumentBinding
+import com.simprints.infra.resources.R as IDR
+
+@ExcludedFromGeneratedTestCoverageReports("UI classes are not unit tested")
+internal class ExternalCredentialTypeAdapter(
+    private val items: List<ExternalCredentialType>,
+    private val onClick: (ExternalCredentialType) -> Unit = {},
+) : RecyclerView.Adapter<ExternalCredentialTypeAdapter.ViewHolder>() {
+    override fun onCreateViewHolder(
+        parent: ViewGroup,
+        viewType: Int,
+    ): ViewHolder = ViewHolder(ItemDocumentBinding.inflate(LayoutInflater.from(parent.context), parent, false))
+
+    override fun onBindViewHolder(
+        holder: ViewHolder,
+        position: Int,
+    ) = holder.bind(items[position])
+
+    override fun getItemCount(): Int = items.size
+
+    inner class ViewHolder(
+        private val binding: ItemDocumentBinding,
+    ) : RecyclerView.ViewHolder(binding.root) {
+        fun bind(credentialType: ExternalCredentialType) {
+            val c = binding.root.context
+            val credentialTypeText = when (credentialType) {
+                ExternalCredentialType.NHISCard -> IDR.string.mfid_type_nhis_card
+                ExternalCredentialType.GhanaIdCard -> IDR.string.mfid_type_ghana_id_card
+                ExternalCredentialType.QRCode -> IDR.string.mfid_type_qr_code
+            }.run(c::getString)
+            val text = c.resources.getString(IDR.string.mfid_scan_action, credentialTypeText)
+            val image = when (credentialType) {
+                ExternalCredentialType.NHISCard -> R.drawable.ghana_nhis_card
+                ExternalCredentialType.GhanaIdCard -> R.drawable.ghana_id_card
+                ExternalCredentialType.QRCode -> R.drawable.qr_code
+            }
+            binding.documentText.text = text
+            binding.documentImage.setImageResource(image)
+            binding.root.setOnClickListener { onClick(credentialType) }
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/skip/ExternalCredentialSkipFragment.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/skip/ExternalCredentialSkipFragment.kt
new file mode 100644
index 0000000000..e0e7675cc3
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/screens/skip/ExternalCredentialSkipFragment.kt
@@ -0,0 +1,106 @@
+package com.simprints.feature.externalcredential.screens.skip
+
+import android.os.Bundle
+import android.view.View
+import androidx.core.view.isVisible
+import androidx.core.widget.addTextChangedListener
+import androidx.fragment.app.Fragment
+import androidx.fragment.app.activityViewModels
+import androidx.navigation.fragment.findNavController
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.FragmentExternalCredentialSkipBinding
+import com.simprints.feature.externalcredential.ext.getCredentialTypeString
+import com.simprints.feature.externalcredential.screens.controller.ExternalCredentialViewModel
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import com.simprints.infra.uibase.viewbinding.viewBinding
+import dagger.hilt.android.AndroidEntryPoint
+import com.simprints.infra.resources.R as IDR
+
+@AndroidEntryPoint
+class ExternalCredentialSkipFragment : Fragment(R.layout.fragment_external_credential_skip) {
+    private val binding by viewBinding(FragmentExternalCredentialSkipBinding::bind)
+    private val mainViewModel: ExternalCredentialViewModel by activityViewModels()
+
+    override fun onViewCreated(
+        view: View,
+        savedInstanceState: Bundle?,
+    ) {
+        super.onViewCreated(view, savedInstanceState)
+
+        initObservers()
+    }
+
+    private fun initObservers() {
+        mainViewModel.externalCredentialTypes.observe(viewLifecycleOwner) { credentialTypes ->
+            initViews(credentialTypes)
+            initListeners()
+        }
+    }
+
+    private fun initViews(credentialTypes: List<ExternalCredentialType>) = with(binding) {
+        mapOf(
+            title to IDR.string.mfid_skip_title,
+            skipReasonDoesNotHaveDocument to IDR.string.mfid_skip_reason_does_not_have,
+            skipReasonDidNotBring to IDR.string.mfid_skip_reason_did_not_bring,
+            skipReasonIncorrect to IDR.string.mfid_skip_reason_incorrect,
+            skipReasonDoesNotWantToProvide to IDR.string.mfid_skip_reason_does_not_want_to_provide,
+            skipReasonDamaged to IDR.string.mfid_skip_reason_damaged,
+            skipReasonUnableToScan to IDR.string.mfid_skip_reason_unable_to_scan,
+        ).forEach { (textView, stringRes) ->
+            val credentialText = when (credentialTypes.size) {
+                1 -> resources.getCredentialTypeString(credentialTypes.first())
+                else -> getString(IDR.string.mfid_type_any_document)
+            }
+            textView.text = getString(stringRes, credentialText)
+        }
+    }
+
+    private fun initListeners() = with(binding) {
+        skipCredentialScanRadioGroup.setOnCheckedChangeListener { _, checkedId ->
+            mainViewModel.skipOptionSelected(viewIdToOption(checkedId))
+            reasonTextInputLayout.isVisible = checkedId == R.id.skipReasonOther
+
+            val isSkipButtonEnabled = when (checkedId) {
+                R.id.skipReasonOther -> {
+                    reasonTextInput.text.toString().isNotEmpty()
+                }
+
+                else -> true
+            }
+            buttonSkip.isEnabled = isSkipButtonEnabled
+        }
+        reasonTextInput.addTextChangedListener(
+            afterTextChanged = {
+                val text = it.toString()
+                mainViewModel.skipOtherReasonChanged(text)
+                buttonSkip.isEnabled = text.isNotEmpty()
+            },
+        )
+        buttonGoBack.setOnClickListener {
+            findNavController().popBackStack()
+        }
+
+        // [MS-1166] We should log skip reasons in analytics.
+        buttonSkip.setOnClickListener {
+            mainViewModel.finish(
+                ExternalCredentialSearchResult(
+                    flowType = mainViewModel.params.flowType,
+                    scannedCredential = null,
+                    matchResults = emptyList(),
+                ),
+            )
+        }
+    }
+
+    private fun viewIdToOption(checkedId: Int) = when (checkedId) {
+        R.id.skipReasonDoesNotHaveDocument -> ExternalCredentialSelectionEvent.SkipReason.DOES_NOT_HAVE_ID
+        R.id.skipReasonDidNotBring -> ExternalCredentialSelectionEvent.SkipReason.DID_NOT_BRING_ID
+        R.id.skipReasonIncorrect -> ExternalCredentialSelectionEvent.SkipReason.BROUGHT_INCORRECT_ID
+        R.id.skipReasonDoesNotWantToProvide -> ExternalCredentialSelectionEvent.SkipReason.NO_CONSENT
+        R.id.skipReasonDamaged -> ExternalCredentialSelectionEvent.SkipReason.ID_DAMAGED
+        R.id.skipReasonUnableToScan -> ExternalCredentialSelectionEvent.SkipReason.UNABLE_TO_SCAN
+        else -> ExternalCredentialSelectionEvent.SkipReason.OTHER
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCase.kt
new file mode 100644
index 0000000000..5d7f5ac006
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCase.kt
@@ -0,0 +1,31 @@
+package com.simprints.feature.externalcredential.usecase
+
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
+import javax.inject.Inject
+
+class AddExternalCredentialToSubjectUseCase @Inject() constructor(
+    private val enrolmentRecordRepository: EnrolmentRecordRepository,
+    private val configManager: ConfigManager,
+) {
+    suspend operator fun invoke(
+        scannedCredential: ScannedCredential,
+        subjectId: String,
+        projectId: String,
+    ) {
+        val project = configManager.getProject(projectId)
+        val updateActions = listOf(
+            SubjectAction.Update(
+                subjectId = subjectId,
+                externalCredentialsToAdd = listOf(scannedCredential.toExternalCredential(subjectId)),
+                faceSamplesToAdd = emptyList(),
+                fingerprintSamplesToAdd = emptyList(),
+                referenceIdsToRemove = emptyList(),
+            ),
+        )
+        enrolmentRecordRepository.performActions(updateActions, project)
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCase.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCase.kt
new file mode 100644
index 0000000000..65a7e57218
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCase.kt
@@ -0,0 +1,138 @@
+package com.simprints.feature.externalcredential.usecase
+
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.CalculateLevenshteinDistanceUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.domain.models.Subject
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationResult
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSearchEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import com.simprints.infra.events.session.SessionEventRepository
+import com.simprints.infra.logging.Simber
+import javax.inject.Inject
+
+internal class ExternalCredentialEventTrackerUseCase @Inject constructor(
+    private val timeHelper: TimeHelper,
+    private val authStore: AuthStore,
+    private val configManager: ConfigManager,
+    private val tokenizationProcessor: TokenizationProcessor,
+    private val eventRepository: SessionEventRepository,
+    private val calculateDistance: CalculateLevenshteinDistanceUseCase,
+) {
+    suspend fun saveSearchEvent(
+        startTime: Timestamp,
+        externalCredentialId: String,
+        candidates: List<Subject>,
+    ) {
+        eventRepository.addOrUpdateEvent(
+            ExternalCredentialSearchEvent(
+                createdAt = startTime,
+                endedAt = timeHelper.now(),
+                probeExternalCredentialId = externalCredentialId,
+                candidateIds = candidates.map { it.subjectId },
+            ),
+        )
+    }
+
+    suspend fun saveCaptureEvents(
+        startTime: Timestamp,
+        subjectId: String,
+        scannedCredential: ScannedCredential,
+        selectionEventId: String,
+    ) {
+        Simber.d("Saving External Credential Events for $scannedCredential")
+        val credential = scannedCredential.toExternalCredential(subjectId)
+        eventRepository.addOrUpdateEvent(
+            ExternalCredentialCaptureValueEvent(
+                createdAt = timeHelper.now(),
+                payloadId = scannedCredential.credentialScanId,
+                credential = credential,
+            ),
+        )
+
+        eventRepository.addOrUpdateEvent(
+            ExternalCredentialCaptureEvent(
+                startTime = startTime,
+                endTime = timeHelper.now(),
+                payloadId = scannedCredential.credentialScanId,
+                autoCaptureStartTime = scannedCredential.scanStartTime,
+                autoCaptureEndTime = scannedCredential.scanEndTime,
+                ocrErrorCount = calculateOcrErrorCount(scannedCredential),
+                capturedTextLength = getActualCapturedCredentialLength(scannedCredential),
+                credentialTextLength = getExpectedCredentialValueLength(credential),
+                selectionId = selectionEventId,
+            ),
+        )
+    }
+
+    private fun getActualCapturedCredentialLength(scannedCredential: ScannedCredential): Int = scannedCredential.scannedValue.value.length
+
+    private fun getExpectedCredentialValueLength(credential: ExternalCredential): Int = when (credential.type) {
+        ExternalCredentialType.NHISCard -> NHIS_CARD_ID_LENGTH
+        ExternalCredentialType.GhanaIdCard -> GHANA_ID_CARD_ID_LENGTH
+        ExternalCredentialType.QRCode -> QR_CODE_LENGTH
+    }
+
+    private suspend fun calculateOcrErrorCount(scannedCredential: ScannedCredential): Int {
+        val project = configManager.getProject(authStore.signedInProjectId)
+        val actualCredentialRaw = tokenizationProcessor.decrypt(
+            scannedCredential.credential,
+            TokenKeyType.ExternalCredential,
+            project,
+        )
+        return calculateDistance(
+            scannedCredential.scannedValue.value,
+            actualCredentialRaw.value,
+        )
+    }
+
+    suspend fun saveSelectionEvent(
+        startTime: Timestamp,
+        endTime: Timestamp,
+        selectedType: ExternalCredentialType,
+    ): String {
+        val event = ExternalCredentialSelectionEvent(startTime, endTime, selectedType)
+        eventRepository.addOrUpdateEvent(event)
+        return event.id
+    }
+
+    suspend fun saveSkippedEvent(
+        startTime: Timestamp,
+        skipReason: ExternalCredentialSelectionEvent.SkipReason,
+        skipOther: String?,
+    ) {
+        eventRepository.addOrUpdateEvent(
+            ExternalCredentialSelectionEvent(startTime, timeHelper.now(), skipReason, skipOther),
+        )
+    }
+
+    suspend fun saveConfirmation(
+        startTime: Timestamp,
+        result: ExternalCredentialConfirmationResult,
+    ) {
+        eventRepository.addOrUpdateEvent(
+            ExternalCredentialConfirmationEvent(
+                createdAt = startTime,
+                endedAt = timeHelper.now(),
+                result = result,
+            ),
+        )
+    }
+
+    companion object Companion {
+        private const val NHIS_CARD_ID_LENGTH = 8
+        private const val GHANA_ID_CARD_ID_LENGTH = 15
+        private const val QR_CODE_LENGTH = 6
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/DocumentScanMaskView.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/DocumentScanMaskView.kt
new file mode 100644
index 0000000000..540139638d
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/DocumentScanMaskView.kt
@@ -0,0 +1,109 @@
+package com.simprints.feature.externalcredential.view
+
+import android.content.Context
+import android.graphics.Canvas
+import android.graphics.Paint
+import android.graphics.PorterDuff
+import android.graphics.PorterDuffXfermode
+import android.graphics.Rect
+import android.util.AttributeSet
+import android.view.View
+import android.view.ViewGroup
+import androidx.annotation.ColorInt
+import androidx.core.content.ContextCompat
+import com.simprints.feature.externalcredential.R
+import com.simprints.infra.uibase.annotations.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.infra.resources.R as IDR
+
+@ExcludedFromGeneratedTestCoverageReports("UI Code")
+class DocumentScanMaskView @JvmOverloads constructor(
+    context: Context,
+    attrs: AttributeSet? = null,
+    defStyleAttr: Int = 0,
+) : View(context, attrs, defStyleAttr) {
+    private val bgPaint = Paint()
+    private val clearPaint = Paint().apply {
+        xfermode = PorterDuffXfermode(PorterDuff.Mode.CLEAR)
+        isAntiAlias = true
+    }
+
+    private val rect = Rect()
+    private var targetViewId: Int = NO_ID
+    private var cornerRadius: Float? = null
+    private var insetValue: Float? = null
+
+    init {
+        context.theme
+            .obtainStyledAttributes(
+                attrs,
+                R.styleable.DocumentMaskView,
+                0,
+                0,
+            ).apply {
+                try {
+                    targetViewId = getResourceId(R.styleable.DocumentMaskView_targetViewId, NO_ID)
+
+                    val backgroundColor = getColor(
+                        R.styleable.DocumentMaskView_maskColor,
+                        ContextCompat.getColor(context, IDR.color.simprints_black),
+                    )
+                    bgPaint.color = backgroundColor
+
+                    if (hasValue(R.styleable.DocumentMaskView_cornerRadius)) {
+                        cornerRadius = getDimension(R.styleable.DocumentMaskView_cornerRadius, 0f)
+                    }
+
+                    if (hasValue(R.styleable.DocumentMaskView_inset)) {
+                        insetValue = getDimension(R.styleable.DocumentMaskView_inset, 0f)
+                    }
+                } finally {
+                    recycle()
+                }
+            }
+
+        require(targetViewId != NO_ID) { "targetViewId must be specified" }
+    }
+
+    override fun onDraw(canvas: Canvas) {
+        super.onDraw(canvas)
+        (parent as ViewGroup).findViewById<View>(targetViewId)?.let { targetView ->
+            canvas.drawRect(0f, 0f, width.toFloat(), height.toFloat(), bgPaint)
+
+            // Calculating target view position relative to this view
+            rect.setEmpty()
+            targetView.getGlobalVisibleRect(rect)
+            val offset = IntArray(2)
+            getLocationOnScreen(offset)
+            rect.offset(-offset[0], -offset[1])
+
+            // Apply inset if specified. This might be useful for QR scanners to create sense of depth
+            insetValue?.let { inset ->
+                val insetInt = inset.toInt()
+                rect.inset(insetInt, insetInt)
+            }
+
+            // Cutting out central area. Rounded or rectangular, based on cornerRadius
+            val radius = cornerRadius
+            if (radius != null && radius > 0f) {
+                canvas.drawRoundRect(
+                    rect.left.toFloat(),
+                    rect.top.toFloat(),
+                    rect.right.toFloat(),
+                    rect.bottom.toFloat(),
+                    radius,
+                    radius,
+                    clearPaint,
+                )
+            } else {
+                canvas.drawRect(rect, clearPaint)
+            }
+        }
+    }
+
+    fun setMaskColor(
+        @ColorInt color: Int,
+    ) {
+        bgPaint.color = color
+        invalidate()
+    }
+}
diff --git a/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/ScannedCredentialDialog.kt b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/ScannedCredentialDialog.kt
new file mode 100644
index 0000000000..9fd5837eff
--- /dev/null
+++ b/feature/external-credential/src/main/java/com/simprints/feature/externalcredential/view/ScannedCredentialDialog.kt
@@ -0,0 +1,137 @@
+package com.simprints.feature.externalcredential.view
+
+import android.content.Context
+import android.graphics.BitmapFactory
+import android.view.LayoutInflater
+import android.view.View
+import android.view.ViewGroup
+import androidx.core.view.isVisible
+import androidx.recyclerview.widget.LinearLayoutManager
+import androidx.recyclerview.widget.RecyclerView
+import com.google.android.material.bottomsheet.BottomSheetBehavior
+import com.google.android.material.bottomsheet.BottomSheetDialog
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.R
+import com.simprints.feature.externalcredential.databinding.DialogScannedCredentialBinding
+import com.simprints.feature.externalcredential.databinding.ItemScannedImageBinding
+import com.simprints.feature.externalcredential.ext.getCredentialFieldTitle
+import com.simprints.feature.externalcredential.ext.getCredentialTypeString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.resources.R as IDR
+
+@ExcludedFromGeneratedTestCoverageReports("UI class")
+class ScannedCredentialDialog(
+    context: Context,
+    private val credential: ScannedCredential,
+    private val displayedCredential: TokenizableString.Raw,
+    private val onConfirm: () -> Unit,
+    private val onSkip: () -> Unit,
+) : BottomSheetDialog(context) {
+    private val binding: DialogScannedCredentialBinding =
+        DialogScannedCredentialBinding.inflate(LayoutInflater.from(context))
+
+    init {
+        setContentView(binding.root)
+        setCancelable(false)
+        setCanceledOnTouchOutside(false)
+
+        behavior.state = BottomSheetBehavior.STATE_EXPANDED
+        behavior.isDraggable = false
+        behavior.skipCollapsed = true
+
+        initViews()
+        setupRecyclerView()
+    }
+
+    private fun initViews() = with(binding) {
+        val credentialType = credential.credentialType
+        val credential = context.resources.getCredentialTypeString(credentialType)
+        val credentialField = context.resources.getCredentialFieldTitle(credentialType)
+
+        documentField.text = credentialField
+        title.text = context.getString(IDR.string.mfid_add_document_title, credential)
+        credentialValue.text = displayedCredential.value
+        confirmCredentialCheckbox.text =
+            context.getString(IDR.string.mfid_confirmation_checkbox_text, credentialField)
+        confirmCredentialCheckbox.setOnCheckedChangeListener { _, isChecked ->
+            buttonConfirm.isEnabled = isChecked
+        }
+        buttonSkip.setOnClickListener { onSkip() }
+        buttonConfirm.setOnClickListener { onConfirm() }
+    }
+
+    private fun setupRecyclerView() = with(binding) {
+        val imagePaths = buildList {
+            credential.zoomedCredentialImagePath?.let { add(it) }
+            this@ScannedCredentialDialog.credential.documentImagePath?.let { add(it) }
+        }
+
+        if (imagePaths.isEmpty()) {
+            documentsRecyclerView.isVisible = false
+        } else {
+            documentsRecyclerView.layoutManager =
+                LinearLayoutManager(context, LinearLayoutManager.HORIZONTAL, false)
+            documentsRecyclerView.adapter = ImageAdapter(imagePaths)
+            documentsRecyclerView.overScrollMode = View.OVER_SCROLL_NEVER
+            documentsRecyclerView.isVisible = true
+        }
+    }
+
+    @ExcludedFromGeneratedTestCoverageReports("UI class")
+    private inner class ImageAdapter(
+        private val imagePaths: List<String>,
+    ) : RecyclerView.Adapter<ImageAdapter.ImageViewHolder>() {
+        override fun onCreateViewHolder(
+            parent: ViewGroup,
+            viewType: Int,
+        ): ImageViewHolder {
+            val view = LayoutInflater
+                .from(parent.context)
+                .inflate(R.layout.item_scanned_image, parent, false)
+            return ImageViewHolder(view)
+        }
+
+        override fun onBindViewHolder(
+            holder: ImageViewHolder,
+            position: Int,
+        ) {
+            holder.bind(imagePaths[position], position)
+        }
+
+        override fun getItemCount() = imagePaths.size
+
+        @ExcludedFromGeneratedTestCoverageReports("UI class")
+        inner class ImageViewHolder(
+            itemView: View,
+        ) : RecyclerView.ViewHolder(itemView) {
+            private val binding = ItemScannedImageBinding.bind(itemView)
+
+            fun bind(
+                imagePath: String,
+                position: Int,
+            ) = with(binding) {
+                val bitmap = BitmapFactory.decodeFile(imagePath)
+                documentImage.setImageBitmap(bitmap)
+
+                itemView.post {
+                    val recyclerWidth = (itemView.parent as? RecyclerView)?.width ?: 0
+                    if (recyclerWidth > 0) {
+                        val imageWidth = (recyclerWidth * 0.8).toInt()
+                        val imageHeight = (imageWidth * 10 / 16)
+                        val layoutParams = documentImage.layoutParams
+                        layoutParams.width = imageWidth
+                        layoutParams.height = imageHeight
+                        documentImage.layoutParams = layoutParams
+                    }
+                }
+
+                val params = itemView.layoutParams as ViewGroup.MarginLayoutParams
+                if (position == imagePaths.size - 1) {
+                    params.marginEnd = context.resources.getDimensionPixelSize(IDR.dimen.margin_large)
+                }
+                itemView.layoutParams = params
+            }
+        }
+    }
+}
diff --git a/feature/external-credential/src/main/res/drawable/ghana_id_card.webp b/feature/external-credential/src/main/res/drawable/ghana_id_card.webp
new file mode 100644
index 0000000000..8a11e2f71a
Binary files /dev/null and b/feature/external-credential/src/main/res/drawable/ghana_id_card.webp differ
diff --git a/feature/external-credential/src/main/res/drawable/ghana_nhis_card.webp b/feature/external-credential/src/main/res/drawable/ghana_nhis_card.webp
new file mode 100644
index 0000000000..935711129b
Binary files /dev/null and b/feature/external-credential/src/main/res/drawable/ghana_nhis_card.webp differ
diff --git a/feature/external-credential/src/main/res/drawable/glow_background.xml b/feature/external-credential/src/main/res/drawable/glow_background.xml
new file mode 100644
index 0000000000..783e5e04c5
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/glow_background.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<shape xmlns:android="http://schemas.android.com/apk/res/android"
+    android:shape="rectangle">
+    <gradient
+        android:type="radial"
+        android:centerX="50%"
+        android:centerY="50%"
+        android:centerColor="@color/transparent"
+        android:gradientRadius="70%"
+        android:endColor="@color/simprints_white"
+        android:startColor="@android:color/transparent" />
+    <corners android:radius="8dp" />
+</shape>
diff --git a/feature/external-credential/src/main/res/drawable/ic_camera_focus_blue.xml b/feature/external-credential/src/main/res/drawable/ic_camera_focus_blue.xml
new file mode 100644
index 0000000000..d58e25d265
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/ic_camera_focus_blue.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<vector android:height="200dp" android:viewportHeight="120"
+    android:viewportWidth="120" android:width="200dp" xmlns:android="http://schemas.android.com/apk/res/android">
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M0,0l4,0l0,30l-4,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M0,0l40,0l0,4l-40,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M0,0l4,0l0,40l-4,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M80,0l40,0l0,4l-40,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M116,0l4,0l0,40l-4,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M0,80l4,0l0,40l-4,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M0,116l40,0l0,4l-40,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M80,116l40,0l0,4l-40,0z"/>
+    <path android:fillColor="@color/simprints_blue"
+        android:pathData="M116,80l4,0l0,36l-4,0z"/>
+</vector>
diff --git a/feature/external-credential/src/main/res/drawable/ic_done.xml b/feature/external-credential/src/main/res/drawable/ic_done.xml
new file mode 100644
index 0000000000..c7ea9bc53a
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/ic_done.xml
@@ -0,0 +1,9 @@
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="24dp"
+    android:height="24dp"
+    android:viewportWidth="960"
+    android:viewportHeight="960">
+    <path
+        android:fillColor="#00B3D1"
+        android:pathData="M382,720L154,492L211,435L382,606L749,239L806,296L382,720Z" />
+</vector>
diff --git a/feature/external-credential/src/main/res/drawable/ic_edit.xml b/feature/external-credential/src/main/res/drawable/ic_edit.xml
new file mode 100644
index 0000000000..837aabdeed
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/ic_edit.xml
@@ -0,0 +1,10 @@
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="24dp"
+    android:height="24dp"
+    android:viewportWidth="960"
+    android:viewportHeight="960"
+    android:tint="?attr/colorControlNormal">
+    <path
+        android:fillColor="#FF888888"
+        android:pathData="M200,760L257,760L648,369L591,312L200,703L200,760ZM120,840L120,670L648,143Q660,132 674.5,126Q689,120 705,120Q721,120 736,126Q751,132 762,144L817,200Q829,211 834.5,226Q840,241 840,256Q840,272 834.5,286.5Q829,301 817,313L290,840L120,840ZM760,256L760,256L704,200L704,200L760,256ZM619,341L591,312L591,312L648,369L648,369L619,341Z"/>
+</vector>
diff --git a/feature/external-credential/src/main/res/drawable/ic_warning.xml b/feature/external-credential/src/main/res/drawable/ic_warning.xml
new file mode 100644
index 0000000000..22f3a578ad
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/ic_warning.xml
@@ -0,0 +1,10 @@
+<vector xmlns:android="http://schemas.android.com/apk/res/android"
+    android:width="24dp"
+    android:height="24dp"
+    android:viewportWidth="960"
+    android:viewportHeight="960">
+    <path
+        android:fillColor="#CE4141"
+        android:fillType="nonZero"
+        android:pathData="M109,840Q98,840 89,834.5Q80,829 75,820Q70,811 69.5,800.5Q69,790 75,780L445,140Q451,130 460.5,125Q470,120 480,120Q490,120 499.5,125Q509,130 515,140L885,780Q891,790 890.5,800.5Q890,811 885,820Q880,829 871,834.5Q862,840 851,840L109,840ZM178,760L782,760L480,240L178,760ZM480,720Q497,720 508.5,708.5Q520,697 520,680Q520,663 508.5,651.5Q497,640 480,640Q463,640 451.5,651.5Q440,663 440,680Q440,697 451.5,708.5Q463,720 480,720ZM480,600Q497,600 508.5,588.5Q520,577 520,560L520,440Q520,423 508.5,411.5Q497,400 480,400Q463,400 451.5,411.5Q440,423 440,440L440,560Q440,577 451.5,588.5Q463,600 480,600ZM480,500L480,500L480,500Z"/>
+</vector>
diff --git a/feature/external-credential/src/main/res/drawable/qr_code.webp b/feature/external-credential/src/main/res/drawable/qr_code.webp
new file mode 100644
index 0000000000..06c8c08dba
Binary files /dev/null and b/feature/external-credential/src/main/res/drawable/qr_code.webp differ
diff --git a/feature/external-credential/src/main/res/drawable/viewfinder_border.xml b/feature/external-credential/src/main/res/drawable/viewfinder_border.xml
new file mode 100644
index 0000000000..b7822c0547
--- /dev/null
+++ b/feature/external-credential/src/main/res/drawable/viewfinder_border.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<shape xmlns:android="http://schemas.android.com/apk/res/android"
+    android:shape="rectangle">
+    <solid android:color="@android:color/transparent" />
+    <stroke
+        android:width="4dp"
+        android:color="@color/simprints_blue" />
+    <corners android:radius="16dp" />
+</shape>
diff --git a/feature/external-credential/src/main/res/layout-land/fragment_external_credential_search.xml b/feature/external-credential/src/main/res/layout-land/fragment_external_credential_search.xml
new file mode 100644
index 0000000000..f38e24ed75
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout-land/fragment_external_credential_search.xml
@@ -0,0 +1,233 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:paddingBottom="@dimen/margin_default"
+    android:background="@color/simprints_blue">
+
+    <ScrollView
+        android:layout_width="match_parent"
+        android:layout_height="0dp"
+        app:layout_constraintBottom_toTopOf="@+id/buttonRecapture"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent">
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="vertical"
+            android:padding="@dimen/margin_large">
+
+            <com.google.android.material.card.MaterialCardView
+                android:id="@+id/documentPreviewCard"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                app:cardBackgroundColor="@color/simprints_white"
+                app:cardUseCompatPadding="true">
+
+                <androidx.constraintlayout.widget.ConstraintLayout
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content">
+
+                    <androidx.constraintlayout.widget.Guideline
+                        android:id="@+id/centerGuideline"
+                        android:layout_width="0dp"
+                        android:layout_height="match_parent"
+                        android:orientation="vertical"
+                        app:layout_constraintGuide_percent="0.5" />
+
+                    <com.google.android.material.imageview.ShapeableImageView
+                        android:id="@+id/documentPreview"
+                        android:layout_width="0dp"
+                        android:layout_height="0dp"
+                        android:elevation="8dp"
+                        android:importantForAccessibility="no"
+                        android:scaleType="centerCrop"
+                        app:layout_constraintDimensionRatio="16:10"
+                        app:layout_constraintEnd_toStartOf="@+id/centerGuideline"
+                        app:layout_constraintStart_toStartOf="parent"
+                        app:layout_constraintTop_toTopOf="parent"
+                        app:shapeAppearanceOverlay="@style/Shape.Simprints.MediumComponent"
+                        tools:src="@drawable/ghana_nhis_card" />
+
+                    <LinearLayout
+                        android:layout_width="0dp"
+                        android:layout_height="wrap_content"
+                        android:orientation="vertical"
+                        app:layout_constraintEnd_toEndOf="parent"
+                        app:layout_constraintStart_toEndOf="@+id/centerGuideline"
+                        app:layout_constraintTop_toTopOf="parent">
+
+                        <TextView
+                            android:id="@+id/documentTypeTitle"
+                            style="@style/Text.Body2.Secondary"
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            android:paddingHorizontal="@dimen/margin_large"
+                            android:paddingTop="@dimen/padding_default"
+                            tools:text="Membership number:" />
+
+                        <androidx.constraintlayout.widget.ConstraintLayout
+                            android:layout_width="match_parent"
+                            android:layout_height="wrap_content"
+                            android:orientation="horizontal"
+                            android:paddingHorizontal="@dimen/margin_large">
+
+                            <TextView
+                                android:id="@+id/credentialValue"
+                                style="@style/Text.Headline4.Bold"
+                                android:layout_width="0dp"
+                                android:layout_height="wrap_content"
+                                android:layout_marginEnd="@dimen/margin_large"
+                                android:textColor="@color/simprints_text_black"
+                                app:layout_constraintEnd_toStartOf="@+id/iconEditCredential"
+                                app:layout_constraintStart_toStartOf="parent"
+                                app:layout_constraintTop_toTopOf="parent"
+                                tools:text="GHA-123456789-0" />
+
+                            <EditText
+                                android:id="@+id/credentialEditText"
+                                style="@style/Text.Headline4.Bold"
+                                android:layout_width="0dp"
+                                android:layout_height="wrap_content"
+                                android:layout_marginEnd="@dimen/margin_large"
+                                android:backgroundTint="@color/simprints_blue"
+                                android:focusable="true"
+                                android:focusableInTouchMode="true"
+                                android:inputType="textNoSuggestions"
+                                android:visibility="gone"
+                                app:layout_constraintEnd_toStartOf="@+id/iconEditCredential"
+                                app:layout_constraintStart_toStartOf="parent"
+                                app:layout_constraintTop_toTopOf="parent"
+                                tools:hint="Membership number"
+                                tools:ignore="LabelFor"
+                                tools:text="GHA-123456789-0" />
+
+                            <ImageView
+                                android:id="@+id/iconEditCredential"
+                                android:layout_width="24dp"
+                                android:layout_height="24dp"
+                                android:layout_gravity="center"
+                                android:background="?attr/selectableItemBackground"
+                                android:importantForAccessibility="no"
+                                android:src="@drawable/ic_edit"
+                                app:layout_constraintBottom_toBottomOf="parent"
+                                app:layout_constraintEnd_toEndOf="parent"
+                                app:layout_constraintTop_toTopOf="parent"
+                                app:tint="@color/simprints_text_grey" />
+
+                        </androidx.constraintlayout.widget.ConstraintLayout>
+
+                        <CheckBox
+                            android:id="@+id/confirmCredentialCheckbox"
+                            style="@style/Text.Body2.Secondary"
+                            android:layout_width="wrap_content"
+                            android:layout_height="wrap_content"
+                            android:layout_marginHorizontal="10dp"
+                            android:layout_marginBottom="@dimen/margin_large"
+                            android:buttonTint="@color/simprints_blue"
+                            android:checked="false"
+                            android:paddingStart="@dimen/margin_default"
+                            android:visibility="gone"
+                            tools:text="I confirm that the external credential is scanned correctly"
+                            tools:visibility="visible" />
+                    </LinearLayout>
+                </androidx.constraintlayout.widget.ConstraintLayout>
+            </com.google.android.material.card.MaterialCardView>
+
+            <com.google.android.material.card.MaterialCardView
+                android:id="@+id/searchProgressCard"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:visibility="gone"
+                app:cardBackgroundColor="@color/simprints_white"
+                app:cardUseCompatPadding="true"
+                tools:visibility="visible">
+
+                <LinearLayout
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    android:gravity="center_vertical"
+                    android:orientation="horizontal"
+                    android:padding="@dimen/padding_default">
+
+                    <com.google.android.material.progressindicator.CircularProgressIndicator
+                        android:layout_width="wrap_content"
+                        android:layout_height="wrap_content"
+                        android:indeterminate="true"
+                        app:indicatorColor="@color/simprints_blue"
+                        app:indicatorSize="24dp" />
+
+                    <TextView
+                        style="@style/Text.Body1"
+                        android:layout_width="wrap_content"
+                        android:layout_height="wrap_content"
+                        android:layout_marginStart="@dimen/margin_large"
+                        android:text="@string/mfid_searching" />
+                </LinearLayout>
+
+            </com.google.android.material.card.MaterialCardView>
+
+            <com.google.android.material.card.MaterialCardView
+                android:id="@+id/searchResultCard"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                app:cardBackgroundColor="@color/simprints_white"
+                app:cardUseCompatPadding="true"
+                tools:visibility="visible">
+
+                <LinearLayout
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    android:gravity="center_vertical"
+                    android:orientation="horizontal"
+                    android:padding="@dimen/padding_default"
+                    tools:ignore="UseCompoundDrawables">
+
+                    <ImageView
+                        android:id="@+id/iconSearchResult"
+                        android:layout_width="24dp"
+                        android:layout_height="24dp"
+                        android:layout_marginEnd="@dimen/margin_large"
+                        android:importantForAccessibility="no"
+                        tools:src="@drawable/ic_done" />
+
+                    <TextView
+                        android:id="@+id/textSearchResult"
+                        style="@style/Text.Body1"
+                        android:layout_width="wrap_content"
+                        android:layout_height="wrap_content"
+                        android:text="@string/mfid_searching"
+                        tools:text="Record found" />
+                </LinearLayout>
+
+            </com.google.android.material.card.MaterialCardView>
+
+        </LinearLayout>
+    </ScrollView>
+
+    <Button
+        android:id="@+id/buttonRecapture"
+        style="@style/Widget.Simprints.Button.White"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginHorizontal="@dimen/margin_large"
+        android:text="@string/face_capture_recapture_button"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toStartOf="@id/buttonConfirm"
+        app:layout_constraintStart_toStartOf="parent" />
+
+    <Button
+        android:id="@+id/buttonConfirm"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginEnd="@dimen/margin_large"
+        android:enabled="false"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toEndOf="@id/buttonRecapture"
+        tools:text="Go to record" />
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout-land/item_document.xml b/feature/external-credential/src/main/res/layout-land/item_document.xml
new file mode 100644
index 0000000000..586c3b2ecf
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout-land/item_document.xml
@@ -0,0 +1,42 @@
+<com.google.android.material.card.MaterialCardView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:background="@color/simprints_white"
+    android:elevation="@dimen/cardview_default_elevation"
+    app:cardUseCompatPadding="true">
+
+    <androidx.constraintlayout.widget.ConstraintLayout
+        android:padding="@dimen/margin_default"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content">
+
+        <ImageView
+            android:id="@+id/documentImage"
+            android:layout_width="0dp"
+            android:layout_height="0dp"
+            android:elevation="4dp"
+            android:scaleType="centerCrop"
+            android:src="@drawable/ghana_nhis_card"
+            app:layout_constraintBottom_toBottomOf="parent"
+            app:layout_constraintDimensionRatio="H,16:10"
+            app:layout_constraintEnd_toStartOf="@id/documentText"
+            app:layout_constraintStart_toStartOf="parent"
+            app:layout_constraintTop_toTopOf="parent"
+            app:layout_constraintWidth_percent="0.3" />
+
+        <TextView
+            android:id="@+id/documentText"
+            style="@style/Text.Body2"
+            android:layout_width="0dp"
+            android:layout_height="0dp"
+            android:gravity="center"
+            app:layout_constraintBottom_toBottomOf="parent"
+            app:layout_constraintEnd_toEndOf="parent"
+            app:layout_constraintStart_toEndOf="@id/documentImage"
+            app:layout_constraintTop_toTopOf="parent"
+            tools:text="Scan this document" />
+
+    </androidx.constraintlayout.widget.ConstraintLayout>
+</com.google.android.material.card.MaterialCardView>
diff --git a/feature/external-credential/src/main/res/layout/dialog_qr_wrong_value.xml b/feature/external-credential/src/main/res/layout/dialog_qr_wrong_value.xml
new file mode 100644
index 0000000000..f960d726df
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/dialog_qr_wrong_value.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:clipToPadding="false"
+    android:fillViewport="true"
+    android:padding="@dimen/margin_large">
+
+    <LinearLayout
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical">
+
+
+        <LinearLayout
+            android:id="@+id/titleLayout"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="vertical"
+            app:layout_constraintEnd_toEndOf="parent"
+            app:layout_constraintStart_toStartOf="parent"
+            app:layout_constraintTop_toTopOf="parent">
+
+            <TextView
+                style="@style/Text.Headline5"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:text="@string/mfid_dialog_wrong_qr_title" />
+
+            <View
+                android:layout_width="match_parent"
+                android:layout_height="1dp"
+                android:layout_marginVertical="@dimen/margin_large"
+                android:background="@color/simprints_grey_light" />
+
+            <TextView
+                style="@style/Text.Body1"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:text="@string/mfid_dialog_wrong_qr_body_top" />
+
+            <TextView
+                android:id="@+id/qrValue"
+                style="@style/Text.Subtitle1.Bold"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:gravity="center"
+                android:paddingVertical="@dimen/padding_default"
+                tools:text="WRONG-QR-VALUE" />
+
+            <TextView
+                style="@style/Text.Body1"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:text="@string/mfid_dialog_wrong_qr_body_bottom" />
+
+
+        </LinearLayout>
+
+        <Button
+            android:id="@+id/buttonRescan"
+            style="@style/Widget.Simprints.Button.Blue"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginTop="@dimen/margin_large"
+            android:text="@string/mfid_dialog_wrong_qr_rescan" />
+    </LinearLayout>
+</ScrollView>
diff --git a/feature/external-credential/src/main/res/layout/dialog_scanned_credential.xml b/feature/external-credential/src/main/res/layout/dialog_scanned_credential.xml
new file mode 100644
index 0000000000..5a1ec274d8
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/dialog_scanned_credential.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.core.widget.NestedScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    tools:layout_gravity="bottom">
+
+    <LinearLayout
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical">
+
+        <TextView
+            android:id="@+id/title"
+            style="@style/Text.Headline5.Blue.Bold"
+            android:layout_width="match_parent"
+            android:layout_height="match_parent"
+            android:paddingHorizontal="@dimen/margin_large"
+            android:paddingTop="@dimen/padding_default"
+            android:paddingBottom="@dimen/margin_default"
+            tools:text="Add this document?" />
+
+        <View
+            android:id="@+id/bottomDivider"
+            android:layout_width="match_parent"
+            android:layout_height="1dp"
+            android:layout_marginHorizontal="@dimen/margin_large"
+            android:background="@color/simprints_grey_light" />
+
+        <androidx.recyclerview.widget.RecyclerView
+            android:id="@+id/documentsRecyclerView"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            tools:itemCount="4"
+            tools:layoutManager="androidx.recyclerview.widget.LinearLayoutManager"
+            tools:listitem="@layout/item_scanned_image"
+            tools:orientation="horizontal" />
+
+        <TextView
+            android:id="@+id/documentField"
+            style="@style/Text.Body2.Secondary"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:paddingHorizontal="@dimen/margin_large"
+            tools:text="Membership number:" />
+
+        <TextView
+            android:id="@+id/credentialValue"
+            style="@style/Text.Headline4.Bold"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginEnd="@dimen/margin_large"
+            android:paddingHorizontal="@dimen/margin_large"
+            android:textColor="@color/simprints_text_black"
+            tools:text="GHA-123456789-0" />
+
+        <CheckBox
+            android:id="@+id/confirmCredentialCheckbox"
+            style="@style/Text.Body2.Secondary"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:layout_marginHorizontal="10dp"
+            android:layout_marginBottom="@dimen/margin_large"
+            android:buttonTint="@color/simprints_blue"
+            android:checked="false"
+            android:paddingStart="@dimen/margin_default"
+            tools:text="I confirm that the external credential is scanned correctly" />
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="horizontal"
+            android:paddingHorizontal="@dimen/margin_large"
+            android:paddingVertical="@dimen/margin_default">
+
+            <Button
+                android:id="@+id/buttonSkip"
+                style="@style/Widget.Simprints.Button.TextButton.Red"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_weight="1"
+                android:text="@string/mfid_action_skip" />
+
+            <Button
+                android:id="@+id/buttonConfirm"
+                style="@style/Widget.Simprints.Button.Blue"
+                android:enabled="false"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_marginStart="@dimen/margin_large"
+                android:layout_weight="1"
+                android:text="@string/mfid_action_add" />
+        </LinearLayout>
+    </LinearLayout>
+</androidx.core.widget.NestedScrollView>
diff --git a/feature/external-credential/src/main/res/layout/dialog_skip_scan_confirm.xml b/feature/external-credential/src/main/res/layout/dialog_skip_scan_confirm.xml
new file mode 100644
index 0000000000..7a98e07ac1
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/dialog_skip_scan_confirm.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ScrollView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:clipToPadding="false"
+    android:fillViewport="true"
+    android:padding="@dimen/margin_large">
+
+    <LinearLayout
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical">
+
+
+        <LinearLayout
+            android:id="@+id/titleLayout"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="vertical"
+            app:layout_constraintEnd_toEndOf="parent"
+            app:layout_constraintStart_toStartOf="parent"
+            app:layout_constraintTop_toTopOf="parent">
+
+            <TextView
+                style="@style/Text.Headline5"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:text="@string/mfid_skip_scan_dialog_title" />
+
+            <View
+                android:layout_width="match_parent"
+                android:layout_height="1dp"
+                android:layout_marginVertical="@dimen/margin_large"
+                android:background="@color/simprints_grey_light" />
+
+            <TextView
+                android:id="@+id/skipDialogBodyText"
+                style="@style/Text.Body1"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                tools:text="Scanning a document is required by this project. Are you sure you want to skip this step?" />
+
+
+        </LinearLayout>
+
+
+        <Button
+            android:id="@+id/buttonSkip"
+            style="@style/Widget.Simprints.Button.White"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_marginTop="16dp"
+            android:text="@string/mfid_skip_scan_dialog_confirm"
+            android:textColor="@color/simprints_red" />
+
+        <Button
+            android:id="@+id/buttonCancel"
+            style="@style/Widget.Simprints.Button.Blue"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:text="@string/dashboard_select_modules_confirm_no" />
+    </LinearLayout>
+</ScrollView>
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_controller.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_controller.xml
new file mode 100644
index 0000000000..2da94202c5
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_controller.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<androidx.fragment.app.FragmentContainerView xmlns:android="http://schemas.android.com/apk/res/android"
+    android:id="@+id/external_credential_host_fragment"
+    android:name="androidx.navigation.fragment.NavHostFragment"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent" />
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_ocr.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_ocr.xml
new file mode 100644
index 0000000000..57ce405d24
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_ocr.xml
@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent">
+
+    <androidx.camera.view.PreviewView
+        android:id="@+id/preview"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:scaleType="fitCenter"
+        tools:background="@tools:sample/backgrounds/scenic" />
+
+    <com.simprints.feature.externalcredential.view.DocumentScanMaskView
+        android:id="@+id/viewfinderMask"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:alpha="0.5"
+        android:clickable="false"
+        android:focusable="false"
+        app:cornerRadius="16dp"
+        app:maskColor="@color/simprints_black"
+        app:targetViewId="@+id/documentScannerArea"
+        tools:visibility="visible" />
+
+    <TextView
+        android:id="@+id/instructionsText"
+        style="@style/Text.Headline5.White"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_margin="@dimen/padding_default"
+        android:visibility="gone"
+        app:layout_constraintBottom_toTopOf="@+id/documentScannerArea"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        tools:text="Place document code in window"
+        tools:visibility="visible" />
+
+    <View
+        android:id="@+id/documentScannerArea"
+        android:layout_width="0dp"
+        android:layout_height="0dp"
+        android:layout_margin="@dimen/margin_large"
+        android:background="@drawable/viewfinder_border"
+        android:visibility="invisible"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintDimensionRatio="16:10"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        tools:visibility="visible" />
+
+    <LinearLayout
+        android:id="@+id/progressContainer"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:orientation="vertical"
+        android:padding="@dimen/padding_default"
+        android:visibility="gone"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@+id/documentScannerArea"
+        tools:visibility="visible">
+
+        <FrameLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content">
+
+            <com.google.android.material.progressindicator.LinearProgressIndicator
+                android:id="@+id/progressBar"
+                style="@style/Widget.Simprints.LinearProgressIndicator.Blue.Large"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_gravity="center"
+                app:layout_constraintBottom_toBottomOf="parent"
+                app:layout_constraintEnd_toEndOf="parent"
+                app:layout_constraintHorizontal_bias="0.5"
+                app:layout_constraintStart_toStartOf="parent"
+                app:layout_constraintTop_toBottomOf="@+id/connect_title"
+                tools:progress="43" />
+
+            <ImageView
+                android:id="@+id/iconScanComplete"
+                android:layout_width="36dp"
+                android:layout_height="36dp"
+                android:alpha="0"
+                tools:alpha="1"
+                android:layout_gravity="center"
+                android:importantForAccessibility="no"
+                android:src="@drawable/ic_checked_green_large"/>
+        </FrameLayout>
+
+        <TextView
+            android:id="@+id/scanInstructions"
+            style="@style/Text.Body1"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:gravity="center"
+            android:paddingTop="@dimen/padding_default"
+            android:text="@string/mfid_ocr_progress_title" />
+
+    </LinearLayout>
+
+    <com.simprints.infra.view.PermissionRequestView
+        android:id="@+id/permissionRequestView"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_margin="@dimen/margin_large"
+        android:visibility="gone"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        tools:visibility="gone" />
+
+    <Button
+        android:id="@+id/buttonScan"
+        style="@style/Widget.Simprints.Button.Blue"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_margin="16dp"
+        android:text="@string/face_capture_start_capture"
+        android:visibility="gone"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        tools:visibility="visible" />
+
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_qr.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_qr.xml
new file mode 100644
index 0000000000..a6ec010214
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_scan_qr.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent">
+
+    <androidx.camera.view.PreviewView
+        android:id="@+id/qrScannerPreview"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        tools:visibility="gone" />
+
+    <com.simprints.feature.externalcredential.view.DocumentScanMaskView
+        android:id="@+id/viewfinderMask"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:alpha="0.5"
+        android:clickable="false"
+        android:focusable="false"
+        app:inset="8dp"
+        app:maskColor="@color/simprints_black"
+        app:targetViewId="@+id/qrScannerArea"
+        tools:visibility="visible" />
+
+    <TextView
+        android:id="@+id/qrInstructionsText"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintBottom_toTopOf="@+id/qrScannerArea"
+        tools:text="Place QR code in window"
+        style="@style/Text.Headline5.White"
+        android:layout_margin="@dimen/padding_default"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"/>
+
+    <ImageView
+        android:id="@+id/qrScannerArea"
+        android:layout_width="200dp"
+        android:layout_height="200dp"
+        android:importantForAccessibility="no"
+        android:src="@drawable/ic_camera_focus_blue"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent" />
+
+    <com.google.android.material.card.MaterialCardView
+        android:id="@+id/qrPreviewCard"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:layout_marginHorizontal="16dp"
+        android:layout_marginTop="16dp"
+        android:visibility="gone"
+        app:cardBackgroundColor="@color/simprints_blue"
+        app:cardUseCompatPadding="true"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@+id/qrScannerArea"
+        tools:visibility="visible">
+
+        <TextView
+            android:id="@+id/qrPreviewText"
+            style="@style/Text.Body1.White"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:layout_margin="8dp"
+            tools:text="QR_CODE" />
+    </com.google.android.material.card.MaterialCardView>
+
+    <Button
+        android:id="@+id/buttonScan"
+        style="@style/Widget.Simprints.Button.Blue"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginHorizontal="16dp"
+        android:layout_marginBottom="16dp"
+        android:enabled="false"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        tools:text="No QR code detected" />
+
+    <com.simprints.infra.view.PermissionRequestView
+        android:id="@+id/permissionRequestView"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_margin="@dimen/margin_large"
+        android:visibility="gone"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        tools:visibility="gone" />
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_search.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_search.xml
new file mode 100644
index 0000000000..96b349c4a5
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_search.xml
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:background="@color/simprints_blue"
+    android:padding="@dimen/margin_large">
+
+    <com.google.android.material.card.MaterialCardView
+        android:id="@+id/documentPreviewCard"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        app:cardBackgroundColor="@color/simprints_white"
+        app:cardUseCompatPadding="true"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent">
+
+        <androidx.constraintlayout.widget.ConstraintLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content">
+
+            <com.google.android.material.imageview.ShapeableImageView
+                android:id="@+id/documentPreview"
+                android:layout_width="0dp"
+                android:layout_height="0dp"
+                android:elevation="8dp"
+                android:importantForAccessibility="no"
+                android:scaleType="centerCrop"
+                app:layout_constraintDimensionRatio="16:10"
+                app:layout_constraintEnd_toEndOf="parent"
+                app:layout_constraintStart_toStartOf="parent"
+                app:layout_constraintTop_toTopOf="parent"
+                app:shapeAppearanceOverlay="@style/Shape.Simprints.MediumComponent"
+                tools:src="@drawable/ghana_nhis_card" />
+
+            <LinearLayout
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:orientation="vertical"
+                app:layout_constraintEnd_toEndOf="parent"
+                app:layout_constraintStart_toStartOf="parent"
+                app:layout_constraintTop_toBottomOf="@+id/documentPreview">
+
+                <TextView
+                    android:id="@+id/documentTypeTitle"
+                    style="@style/Text.Body2.Secondary"
+                    android:layout_width="wrap_content"
+                    android:layout_height="wrap_content"
+                    android:paddingHorizontal="@dimen/margin_large"
+                    android:paddingTop="@dimen/padding_default"
+                    tools:text="Membership number:" />
+
+                <androidx.constraintlayout.widget.ConstraintLayout
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    android:orientation="horizontal"
+                    android:paddingHorizontal="@dimen/margin_large">
+
+                    <TextView
+                        android:id="@+id/credentialValue"
+                        style="@style/Text.Headline4.Bold"
+                        android:layout_width="0dp"
+                        android:layout_height="wrap_content"
+                        android:layout_marginEnd="@dimen/margin_large"
+                        android:textColor="@color/simprints_text_black"
+                        app:layout_constraintEnd_toStartOf="@+id/iconEditCredential"
+                        app:layout_constraintStart_toStartOf="parent"
+                        app:layout_constraintTop_toTopOf="parent"
+                        tools:text="GHA-123456789-0" />
+
+                    <EditText
+                        android:id="@+id/credentialEditText"
+                        style="@style/Text.Headline4.Bold"
+                        android:layout_width="0dp"
+                        android:layout_height="wrap_content"
+                        android:layout_marginEnd="@dimen/margin_large"
+                        android:backgroundTint="@color/simprints_blue"
+                        android:focusable="true"
+                        android:focusableInTouchMode="true"
+                        android:inputType="textNoSuggestions"
+                        android:visibility="gone"
+                        app:layout_constraintEnd_toStartOf="@+id/iconEditCredential"
+                        app:layout_constraintStart_toStartOf="parent"
+                        app:layout_constraintTop_toTopOf="parent"
+                        tools:hint="Membership number"
+                        tools:ignore="LabelFor"
+                        tools:text="GHA-123456789-0" />
+
+                    <ImageView
+                        android:id="@+id/iconEditCredential"
+                        android:layout_width="24dp"
+                        android:layout_height="24dp"
+                        android:layout_gravity="center"
+                        android:background="?attr/selectableItemBackground"
+                        android:importantForAccessibility="no"
+                        android:src="@drawable/ic_edit"
+                        app:layout_constraintBottom_toBottomOf="parent"
+                        app:layout_constraintEnd_toEndOf="parent"
+                        app:layout_constraintTop_toTopOf="parent"/>
+
+                </androidx.constraintlayout.widget.ConstraintLayout>
+
+                <CheckBox
+                    android:id="@+id/confirmCredentialCheckbox"
+                    style="@style/Text.Body2.Secondary"
+                    android:layout_width="wrap_content"
+                    android:layout_height="wrap_content"
+                    android:layout_marginHorizontal="10dp"
+                    android:layout_marginBottom="@dimen/margin_large"
+                    android:buttonTint="@color/simprints_blue"
+                    android:checked="false"
+                    android:paddingStart="@dimen/margin_default"
+                    android:visibility="gone"
+                    tools:text="I confirm that the external credential is scanned correctly"
+                    tools:visibility="visible" />
+            </LinearLayout>
+        </androidx.constraintlayout.widget.ConstraintLayout>
+    </com.google.android.material.card.MaterialCardView>
+
+    <com.google.android.material.card.MaterialCardView
+        android:id="@+id/searchProgressCard"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:visibility="gone"
+        app:cardBackgroundColor="@color/simprints_white"
+        app:cardUseCompatPadding="true"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@+id/documentPreviewCard">
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:gravity="center_vertical"
+            android:orientation="horizontal"
+            android:padding="@dimen/padding_default">
+
+            <com.google.android.material.progressindicator.CircularProgressIndicator
+                android:layout_width="wrap_content"
+                android:layout_height="wrap_content"
+                android:indeterminate="true"
+                app:indicatorColor="@color/simprints_blue"
+                app:indicatorSize="24dp" />
+
+            <TextView
+                style="@style/Text.Body1"
+                android:layout_width="wrap_content"
+                android:layout_height="wrap_content"
+                android:layout_marginStart="@dimen/margin_large"
+                android:text="@string/mfid_searching" />
+        </LinearLayout>
+
+    </com.google.android.material.card.MaterialCardView>
+
+    <com.google.android.material.card.MaterialCardView
+        android:id="@+id/searchResultCard"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        app:cardBackgroundColor="@color/simprints_white"
+        app:cardUseCompatPadding="true"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@+id/documentPreviewCard">
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:gravity="center_vertical"
+            android:orientation="horizontal"
+            android:padding="@dimen/padding_default"
+            tools:ignore="UseCompoundDrawables">
+
+            <ImageView
+                android:id="@+id/iconSearchResult"
+                android:layout_width="24dp"
+                android:layout_height="24dp"
+                android:layout_marginEnd="@dimen/margin_large"
+                android:importantForAccessibility="no"
+                tools:src="@drawable/ic_done" />
+
+            <TextView
+                android:id="@+id/textSearchResult"
+                style="@style/Text.Body1"
+                android:layout_width="wrap_content"
+                android:layout_height="wrap_content"
+                android:text="@string/mfid_searching"
+                tools:text="Record found" />
+        </LinearLayout>
+
+    </com.google.android.material.card.MaterialCardView>
+
+    <Button
+        android:id="@+id/buttonRecapture"
+        style="@style/Widget.Simprints.Button.White"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:text="@string/face_capture_recapture_button"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toStartOf="@id/buttonConfirm"
+        app:layout_constraintStart_toStartOf="parent" />
+
+    <Button
+        android:id="@+id/buttonConfirm"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginStart="@dimen/margin_large"
+        android:enabled="false"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toEndOf="@id/buttonRecapture"
+        tools:text="Go to record" />
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_select.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_select.xml
new file mode 100644
index 0000000000..cc35c6b141
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_select.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:background="@color/simprints_blue">
+
+    <TextView
+        android:id="@+id/title"
+        style="@style/Text.Headline5.White.Bold"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:gravity="center"
+        android:padding="@dimen/padding_default"
+        tools:text="Scan a document"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent" />
+
+    <FrameLayout
+        android:layout_width="0dp"
+        android:layout_height="0dp"
+        app:layout_constraintBottom_toTopOf="@id/skipScanning"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@id/title">
+
+        <androidx.recyclerview.widget.RecyclerView
+            android:id="@+id/documentsRecyclerView"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_gravity="center"
+            android:clipToPadding="false"
+            android:paddingHorizontal="14dp"
+            tools:itemCount="3"
+            tools:listitem="@layout/item_document" />
+    </FrameLayout>
+
+    <TextView
+        android:id="@+id/skipScanning"
+        style="@style/Text.Body2.White"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:background="?attr/selectableItemBackground"
+        android:clickable="true"
+        android:focusable="true"
+        android:gravity="center"
+        android:padding="@dimen/padding_default"
+        android:text="@string/mfid_scanner_selection_skip"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent" />
+
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout/fragment_external_credential_skip.xml b/feature/external-credential/src/main/res/layout/fragment_external_credential_skip.xml
new file mode 100644
index 0000000000..25d8233497
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/fragment_external_credential_skip.xml
@@ -0,0 +1,156 @@
+<?xml version="1.0" encoding="utf-8"?>
+<androidx.constraintlayout.widget.ConstraintLayout xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="match_parent"
+    android:background="@color/simprints_blue">
+
+
+    <TextView
+        android:id="@+id/title"
+        style="@style/Text.Headline5.White"
+        android:layout_width="wrap_content"
+        android:layout_height="wrap_content"
+        android:gravity="center"
+        android:padding="@dimen/padding_default"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toTopOf="parent"
+        tools:text="Why did you skip the document scan?" />
+
+    <ScrollView
+        android:layout_width="0dp"
+        android:layout_height="0dp"
+        android:paddingHorizontal="6dp"
+        app:layout_constraintBottom_toTopOf="@+id/buttonGoBack"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toStartOf="parent"
+        app:layout_constraintTop_toBottomOf="@id/title">
+
+        <com.google.android.material.card.MaterialCardView
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:clipToPadding="true"
+            android:theme="@style/Theme.Simprints"
+            app:cardCornerRadius="8dp"
+            app:cardElevation="4dp"
+            app:cardUseCompatPadding="true">
+
+            <LinearLayout
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:orientation="vertical"
+                android:paddingHorizontal="@dimen/margin_default"
+                android:paddingVertical="@dimen/margin_large">
+
+
+                <RadioGroup
+                    android:id="@+id/skipCredentialScanRadioGroup"
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    app:layout_constraintEnd_toEndOf="parent"
+                    app:layout_constraintStart_toStartOf="parent"
+                    app:layout_constraintTop_toTopOf="parent">
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonDoesNotHaveDocument"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Does not have document" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonDidNotBring"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Did not bring document" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonIncorrect"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Brought incorrect document" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonDoesNotWantToProvide"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Does not want to provide document" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonDamaged"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Document damaged or unreadable" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonUnableToScan"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        tools:text="Unable to scan document" />
+
+                    <com.google.android.material.radiobutton.MaterialRadioButton
+                        android:id="@+id/skipReasonOther"
+                        style="@style/Widget.Simprints.RadioButton"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:text="@string/mfid_skip_reason_other" />
+                </RadioGroup>
+
+
+                <com.google.android.material.textfield.TextInputLayout
+                    android:id="@+id/reasonTextInputLayout"
+                    android:layout_width="match_parent"
+                    android:layout_height="wrap_content"
+                    android:hint="@string/mfid_skip_reason_hint"
+                    android:visibility="gone"
+                    app:helperText="@string/mfid_skip_reason_helper_text"
+                    app:helperTextTextColor="@color/simprints_grey"
+                    app:hintTextColor="@color/simprints_grey"
+                    tools:visibility="visible">
+
+                    <com.google.android.material.textfield.TextInputEditText
+                        android:id="@+id/reasonTextInput"
+                        android:layout_width="match_parent"
+                        android:layout_height="wrap_content"
+                        android:inputType="textMultiLine"
+                        android:maxLength="100"
+                        android:maxLines="4" />
+                </com.google.android.material.textfield.TextInputLayout>
+            </LinearLayout>
+
+        </com.google.android.material.card.MaterialCardView>
+    </ScrollView>
+
+    <Button
+        android:id="@+id/buttonGoBack"
+        style="@style/Widget.Simprints.Button.White"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginStart="@dimen/padding_default"
+        android:layout_marginBottom="@dimen/padding_default"
+        android:text="@string/mfid_skip_go_back"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toStartOf="@id/buttonSkip"
+        app:layout_constraintStart_toStartOf="parent" />
+
+    <Button
+        android:id="@+id/buttonSkip"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:layout_marginStart="@dimen/margin_large"
+        android:layout_marginEnd="@dimen/padding_default"
+        android:layout_marginBottom="@dimen/padding_default"
+        android:enabled="false"
+        android:text="@string/mfid_skip_confirm"
+        app:layout_constraintBottom_toBottomOf="parent"
+        app:layout_constraintEnd_toEndOf="parent"
+        app:layout_constraintStart_toEndOf="@id/buttonGoBack" />
+
+</androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/external-credential/src/main/res/layout/item_document.xml b/feature/external-credential/src/main/res/layout/item_document.xml
new file mode 100644
index 0000000000..f2b8d0e5e9
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/item_document.xml
@@ -0,0 +1,42 @@
+<com.google.android.material.card.MaterialCardView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="match_parent"
+    android:layout_height="wrap_content"
+    android:background="@color/simprints_white"
+    android:elevation="@dimen/cardview_default_elevation"
+    app:cardUseCompatPadding="true">
+
+    <androidx.constraintlayout.widget.ConstraintLayout
+        android:padding="@dimen/margin_default"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content">
+
+        <ImageView
+            android:id="@+id/documentImage"
+            android:layout_width="0dp"
+            android:layout_height="0dp"
+            android:elevation="4dp"
+            android:scaleType="centerCrop"
+            tools:src="@drawable/ghana_nhis_card"
+            app:layout_constraintBottom_toBottomOf="parent"
+            app:layout_constraintDimensionRatio="H,16:10"
+            app:layout_constraintEnd_toStartOf="@id/documentText"
+            app:layout_constraintStart_toStartOf="parent"
+            app:layout_constraintTop_toTopOf="parent"
+            app:layout_constraintWidth_percent="0.5" />
+
+        <TextView
+            android:id="@+id/documentText"
+            style="@style/Text.Body2"
+            android:layout_width="0dp"
+            android:layout_height="0dp"
+            android:gravity="center"
+            app:layout_constraintBottom_toBottomOf="parent"
+            app:layout_constraintEnd_toEndOf="parent"
+            app:layout_constraintStart_toEndOf="@id/documentImage"
+            app:layout_constraintTop_toTopOf="parent"
+            tools:text="Scan this document" />
+
+    </androidx.constraintlayout.widget.ConstraintLayout>
+</com.google.android.material.card.MaterialCardView>
diff --git a/feature/external-credential/src/main/res/layout/item_scanned_image.xml b/feature/external-credential/src/main/res/layout/item_scanned_image.xml
new file mode 100644
index 0000000000..801e358c70
--- /dev/null
+++ b/feature/external-credential/src/main/res/layout/item_scanned_image.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<com.google.android.material.card.MaterialCardView xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:layout_width="wrap_content"
+    android:layout_height="wrap_content"
+    android:layout_marginVertical="4dp"
+    android:layout_marginStart="16dp"
+    android:clipToPadding="true"
+    app:cardUseCompatPadding="true"
+    android:theme="@style/Theme.Simprints"
+    app:cardCornerRadius="8dp"
+    app:cardElevation="4dp">
+
+    <ImageView
+
+        android:id="@+id/documentImage"
+        android:layout_width="match_parent"
+        android:layout_height="match_parent"
+        android:scaleType="centerCrop"
+        tools:src="@tools:sample/avatars" />
+
+
+</com.google.android.material.card.MaterialCardView>
diff --git a/feature/external-credential/src/main/res/navigation/graph_external_credential.xml b/feature/external-credential/src/main/res/navigation/graph_external_credential.xml
new file mode 100644
index 0000000000..4f18491e1c
--- /dev/null
+++ b/feature/external-credential/src/main/res/navigation/graph_external_credential.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<navigation xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    android:id="@+id/graph_external_credential"
+    app:startDestination="@id/externalCredentialControllerFragment">
+
+    <fragment
+        android:id="@+id/externalCredentialControllerFragment"
+        android:name="com.simprints.feature.externalcredential.screens.controller.ExternalCredentialControllerFragment"
+        android:label="ExternalCredentialController">
+        <argument
+            android:name="params"
+            app:argType="com.simprints.core.domain.step.StepParams"/>
+    </fragment>
+
+    <include app:graph="@navigation/graph_exit_form" />
+    <action
+        android:id="@+id/action_global_refusalFragment"
+        app:destination="@+id/graph_exit_form" />
+</navigation>
diff --git a/feature/external-credential/src/main/res/navigation/graph_external_credential_internal.xml b/feature/external-credential/src/main/res/navigation/graph_external_credential_internal.xml
new file mode 100644
index 0000000000..47d96644a7
--- /dev/null
+++ b/feature/external-credential/src/main/res/navigation/graph_external_credential_internal.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="utf-8"?>
+<navigation xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools"
+    android:id="@+id/graph_external_credential_internal"
+    app:startDestination="@id/externalCredentialSelectFragment">
+
+    <fragment
+        android:id="@+id/externalCredentialSelectFragment"
+        android:name="com.simprints.feature.externalcredential.screens.select.ExternalCredentialSelectFragment"
+        android:label="fragment_external_credential_select"
+        tools:layout="@layout/fragment_external_credential_select">
+        <action
+            android:id="@+id/action_externalCredentialSelectFragment_to_externalCredentialScanQr"
+            app:destination="@+id/externalCredentialScanQr" />
+        <action
+            android:id="@+id/action_externalCredentialSelectFragment_to_externalCredentialScanOcr"
+            app:destination="@+id/externalCredentialScanOcr" />
+        <action
+            android:id="@+id/action_externalCredentialSelectFragment_to_externalCredentialSkip"
+            app:destination="@+id/externalCredentialSkip" />
+    </fragment>
+
+    <fragment
+        android:id="@+id/externalCredentialScanQr"
+        android:name="com.simprints.feature.externalcredential.screens.scanqr.ExternalCredentialScanQrFragment"
+        android:label="ExternalCredentialScanQrFragment"
+        tools:layout="@layout/fragment_external_credential_scan_qr">
+        <action
+            android:id="@+id/action_externalCredentialSelectScanQr_to_externalCredentialSearch"
+            app:destination="@+id/externalCredentialSearch"
+            app:popUpTo="@+id/graph_external_credential_internal"
+            app:popUpToInclusive="true" />
+    </fragment>
+
+    <fragment
+        android:id="@+id/externalCredentialSearch"
+        android:name="com.simprints.feature.externalcredential.screens.search.ExternalCredentialSearchFragment"
+        android:label="ExternalCredentialSearchFragment"
+        tools:layout="@layout/fragment_external_credential_search">
+
+        <action
+            android:id="@+id/action_externalCredentialSearch_to_externalCredentialSelectFragment"
+            app:destination="@+id/externalCredentialSelectFragment"
+            app:popUpTo="@+id/graph_external_credential_internal"
+            app:popUpToInclusive="true" />
+        <argument
+            android:name="scannedCredential"
+            app:argType="com.simprints.feature.externalcredential.screens.search.model.ScannedCredential"
+            app:nullable="false" />
+    </fragment>
+
+    <fragment
+        android:id="@+id/externalCredentialScanOcr"
+        android:name="com.simprints.feature.externalcredential.screens.scanocr.ExternalCredentialScanOcrFragment"
+        android:label="ExternalCredentialScanOcrFragment"
+        tools:layout="@layout/fragment_external_credential_scan_ocr">
+        <action
+            android:id="@+id/action_externalCredentialScanOcr_to_externalCredentialSearch"
+            app:destination="@+id/externalCredentialSearch"
+            app:popUpTo="@+id/graph_external_credential_internal"
+            app:popUpToInclusive="true" />
+        <argument
+            android:name="ocrDocumentType"
+            app:argType="com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType"
+            app:nullable="false" />
+    </fragment>
+
+    <fragment
+        android:id="@+id/externalCredentialSkip"
+        android:name="com.simprints.feature.externalcredential.screens.skip.ExternalCredentialSkipFragment"
+        android:label="ExternalCredentialSkipFragment"
+        tools:layout="@layout/fragment_external_credential_skip" />
+
+    <action
+        android:id="@+id/action_global_external_credential_select"
+        app:destination="@+id/externalCredentialSelectFragment"
+        app:popUpTo="@+id/graph_external_credential_internal"
+        app:popUpToInclusive="true" />
+
+</navigation>
diff --git a/feature/external-credential/src/main/res/values/attrs.xml b/feature/external-credential/src/main/res/values/attrs.xml
new file mode 100644
index 0000000000..a4886a9148
--- /dev/null
+++ b/feature/external-credential/src/main/res/values/attrs.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<resources>
+    <declare-styleable name="DocumentMaskView">
+        <attr name="targetViewId" format="reference" />
+        <attr name="cornerRadius" format="dimension" />
+        <attr name="maskColor" format="color" />
+        <attr name="inset" format="dimension" />
+    </declare-styleable>
+</resources>
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/ext/ResourceExtTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/ext/ResourceExtTest.kt
new file mode 100644
index 0000000000..59e57b844e
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/ext/ResourceExtTest.kt
@@ -0,0 +1,44 @@
+package com.simprints.feature.externalcredential.ext
+
+import android.content.res.Resources
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import io.mockk.*
+import org.junit.Test
+import com.simprints.infra.resources.R as IDR
+
+class ResourceExtTest {
+    private val mockResources = mockk<Resources>(relaxed = true)
+
+    @Test
+    fun `getCredentialTypeRes returns correct resource ids`() {
+        assertThat(mockResources.getCredentialTypeRes(ExternalCredentialType.NHISCard))
+            .isEqualTo(IDR.string.mfid_type_nhis_card)
+        assertThat(mockResources.getCredentialTypeRes(ExternalCredentialType.GhanaIdCard))
+            .isEqualTo(IDR.string.mfid_type_ghana_id_card)
+        assertThat(mockResources.getCredentialTypeRes(ExternalCredentialType.QRCode))
+            .isEqualTo(IDR.string.mfid_type_qr_code)
+        assertThat(mockResources.getCredentialTypeRes(null))
+            .isEqualTo(IDR.string.mfid_type_any_document)
+    }
+
+    @Test
+    fun `getCredentialFieldTitle returns correct resource ids for each type`() {
+        every { mockResources.getString(any()) } returns ""
+        mockResources.getCredentialFieldTitle(ExternalCredentialType.NHISCard)
+        verify { mockResources.getString(IDR.string.mfid_nhis_card_credential_field) }
+        mockResources.getCredentialFieldTitle(ExternalCredentialType.GhanaIdCard)
+        verify { mockResources.getString(IDR.string.mfid_ghana_id_credential_field) }
+        mockResources.getCredentialFieldTitle(ExternalCredentialType.QRCode)
+        verify { mockResources.getString(IDR.string.mfid_qr_credential_field) }
+    }
+
+    @Test
+    fun `getCredentialTypeString calls getString with correct resource id`() {
+        val expected = "expected"
+        every { mockResources.getString(any()) } returns expected
+        val result = mockResources.getCredentialTypeString(ExternalCredentialType.NHISCard)
+        verify { mockResources.getString(IDR.string.mfid_type_nhis_card) }
+        assertThat(result).isEqualTo(expected)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModelTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModelTest.kt
new file mode 100644
index 0000000000..669d457236
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/controller/ExternalCredentialViewModelTest.kt
@@ -0,0 +1,234 @@
+package com.simprints.feature.externalcredential.screens.controller
+
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import com.google.common.truth.Truth.assertThat
+import com.jraska.livedata.test
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.BoundingBox
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.usecase.ExternalCredentialEventTrackerUseCase
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import com.simprints.testtools.common.coroutines.TestCoroutineRule
+import io.mockk.MockKAnnotations
+import io.mockk.coEvery
+import io.mockk.coVerify
+import io.mockk.every
+import io.mockk.impl.annotations.MockK
+import io.mockk.mockk
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Rule
+import org.junit.Test
+
+internal class ExternalCredentialViewModelTest {
+    @get:Rule
+    val rule = InstantTaskExecutorRule()
+
+    @get:Rule
+    val testCoroutineRule = TestCoroutineRule()
+
+    @MockK
+    lateinit var eventsTracker: ExternalCredentialEventTrackerUseCase
+
+    @MockK
+    lateinit var timeHelper: TimeHelper
+
+    @MockK
+    private lateinit var configManager: ConfigManager
+    private lateinit var viewModel: ExternalCredentialViewModel
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        viewModel = ExternalCredentialViewModel(
+            configManager = configManager,
+            timeHelper = timeHelper,
+            eventsTracker = eventsTracker,
+        )
+        every { timeHelper.now() } returns Timestamp(1L)
+    }
+
+    @Test
+    fun `initial state is EMPTY`() {
+        val observer = viewModel.stateLiveData.test()
+        assertThat(observer.value()).isEqualTo(ExternalCredentialState.EMPTY)
+    }
+
+    @Test
+    fun `setSelectedExternalCredentialType updates state`() {
+        val observer = viewModel.stateLiveData.test()
+
+        viewModel.selectionStarted()
+        viewModel.setSelectedExternalCredentialType(ExternalCredentialType.GhanaIdCard)
+
+        assertThat(observer.value()?.selectedType).isEqualTo(ExternalCredentialType.GhanaIdCard)
+    }
+
+    @Test
+    fun `setSelectedExternalCredentialType null resets state`() {
+        val observer = viewModel.stateLiveData.test()
+
+        viewModel.setSelectedExternalCredentialType(null)
+
+        assertThat(observer.value()?.selectedType).isNull()
+    }
+
+    @Test
+    fun `setExternalCredentialValue updates state`() {
+        val observer = viewModel.stateLiveData.test()
+        val value = "value"
+        viewModel.setExternalCredentialValue(value)
+        assertThat(observer.value()?.credentialValue).isEqualTo(value)
+    }
+
+    @Test
+    fun `init sets state only once`() {
+        val observer = viewModel.stateLiveData.test()
+        val subjectId = "subjectId"
+        val flowType = FlowType.IDENTIFY
+        val params = createParams(subjectId = subjectId, flowType)
+        val paramsSecond = createParams(subjectId = "other", flowType)
+
+        viewModel.init(params)
+        val firstState = observer.value()
+
+        viewModel.init(paramsSecond)
+
+        assertThat(observer.value()).isEqualTo(firstState)
+        assertThat(observer.value()?.subjectId).isEqualTo(subjectId)
+        assertThat(observer.value()?.flowType).isEqualTo(flowType)
+    }
+
+    @Test
+    fun `finish sends result to finishEvent`() = runTest {
+        val mockResult = mockk<ExternalCredentialSearchResult>(relaxed = true) {
+            every { scannedCredential } returns null
+        }
+        viewModel.finish(mockResult)
+        val observer = viewModel.finishEvent
+            .test()
+            .value()
+            .getContentIfNotHandled()
+
+        assertThat(observer).isNotNull()
+        assertThat(observer).isEqualTo(mockResult)
+    }
+
+    @Test
+    fun `finish handles non-null scannedCredential in result`() = runTest {
+        val subjectId = "subjectId"
+        val flowType = FlowType.IDENTIFY
+        val params = createParams(subjectId, flowType)
+        val credentialSearchResult = mockk<ExternalCredentialSearchResult>(relaxed = true) {
+            every { scannedCredential } returns createScannedCredential()
+        }
+        viewModel.init(params)
+        viewModel.selectionStarted()
+        viewModel.setSelectedExternalCredentialType(ExternalCredentialType.QRCode) // init capture timer
+        viewModel.finish(credentialSearchResult)
+
+        val observer = viewModel.finishEvent
+            .test()
+            .value()
+            .getContentIfNotHandled()
+
+        assertThat(observer).isEqualTo(credentialSearchResult)
+    }
+
+    @Test
+    fun `finish saves success flow events`() = runTest {
+        val mockResult = mockk<ExternalCredentialSearchResult>(relaxed = true) {
+            every { scannedCredential } returns mockk(relaxed = true)
+        }
+        coEvery { eventsTracker.saveSelectionEvent(any(), any(), any()) } returns "selectionId"
+
+        viewModel.selectionStarted()
+        viewModel.init(createParams(subjectId = "subjectId", FlowType.IDENTIFY))
+        viewModel.setSelectedExternalCredentialType(ExternalCredentialType.QRCode) // init capture timer
+        viewModel.finish(mockResult)
+
+        coVerify { eventsTracker.saveSelectionEvent(any(), any(), any()) }
+        coVerify { eventsTracker.saveCaptureEvents(any(), any(), any(), any()) }
+    }
+
+    @Test
+    fun `finish saves skip event`() = runTest {
+        val mockResult = mockk<ExternalCredentialSearchResult>(relaxed = true) {
+            every { scannedCredential } returns null
+        }
+        viewModel.selectionStarted()
+        viewModel.skipOptionSelected(ExternalCredentialSelectionEvent.SkipReason.OTHER)
+        viewModel.skipOtherReasonChanged("other")
+        viewModel.finish(mockResult)
+
+        coVerify { eventsTracker.saveSkippedEvent(any(), any(), any()) }
+    }
+
+    @Test
+    fun `init block loads allowed external credentials from config`() = runTest {
+        val allowedCredentials = listOf(
+            ExternalCredentialType.NHISCard,
+            ExternalCredentialType.GhanaIdCard,
+        )
+        val viewModel = setupViewModel(allowedCredentials = allowedCredentials)
+        val observer = viewModel.externalCredentialTypes.test()
+        assertThat(observer.value()).isEqualTo(allowedCredentials)
+    }
+
+    @Test
+    fun `init block sets empty list if no allowed credentials configured`() = runTest {
+        val viewModel = setupViewModel(allowedCredentials = emptyList())
+        val observer = viewModel.externalCredentialTypes.test()
+        assertThat(observer.value()).isEmpty()
+    }
+
+    private fun setupViewModel(allowedCredentials: List<ExternalCredentialType>): ExternalCredentialViewModel {
+        coEvery { configManager.getProjectConfiguration() } returns mockk {
+            every { multifactorId } returns mockk {
+                every { allowedExternalCredentials } returns allowedCredentials
+            }
+        }
+        return ExternalCredentialViewModel(
+            configManager = configManager,
+            timeHelper = timeHelper,
+            eventsTracker = eventsTracker,
+        )
+    }
+
+    private fun createScannedCredential(
+        credential: String = "credential",
+        credentialType: ExternalCredentialType = ExternalCredentialType.NHISCard,
+        documentImagePath: String? = "documentImagePath",
+        zoomedCredentialImagePath: String? = "zoomedCredentialImagePath",
+        credentialBoundingBox: BoundingBox? = BoundingBox(0, 0, 100, 100),
+    ) = ScannedCredential(
+        credential = credential.asTokenizableEncrypted(),
+        credentialType = credentialType,
+        documentImagePath = documentImagePath,
+        zoomedCredentialImagePath = zoomedCredentialImagePath,
+        credentialBoundingBox = credentialBoundingBox,
+        scanStartTime = Timestamp(1L),
+        scanEndTime = Timestamp(2L),
+        scannedValue = credential.asTokenizableRaw(),
+    )
+
+    private fun createParams(
+        subjectId: String,
+        flowType: FlowType,
+    ) = ExternalCredentialParams(
+        subjectId = subjectId,
+        flowType = flowType,
+        ageGroup = null,
+        probeReferenceId = null,
+        faceSamples = emptyList(),
+        fingerprintSamples = emptyList(),
+    )
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModelTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModelTest.kt
new file mode 100644
index 0000000000..bf70d7fc5c
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/ExternalCredentialScanOcrViewModelTest.kt
@@ -0,0 +1,221 @@
+package com.simprints.feature.externalcredential.screens.scanocr
+
+import android.graphics.Bitmap
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import com.google.common.truth.Truth.*
+import com.jraska.livedata.test
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.model.BoundingBox
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.CropDocumentFromPreviewUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.GetCredentialCoordinatesUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.KeepOnlyBestDetectedBlockUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.NormalizeBitmapToPreviewUseCase
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.ZoomOntoCredentialUseCase
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.credential.store.CredentialImageRepository
+import com.simprints.infra.resources.R
+import com.simprints.testtools.common.coroutines.TestCoroutineRule
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Rule
+import org.junit.Test
+import kotlin.concurrent.timer
+
+internal class ExternalCredentialScanOcrViewModelTest {
+    @get:Rule
+    val rule = InstantTaskExecutorRule()
+
+    @get:Rule
+    val testCoroutineRule = TestCoroutineRule()
+
+    @MockK
+    private lateinit var timeHelper: TimeHelper
+
+    @MockK
+    private lateinit var normalizeBitmapToPreviewUseCase: NormalizeBitmapToPreviewUseCase
+
+    @MockK
+    private lateinit var cropDocumentFromPreviewUseCase: CropDocumentFromPreviewUseCase
+
+    @MockK
+    private lateinit var getCredentialCoordinatesUseCase: GetCredentialCoordinatesUseCase
+
+    @MockK
+    private lateinit var keepOnlyBestDetectedBlockUseCase: KeepOnlyBestDetectedBlockUseCase
+
+    @MockK
+    private lateinit var zoomOntoCredentialUseCase: ZoomOntoCredentialUseCase
+
+    @MockK
+    private lateinit var credentialImageRepository: CredentialImageRepository
+
+    @MockK
+    private lateinit var tokenizationProcessor: TokenizationProcessor
+
+    @MockK
+    private lateinit var authStore: AuthStore
+
+    @MockK
+    private lateinit var configManager: ConfigManager
+
+    @MockK
+    private lateinit var bitmap: Bitmap
+
+    @MockK
+    private lateinit var cropConfig: OcrCropConfig
+
+    private lateinit var viewModel: ExternalCredentialScanOcrViewModel
+
+    private val documentType = OcrDocumentType.NhisCard
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        viewModel = initViewModel(documentType)
+
+        every { timeHelper.now() } returns Timestamp(1L)
+    }
+
+    private fun initViewModel(documentType: OcrDocumentType) = ExternalCredentialScanOcrViewModel(
+        ocrDocumentType = documentType,
+        timeHelper = timeHelper,
+        normalizeBitmapToPreviewUseCase = normalizeBitmapToPreviewUseCase,
+        cropDocumentFromPreviewUseCase = cropDocumentFromPreviewUseCase,
+        getCredentialCoordinatesUseCase = getCredentialCoordinatesUseCase,
+        keepOnlyBestDetectedBlockUseCase = keepOnlyBestDetectedBlockUseCase,
+        zoomOntoCredentialUseCase = zoomOntoCredentialUseCase,
+        credentialImageRepository = credentialImageRepository,
+        bgDispatcher = testCoroutineRule.testCoroutineDispatcher,
+        tokenizationProcessor = tokenizationProcessor,
+        configManager = configManager,
+        authStore = authStore,
+    )
+
+    @Test
+    fun `ocrStarted updates state to ScanningInProgress`() {
+        val observer = viewModel.stateLiveData.test()
+        viewModel.ocrStarted()
+
+        val state = observer.value() as ScanOcrState.ScanningInProgress
+        assertThat(state.ocrDocumentType).isEqualTo(documentType)
+        assertThat(state.successfulCaptures).isEqualTo(0)
+        assertThat(state.scansRequired).isEqualTo(5)
+    }
+
+    @Test
+    fun `runOcrOnFrame updates detected blocks and state when successful`() = runTest {
+        val mockDetectedBlock = mockk<DetectedOcrBlock>()
+        val mockNormalizedBitmap = mockk<Bitmap>()
+        val mockCroppedBitmap = mockk<Bitmap>()
+        coEvery { normalizeBitmapToPreviewUseCase(bitmap, cropConfig) } returns mockNormalizedBitmap
+        coEvery { cropDocumentFromPreviewUseCase(mockNormalizedBitmap, any()) } returns mockCroppedBitmap
+        coEvery { getCredentialCoordinatesUseCase(mockCroppedBitmap, documentType) } returns mockDetectedBlock
+
+        val observer = viewModel.stateLiveData.test()
+        viewModel.ocrOnFrameStarted()
+        viewModel.runOcrOnFrame(bitmap, cropConfig)
+
+        val state = observer.value() as ScanOcrState.ScanningInProgress
+        assertThat(state.successfulCaptures).isEqualTo(1)
+        assertThat(viewModel.isRunningOcrOnFrame).isFalse()
+        assertThat(viewModel.isOcrActive).isTrue()
+    }
+
+    @Test
+    fun `processOcrResultsAndFinish sends finish event with scanned credential`() = runTest {
+        val detectedBlockImagePath = "detectedBlockImagePath"
+        val readoutValue = "readoutValue"
+        val zoomedImagePath = "zoomedImagePath"
+        val projectId = "projectId"
+        val mockBoundingBox = mockk<BoundingBox>()
+        val mockBitmap = mockk<Bitmap>()
+        val mockProject = mockk<Project>()
+        val mockTokenizedCredential = mockk<TokenizableString.Tokenized>()
+
+        val mockBestBlock = mockk<DetectedOcrBlock> {
+            every { documentType } returns OcrDocumentType.NhisCard
+            every { blockBoundingBox } returns mockBoundingBox
+            every { imagePath } returns detectedBlockImagePath
+            every { this@mockk.readoutValue } returns readoutValue
+        }
+
+        coEvery { authStore.signedInProjectId } returns projectId
+        coEvery { configManager.getProject(projectId) } returns mockProject
+        coEvery { keepOnlyBestDetectedBlockUseCase(any(), documentType) } returns mockBestBlock
+        coEvery { tokenizationProcessor.encrypt(any(), TokenKeyType.ExternalCredential, mockProject) } returns mockTokenizedCredential
+        coEvery { zoomOntoCredentialUseCase(detectedBlockImagePath, mockBoundingBox) } returns mockBitmap
+        coEvery { credentialImageRepository.saveCredentialScan(mockBitmap, any()) } returns zoomedImagePath
+
+        val finishObserver = viewModel.finishOcrEvent.test()
+        val stateObserver = viewModel.stateLiveData.test()
+
+        viewModel.ocrStarted() // Initialises capture timing
+        viewModel.processOcrResultsAndFinish()
+
+        val scannedCredential = finishObserver.value()?.peekContent()
+        assertThat(scannedCredential?.credential).isEqualTo(mockTokenizedCredential)
+        assertThat(scannedCredential?.documentImagePath).isEqualTo(detectedBlockImagePath)
+        assertThat(scannedCredential?.zoomedCredentialImagePath).isEqualTo(zoomedImagePath)
+        assertThat(scannedCredential?.credentialBoundingBox).isEqualTo(mockBoundingBox)
+        assertThat(stateObserver.value()).isEqualTo(ScanOcrState.Complete)
+        assertThat(viewModel.isOcrActive).isFalse()
+    }
+
+    @Test
+    fun `processOcrResultsAndFinish sets null zoomed image path when zoom fails`() = runTest {
+        val detectedBlockImagePath = "detectedBlockImagePath"
+        val readoutValue = "readoutValue"
+        val projectId = "projectId"
+        val mockBoundingBox = mockk<BoundingBox>()
+        val mockProject = mockk<Project>()
+        val mockTokenizedCredential = mockk<TokenizableString.Tokenized>()
+
+        val mockBestBlock = mockk<DetectedOcrBlock> {
+            every { documentType } returns OcrDocumentType.NhisCard
+            every { blockBoundingBox } returns mockBoundingBox
+            every { imagePath } returns detectedBlockImagePath
+            every { this@mockk.readoutValue } returns readoutValue
+        }
+
+        coEvery { authStore.signedInProjectId } returns projectId
+        coEvery { configManager.getProject(projectId) } returns mockProject
+        coEvery { keepOnlyBestDetectedBlockUseCase(any(), documentType) } returns mockBestBlock
+        coEvery { tokenizationProcessor.encrypt(any(), TokenKeyType.ExternalCredential, mockProject) } returns mockTokenizedCredential
+        coEvery { zoomOntoCredentialUseCase(detectedBlockImagePath, mockBoundingBox) } throws Exception("Zoom failed")
+
+        val finishObserver = viewModel.finishOcrEvent.test()
+
+        viewModel.ocrStarted() // Initialises capture timing
+        viewModel.processOcrResultsAndFinish()
+
+        val scannedCredential = finishObserver.value()?.peekContent()
+        assertThat(scannedCredential?.zoomedCredentialImagePath).isNull()
+        assertThat(scannedCredential?.credential).isEqualTo(mockTokenizedCredential)
+        assertThat(scannedCredential?.documentImagePath).isEqualTo(detectedBlockImagePath)
+    }
+
+    @Test
+    fun `getDocumentTypeRes returns correct resource for NHIS card`() {
+        viewModel = initViewModel(OcrDocumentType.NhisCard)
+        val result = viewModel.getDocumentTypeRes()
+        assertThat(result).isEqualTo(R.string.mfid_type_nhis_card)
+    }
+
+    @Test
+    fun `getDocumentTypeRes returns correct resource for Ghana ID card`() {
+        viewModel = initViewModel(OcrDocumentType.GhanaIdCard)
+        val result = viewModel.getDocumentTypeRes()
+        assertThat(result).isEqualTo(R.string.mfid_type_ghana_id_card)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCaseTest.kt
new file mode 100644
index 0000000000..df1a040d2a
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/BuildOcrCropConfigUseCaseTest.kt
@@ -0,0 +1,88 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Rect
+import android.view.View
+import com.google.common.truth.Truth.assertThat
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.mockk
+import org.junit.Before
+import org.junit.Test
+
+internal class BuildOcrCropConfigUseCaseTest {
+    private lateinit var getBoundsRelativeToParentUseCase: GetBoundsRelativeToParentUseCase
+    private lateinit var useCase: BuildOcrCropConfigUseCase
+
+    private val mockCameraPreview = mockk<View>()
+    private val mockDocumentScannerArea = mockk<View>()
+    private val mockRect = mockk<Rect>()
+    private val width800 = 800
+    private val height600 = 600
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        getBoundsRelativeToParentUseCase = mockk()
+        useCase = BuildOcrCropConfigUseCase(getBoundsRelativeToParentUseCase)
+
+        every { mockCameraPreview.width } returns width800
+        every { mockCameraPreview.height } returns height600
+        every { getBoundsRelativeToParentUseCase(mockCameraPreview, mockDocumentScannerArea) } returns mockRect
+    }
+
+    private fun runUseCaseTest(rotationDegrees: Int = 0) = useCase(rotationDegrees, mockCameraPreview, mockDocumentScannerArea)
+
+    @Test
+    fun `creates config with correct rotation degrees`() {
+        val rotationDegrees = 90
+        val result = runUseCaseTest(rotationDegrees)
+        assertThat(result.rotationDegrees).isEqualTo(rotationDegrees)
+    }
+
+    @Test
+    fun `creates config with correct preview dimensions`() {
+        val result = runUseCaseTest()
+        assertThat(result.previewViewWidth).isEqualTo(800)
+        assertThat(result.previewViewHeight).isEqualTo(600)
+    }
+
+    @Test
+    fun `creates config with cutout rect from bounds use case`() {
+        val result = runUseCaseTest()
+        assertThat(result.cutoutRect).isEqualTo(mockRect)
+    }
+
+    @Test
+    fun `creates complete config with all parameters`() {
+        val rotationDegrees = 180
+        val result = runUseCaseTest(rotationDegrees)
+        assertThat(result).isEqualTo(
+            OcrCropConfig(
+                rotationDegrees = rotationDegrees,
+                cutoutRect = mockRect,
+                previewViewWidth = width800,
+                previewViewHeight = height600,
+            ),
+        )
+    }
+
+    @Test
+    fun `handles zero rotation degrees`() {
+        val result = runUseCaseTest(0)
+        assertThat(result.rotationDegrees).isEqualTo(0)
+    }
+
+    @Test
+    fun `handles different preview dimensions`() {
+        val expectedWith = 1920
+        val expectedHeight = 1080
+        every { mockCameraPreview.width } returns expectedWith
+        every { mockCameraPreview.height } returns expectedHeight
+
+        val result = runUseCaseTest()
+
+        assertThat(result.previewViewWidth).isEqualTo(expectedWith)
+        assertThat(result.previewViewHeight).isEqualTo(expectedHeight)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCaseTest.kt
new file mode 100644
index 0000000000..2c13ec5540
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CalculateLevenshteinDistanceUseCaseTest.kt
@@ -0,0 +1,108 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.assertThat
+import io.mockk.MockKAnnotations
+import org.junit.Before
+import org.junit.Test
+
+internal class CalculateLevenshteinDistanceUseCaseTest {
+    private lateinit var useCase: CalculateLevenshteinDistanceUseCase
+
+    private val kitten = "kitten"
+    private val sitting = "sitting"
+    private val abc = "ABC"
+    private val acd = "ACD"
+    private val hello = "hello"
+    private val emptyString = ""
+    private val singleChar = "A"
+    private val differentSingleChar = "B"
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = CalculateLevenshteinDistanceUseCase()
+    }
+
+    private fun calculateDistance(
+        s1: String,
+        s2: String,
+    ) = useCase(s1, s2)
+
+    @Test
+    fun `returns zero for identical strings`() {
+        val result = calculateDistance(hello, hello)
+        assertThat(result).isEqualTo(0)
+    }
+
+    @Test
+    fun `calculates correct distance for kitten to sitting example`() {
+        val expected = 3
+        val result = calculateDistance(kitten, sitting)
+        assertThat(result).isEqualTo(expected)
+    }
+
+    @Test
+    fun `calculates correct distance for ABC to ACD example`() {
+        val expected = 2
+        val result = calculateDistance(abc, acd)
+        assertThat(result).isEqualTo(expected)
+    }
+
+    @Test
+    fun `returns length when one string is empty`() {
+        val result1 = calculateDistance(emptyString, hello)
+        val result2 = calculateDistance(hello, emptyString)
+
+        assertThat(result1).isEqualTo(hello.length)
+        assertThat(result2).isEqualTo(hello.length)
+    }
+
+    @Test
+    fun `returns zero for two empty strings`() {
+        val result = calculateDistance(emptyString, emptyString)
+        assertThat(result).isEqualTo(0)
+    }
+
+    @Test
+    fun `calculates distance for single character strings`() {
+        val expectedSame = 0
+        val expectedDifferent = 1
+
+        val resultSame = calculateDistance(singleChar, singleChar)
+        val resultDifferent = calculateDistance(singleChar, differentSingleChar)
+
+        assertThat(resultSame).isEqualTo(expectedSame)
+        assertThat(resultDifferent).isEqualTo(expectedDifferent)
+    }
+
+    @Test
+    fun `handles strings with different lengths`() {
+        val short = "cat"
+        val long = "catching"
+        val expected = 5
+
+        val result = calculateDistance(short, long)
+        assertThat(result).isEqualTo(expected)
+    }
+
+    @Test
+    fun `calculates symmetric distance`() {
+        val s1 = "algorithm"
+        val s2 = "altruistic"
+
+        val result1 = calculateDistance(s1, s2)
+        val result2 = calculateDistance(s2, s1)
+
+        assertThat(result1).isEqualTo(result2)
+    }
+
+    @Test
+    fun `calculates distance for completely different strings of same length`() {
+        val s1 = "ABCD"
+        val s2 = "EFGH"
+        val expected = 4
+
+        val result = calculateDistance(s1, s2)
+        assertThat(result).isEqualTo(expected)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCaseTest.kt
new file mode 100644
index 0000000000..6f6e034ec6
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/CropDocumentFromPreviewUseCaseTest.kt
@@ -0,0 +1,177 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.google.common.truth.Truth.assertThat
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.impl.annotations.MockK
+import io.mockk.mockkStatic
+import io.mockk.unmockkStatic
+import io.mockk.verify
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+internal class CropDocumentFromPreviewUseCaseTest {
+    @MockK
+    lateinit var sourceBitmap: Bitmap
+
+    @MockK
+    lateinit var croppedBitmap: Bitmap
+
+    private lateinit var useCase: CropDocumentFromPreviewUseCase
+
+    private val bitmapWidth = 1080
+    private val bitmapHeight = 1920
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        every { sourceBitmap.width } returns bitmapWidth
+        every { sourceBitmap.height } returns bitmapHeight
+
+        useCase = CropDocumentFromPreviewUseCase()
+    }
+
+    @Test
+    fun `crops bitmap with valid cutout rect`() {
+        val cutoutRect = Rect(200, 300, 800, 1500)
+
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                cutoutRect.left,
+                cutoutRect.top,
+                cutoutRect.width(),
+                cutoutRect.height(),
+            )
+        } returns croppedBitmap
+
+        val result = useCase(sourceBitmap, cutoutRect)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                cutoutRect.left,
+                cutoutRect.top,
+                cutoutRect.width(),
+                cutoutRect.height(),
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+
+    @Test
+    fun `clamps cutout rect that extends beyond bitmap bounds`() {
+        val cutoutRect = Rect(-100, -50, bitmapWidth + 200, bitmapHeight + 100)
+        val expectedLeft = 0
+        val expectedTop = 0
+        val expectedRight = bitmapWidth
+        val expectedBottom = bitmapHeight
+
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedRight - expectedLeft,
+                expectedBottom - expectedTop,
+            )
+        } returns croppedBitmap
+
+        val result = useCase(sourceBitmap, cutoutRect)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedRight - expectedLeft,
+                expectedBottom - expectedTop,
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+
+    @Test
+    fun `handles cutout rect with negative coordinates`() {
+        val left = -100
+        val top = -200
+        val right = 500
+        val bottom = 1000
+        val expectedLeft = 0
+        val expectedTop = 0
+        val expectedWidth = right - expectedLeft
+        val expectedHeight = bottom - expectedTop
+        val cutoutRect = Rect(left, top, right, bottom)
+
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedWidth,
+                expectedHeight,
+            )
+        } returns croppedBitmap
+
+        val result = useCase(sourceBitmap, cutoutRect)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedWidth,
+                expectedHeight,
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+
+    @Test
+    fun `handles cutout rect exceeding right and bottom bounds`() {
+        val left = 500
+        val top = 1000
+        val cutoutRect = Rect(left, top, bitmapWidth + 100, bitmapHeight + 200)
+        val expectedRight = bitmapWidth
+        val expectedBottom = bitmapHeight
+        val expectedWidth = expectedRight - left
+        val expectedHeight = expectedBottom - top
+
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                left,
+                top,
+                expectedWidth,
+                expectedHeight,
+            )
+        } returns croppedBitmap
+
+        val result = useCase(sourceBitmap, cutoutRect)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                left,
+                top,
+                expectedWidth,
+                expectedHeight,
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCaseTest.kt
new file mode 100644
index 0000000000..867f2bb634
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/FindBestTextBlockForCredentialUseCaseTest.kt
@@ -0,0 +1,146 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.assertThat
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.impl.annotations.MockK
+import io.mockk.mockk
+import io.mockk.verify
+import org.junit.Before
+import org.junit.Test
+
+internal class FindBestTextBlockForCredentialUseCaseTest {
+    @MockK
+    private lateinit var calculateLevenshteinDistanceUseCase: CalculateLevenshteinDistanceUseCase
+
+    @MockK
+    private lateinit var useCase: FindBestTextBlockForCredentialUseCase
+
+    private val targetCredential = "GHA-123456789-0"
+    private val exactMatch = "GHA-123456789-0"
+    private val closeMatch = "GHA-123456789-1"
+    private val distantMatch = "ABC-987654321-9"
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = FindBestTextBlockForCredentialUseCase(calculateLevenshteinDistanceUseCase)
+    }
+
+    private fun createBlock(readoutValue: String) = mockk<DetectedOcrBlock> {
+        every { this@mockk.readoutValue } returns readoutValue
+        every { copy(readoutValue = any()) } returns this@mockk
+    }
+
+    @Test(expected = IllegalArgumentException::class)
+    fun `throws exception when block list is empty`() {
+        val emptyBlocks = emptyList<DetectedOcrBlock>()
+
+        useCase(targetCredential, emptyBlocks)
+    }
+
+    @Test
+    fun `returns exact match when found`() {
+        val exactMatchBlock = createBlock(exactMatch)
+        val otherBlock = createBlock(closeMatch)
+        val blocks = listOf(otherBlock, exactMatchBlock)
+
+        val result = useCase(targetCredential, blocks)
+
+        assertThat(result).isEqualTo(exactMatchBlock)
+        verify(exactly = 0) { calculateLevenshteinDistanceUseCase(any(), any()) }
+    }
+
+    @Test
+    fun `returns last exact match when multiple found`() {
+        val firstExactMatch = createBlock(exactMatch)
+        val secondExactMatch = createBlock(exactMatch)
+        val blocks = listOf(firstExactMatch, secondExactMatch)
+
+        val result = useCase(targetCredential, blocks)
+
+        assertThat(result).isEqualTo(secondExactMatch)
+    }
+
+    @Test
+    fun `searches blocks in reverse order for exact match`() {
+        val firstBlock = createBlock(closeMatch)
+        val lastBlock = createBlock(exactMatch)
+        val blocks = listOf(firstBlock, lastBlock)
+
+        val result = useCase(targetCredential, blocks)
+
+        assertThat(result).isEqualTo(lastBlock)
+    }
+
+    @Test
+    fun `uses levenshtein distance when no exact match found`() {
+        val closeBlock = createBlock(closeMatch)
+        val distantBlock = createBlock(distantMatch)
+        val blocks = listOf(distantBlock, closeBlock)
+
+        every { calculateLevenshteinDistanceUseCase(targetCredential, closeMatch) } returns 1
+        every { calculateLevenshteinDistanceUseCase(targetCredential, distantMatch) } returns 10
+
+        useCase(targetCredential, blocks)
+
+        verify { calculateLevenshteinDistanceUseCase.invoke(targetCredential, closeMatch) }
+        verify { calculateLevenshteinDistanceUseCase.invoke(targetCredential, distantMatch) }
+        verify { closeBlock.copy(readoutValue = targetCredential) }
+    }
+
+    @Test
+    fun `returns block with smallest levenshtein distance`() {
+        val closeBlock = createBlock(closeMatch)
+        val distantBlock = createBlock(distantMatch)
+        val blocks = listOf(closeBlock, distantBlock)
+
+        every { calculateLevenshteinDistanceUseCase(targetCredential, closeMatch) } returns 1
+        every { calculateLevenshteinDistanceUseCase(targetCredential, distantMatch) } returns 10
+
+        useCase(targetCredential, blocks)
+
+        verify { closeBlock.copy(readoutValue = targetCredential) }
+    }
+
+    @Test
+    fun `updates credential value when using levenshtein distance`() {
+        val block = createBlock(closeMatch)
+        val blocks = listOf(block)
+        val updatedBlock = mockk<DetectedOcrBlock>()
+
+        every { calculateLevenshteinDistanceUseCase(targetCredential, closeMatch) } returns 1
+        every { block.copy(readoutValue = targetCredential) } returns updatedBlock
+
+        val result = useCase(targetCredential, blocks)
+
+        assertThat(result).isEqualTo(updatedBlock)
+        verify { block.copy(readoutValue = targetCredential) }
+    }
+
+    @Test
+    fun `handles single block with exact match`() {
+        val block = createBlock(exactMatch)
+        val blocks = listOf(block)
+
+        val result = useCase(targetCredential, blocks)
+
+        assertThat(result).isEqualTo(block)
+        verify(exactly = 0) { calculateLevenshteinDistanceUseCase.invoke(any(), any()) }
+    }
+
+    @Test
+    fun `handles equal levenshtein distances by returning first found`() {
+        val firstBlock = createBlock(closeMatch)
+        val secondBlock = createBlock(distantMatch)
+        val blocks = listOf(firstBlock, secondBlock)
+
+        every { calculateLevenshteinDistanceUseCase(targetCredential, closeMatch) } returns 1
+        every { calculateLevenshteinDistanceUseCase(targetCredential, distantMatch) } returns 1
+
+        useCase(targetCredential, blocks)
+
+        verify { firstBlock.copy(readoutValue = targetCredential) }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCaseTest.kt
new file mode 100644
index 0000000000..674f5a62da
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetBoundsRelativeToParentUseCaseTest.kt
@@ -0,0 +1,156 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Rect
+import android.view.View
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.google.common.truth.Truth.assertThat
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.mockkStatic
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+internal class GetBoundsRelativeToParentUseCaseTest {
+    private lateinit var useCase: GetBoundsRelativeToParentUseCase
+
+    companion object {
+        private const val PARENT_WIDTH_LARGE = 1000
+        private const val PARENT_HEIGHT_LARGE = 2000
+        private const val PARENT_WIDTH_MEDIUM = 800
+        private const val PARENT_HEIGHT_MEDIUM = 1200
+        private const val PARENT_WIDTH_SMALL = 500
+        private const val PARENT_HEIGHT_SMALL = 500
+
+        private const val CHILD_WIDTH_MEDIUM = 300
+        private const val CHILD_HEIGHT_MEDIUM = 400
+        private const val CHILD_WIDTH_SMALL = 250
+        private const val CHILD_HEIGHT_SMALL = 350
+        private const val CHILD_WIDTH_LARGE = 200
+        private const val CHILD_HEIGHT_LARGE = 200
+
+        private const val LOCATION_X_ORIGIN = 100
+        private const val LOCATION_Y_ORIGIN = 200
+        private const val LOCATION_X_OFFSET = 150
+        private const val LOCATION_Y_OFFSET = 250
+        private const val LOCATION_X_DIFFERENT = 50
+        private const val LOCATION_Y_DIFFERENT = 75
+        private const val LOCATION_X_FAR = 200
+        private const val LOCATION_Y_FAR = 300
+        private const val LOCATION_X_OUTSIDE = 50
+        private const val LOCATION_Y_OUTSIDE = 50
+    }
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = GetBoundsRelativeToParentUseCase()
+    }
+
+    @Test
+    fun `calculates bounds when child is at parent origin`() {
+        val (parent, child) = setupViews(
+            parentLocation = intArrayOf(LOCATION_X_ORIGIN, LOCATION_Y_ORIGIN),
+            childLocation = intArrayOf(LOCATION_X_ORIGIN, LOCATION_Y_ORIGIN),
+            parentWidth = PARENT_WIDTH_LARGE,
+            parentHeight = PARENT_HEIGHT_LARGE,
+            childWidth = CHILD_WIDTH_MEDIUM,
+            childHeight = CHILD_HEIGHT_MEDIUM,
+        )
+
+        val result = useCase(parent, child)
+
+        val expectedRect = Rect(0, 0, CHILD_WIDTH_MEDIUM, CHILD_HEIGHT_MEDIUM)
+        assertThat(result).isEqualTo(expectedRect)
+    }
+
+    @Test
+    fun `calculates bounds when child is offset from parent`() {
+        val (parent, child) = setupViews(
+            parentLocation = intArrayOf(LOCATION_X_ORIGIN, LOCATION_Y_ORIGIN),
+            childLocation = intArrayOf(LOCATION_X_OFFSET, LOCATION_Y_OFFSET),
+            parentWidth = PARENT_WIDTH_LARGE,
+            parentHeight = PARENT_HEIGHT_LARGE,
+            childWidth = CHILD_WIDTH_MEDIUM,
+            childHeight = CHILD_HEIGHT_MEDIUM,
+        )
+
+        val result = useCase(parent, child)
+
+        val offsetX = LOCATION_X_OFFSET - LOCATION_X_ORIGIN
+        val offsetY = LOCATION_Y_OFFSET - LOCATION_Y_ORIGIN
+        val expectedRect = Rect(offsetX, offsetY, offsetX + CHILD_WIDTH_MEDIUM, offsetY + CHILD_HEIGHT_MEDIUM)
+        assertThat(result).isEqualTo(expectedRect)
+    }
+
+    @Test
+    fun `calculates bounds when parent and child have different screen positions`() {
+        val (parent, child) = setupViews(
+            parentLocation = intArrayOf(LOCATION_X_DIFFERENT, LOCATION_Y_DIFFERENT),
+            childLocation = intArrayOf(LOCATION_X_FAR, LOCATION_Y_FAR),
+            parentWidth = PARENT_WIDTH_MEDIUM,
+            parentHeight = PARENT_HEIGHT_MEDIUM,
+            childWidth = CHILD_WIDTH_SMALL,
+            childHeight = CHILD_HEIGHT_SMALL,
+        )
+
+        val result = useCase(parent, child)
+
+        val offsetX = LOCATION_X_FAR - LOCATION_X_DIFFERENT
+        val offsetY = LOCATION_Y_FAR - LOCATION_Y_DIFFERENT
+        val expectedRect = Rect(offsetX, offsetY, offsetX + CHILD_WIDTH_SMALL, offsetY + CHILD_HEIGHT_SMALL)
+        assertThat(result).isEqualTo(expectedRect)
+    }
+
+    @Test
+    fun `calculates bounds when child is partially outside parent bounds`() {
+        val (parent, child) = setupViews(
+            parentLocation = intArrayOf(LOCATION_X_ORIGIN, LOCATION_Y_ORIGIN),
+            childLocation = intArrayOf(LOCATION_X_OUTSIDE, LOCATION_Y_OUTSIDE),
+            parentWidth = PARENT_WIDTH_SMALL,
+            parentHeight = PARENT_HEIGHT_SMALL,
+            childWidth = CHILD_WIDTH_LARGE,
+            childHeight = CHILD_HEIGHT_LARGE,
+        )
+
+        val result = useCase(parent, child)
+
+        val offsetX = LOCATION_X_OUTSIDE - LOCATION_X_ORIGIN
+        val offsetY = LOCATION_Y_OUTSIDE - LOCATION_Y_ORIGIN
+        val expectedRect = Rect(offsetX, offsetY, offsetX + CHILD_WIDTH_LARGE, offsetY + CHILD_HEIGHT_LARGE)
+        assertThat(result).isEqualTo(expectedRect)
+    }
+
+    private fun setupViews(
+        parentLocation: IntArray,
+        childLocation: IntArray,
+        parentWidth: Int,
+        parentHeight: Int,
+        childWidth: Int,
+        childHeight: Int,
+    ): Pair<View, View> {
+        val parent = mockk<View>()
+        val child = mockk<View>()
+
+        mockkStatic("android.view.View")
+        every { parent.getLocationOnScreen(any()) } answers {
+            val location = firstArg<IntArray>()
+            location[0] = parentLocation[0]
+            location[1] = parentLocation[1]
+        }
+        every { child.getLocationOnScreen(any()) } answers {
+            val location = firstArg<IntArray>()
+            location[0] = childLocation[0]
+            location[1] = childLocation[1]
+        }
+
+        every { parent.width } returns parentWidth
+        every { parent.height } returns parentHeight
+        every { child.width } returns childWidth
+        every { child.height } returns childHeight
+
+        return Pair(parent, child)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCaseTest.kt
new file mode 100644
index 0000000000..f01f85ad15
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GetExternalCredentialBasedOnConfidenceUseCaseTest.kt
@@ -0,0 +1,137 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.assertThat
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.mockk
+import org.junit.Before
+import org.junit.Test
+
+internal class GetExternalCredentialBasedOnConfidenceUseCaseTest {
+    private lateinit var useCase: GetExternalCredentialBasedOnConfidenceUseCase
+
+    private val credentialLength3 = 3
+    private val credentialLengthNhis = 8
+    private val credentialLengthGhanaID = 15
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = GetExternalCredentialBasedOnConfidenceUseCase()
+    }
+
+    private fun createBlock(value: String) = mockk<DetectedOcrBlock> {
+        every { readoutValue } returns value
+    }
+
+    @Test
+    fun `returns most frequent character at each position`() {
+        val blocks = listOf(
+            createBlock("ABC"),
+            createBlock("ACD"),
+            createBlock("CCD"),
+        )
+
+        val result = useCase(blocks, credentialLength3)
+
+        assertThat(result).isEqualTo("ACD")
+    }
+
+    @Test
+    fun `returns single value when only one block provided`() {
+        val nhisMembership = "12345678"
+        val blocks = listOf(createBlock(nhisMembership))
+
+        val result = useCase(blocks, credentialLengthNhis)
+
+        assertThat(result).isEqualTo(nhisMembership)
+    }
+
+    @Test
+    fun `filters out blocks with different lengths`() {
+        val blocks = listOf(
+            createBlock("ABCDE"),
+            createBlock("ACD"),
+            createBlock("ACDGH"),
+        )
+
+        val result = useCase(blocks, credentialLength3)
+
+        assertThat(result).isEqualTo("ACD")
+    }
+
+    @Test
+    fun `handles identical strings correctly`() {
+        val nhisMembership = "12345678"
+        val blocks = listOf(
+            createBlock(nhisMembership),
+            createBlock(nhisMembership),
+            createBlock(nhisMembership),
+        )
+
+        val result = useCase(blocks, credentialLengthNhis)
+
+        assertThat(result).isEqualTo(nhisMembership)
+    }
+
+    @Test(expected = IllegalArgumentException::class)
+    fun `throws exception when block list is empty`() {
+        val blocks = emptyList<DetectedOcrBlock>()
+
+        useCase(blocks, credentialLength3)
+    }
+
+    @Test(expected = IllegalArgumentException::class)
+    fun `throws exception when all blocks filtered out by length`() {
+        val blocks = listOf(
+            createBlock("AB"),
+            createBlock("ABCD"),
+            createBlock("ABCDE"),
+        )
+
+        useCase(blocks, credentialLength3)
+    }
+
+    @Test
+    fun `handles single character strings`() {
+        val blocks = listOf(
+            createBlock("A"),
+            createBlock("B"),
+            createBlock("A"),
+        )
+
+        val result = useCase(blocks, 1)
+
+        assertThat(result).isEqualTo("A")
+    }
+
+    @Test
+    fun `constructs credential from multiple varying positions`() {
+        val ghanaId = "GHA-123456789-0"
+        val blocks = listOf(
+            createBlock("GHA-123456789-0"),
+            createBlock("GHA-123456789-1"),
+            createBlock("GHA-123456789-0"),
+        )
+
+        val result = useCase(blocks, credentialLengthGhanaID)
+
+        assertThat(result).isEqualTo(ghanaId)
+    }
+
+    @Test
+    fun `uses only blocks matching credential length`() {
+        val targetLength = 5
+        val blocks = listOf(
+            createBlock("ABCDE"),
+            createBlock("FGHIJ"),
+            createBlock("AB"),
+            createBlock("ABCDEFGH"),
+        )
+
+        val result = useCase(blocks, targetLength)
+
+        assertThat(result.length).isEqualTo(targetLength)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCaseTest.kt
new file mode 100644
index 0000000000..121662b35b
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaIdCardOcrSelectorUseCaseTest.kt
@@ -0,0 +1,49 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.assertThat
+import io.mockk.MockKAnnotations
+import org.junit.Before
+import org.junit.Test
+
+internal class GhanaIdCardOcrSelectorUseCaseTest {
+    private lateinit var useCase: GhanaIdCardOcrSelectorUseCase
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = GhanaIdCardOcrSelectorUseCase()
+    }
+
+    @Test
+    fun `Returns true for valid Ghana ID formats`() {
+        val validIds = listOf(
+            "GHA-123456789-0",
+            "GHA-987654321-5",
+            "GHA-000000000-9",
+        )
+
+        validIds.forEach { id ->
+            assertThat(useCase(id)).isTrue()
+        }
+    }
+
+    @Test
+    fun `Returns false for invalid Ghana ID formats`() {
+        val invalidIds = listOf(
+            "GHB-123456789-0",
+            "GHA123456789-0",
+            "GHA-1234567890",
+            "GHA-12345678-0",
+            "GHA-1234567890-0",
+            "GHA-12345678A-0",
+            "GHA-123456789-A",
+            "GHA-123456789-01",
+            "",
+            "GHA-123456789-0 ",
+        )
+
+        invalidIds.forEach { id ->
+            assertThat(useCase(id)).isFalse()
+        }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCaseTest.kt
new file mode 100644
index 0000000000..52816d93ec
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/GhanaNhisCardOcrSelectorUseCaseTest.kt
@@ -0,0 +1,44 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.assertThat
+import io.mockk.MockKAnnotations
+import org.junit.Before
+import org.junit.Test
+
+internal class GhanaNhisCardOcrSelectorUseCaseTest {
+    private lateinit var useCase: GhanaNhisCardOcrSelectorUseCase
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = GhanaNhisCardOcrSelectorUseCase()
+    }
+
+    @Test
+    fun `Returns true for valid NHIS membership numbers`() {
+        val validNumbers = listOf(
+            "12345678",
+            "98765432",
+            "00000000",
+        )
+
+        validNumbers.forEach { number ->
+            assertThat(useCase(number)).isTrue()
+        }
+    }
+
+    @Test
+    fun `Returns false for invalid NHIS membership numbers`() {
+        val invalidNumbers = listOf(
+            "1234567",
+            "123456789",
+            "1234567A",
+            "12345-78",
+            "",
+        )
+
+        invalidNumbers.forEach { number ->
+            assertThat(useCase(number)).isFalse()
+        }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCaseTest.kt
new file mode 100644
index 0000000000..0a21921094
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/KeepOnlyBestDetectedBlockUseCaseTest.kt
@@ -0,0 +1,159 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import com.google.common.truth.Truth.*
+import com.simprints.feature.externalcredential.screens.scanocr.model.DetectedOcrBlock
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrDocumentType
+import com.simprints.infra.credential.store.CredentialImageRepository
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Test
+
+internal class KeepOnlyBestDetectedBlockUseCaseTest {
+    @MockK
+    private lateinit var getExternalCredentialBasedOnConfidenceUseCase: GetExternalCredentialBasedOnConfidenceUseCase
+
+    @MockK
+    private lateinit var findBestTextBlockForCredentialUseCase: FindBestTextBlockForCredentialUseCase
+
+    @MockK
+    private lateinit var credentialImageRepository: CredentialImageRepository
+
+    private lateinit var useCase: KeepOnlyBestDetectedBlockUseCase
+
+    private val bestBlockImagePath = "/path/to/best/image.jpg"
+    private val otherBlockImagePath1 = "/path/to/other1/image.jpg"
+    private val otherBlockImagePath2 = "/path/to/other2/image.jpg"
+    private val credentialNhis = "12345678"
+    private val credentialGhanaId = "GHA-123456789-0"
+    private val credentialLengthNhis = credentialNhis.length
+    private val credentialLengthGhanaID = credentialGhanaId.length
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = KeepOnlyBestDetectedBlockUseCase(
+            getExternalCredentialBasedOnConfidenceUseCase = getExternalCredentialBasedOnConfidenceUseCase,
+            findBestTextBlockForCredentialUseCase = findBestTextBlockForCredentialUseCase,
+            credentialImageRepository = credentialImageRepository,
+        )
+    }
+
+    private fun createMockBlock(imagePath: String) = mockk<DetectedOcrBlock> {
+        every { this@mockk.imagePath } returns imagePath
+    }
+
+    @Test
+    fun `returns best block and deletes other cached images for NHIS card`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val otherBlock1 = createMockBlock(otherBlockImagePath1)
+        val otherBlock2 = createMockBlock(otherBlockImagePath2)
+        val allBlocks = listOf(bestBlock, otherBlock1, otherBlock2)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthNhis) } returns credentialNhis
+        every { findBestTextBlockForCredentialUseCase(credentialNhis, allBlocks) } returns bestBlock
+
+        val result = useCase(allBlocks, OcrDocumentType.NhisCard)
+
+        assertThat(result).isEqualTo(bestBlock)
+        coVerify { credentialImageRepository.deleteByPath(otherBlockImagePath1) }
+        coVerify { credentialImageRepository.deleteByPath(otherBlockImagePath2) }
+        coVerify(exactly = 0) { credentialImageRepository.deleteByPath(bestBlockImagePath) }
+    }
+
+    @Test
+    fun `returns best block and deletes other cached images for Ghana ID card`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val otherBlock1 = createMockBlock(otherBlockImagePath1)
+        val otherBlock2 = createMockBlock(otherBlockImagePath2)
+        val allBlocks = listOf(bestBlock, otherBlock1, otherBlock2)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthGhanaID) } returns credentialGhanaId
+        every { findBestTextBlockForCredentialUseCase(credentialGhanaId, allBlocks) } returns bestBlock
+
+        val result = useCase(allBlocks, OcrDocumentType.GhanaIdCard)
+
+        assertThat(result).isEqualTo(bestBlock)
+        coVerify { credentialImageRepository.deleteByPath(otherBlockImagePath1) }
+        coVerify { credentialImageRepository.deleteByPath(otherBlockImagePath2) }
+        coVerify(exactly = 0) { credentialImageRepository.deleteByPath(bestBlockImagePath) }
+    }
+
+    @Test
+    fun `uses correct credential length for NHIS card`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val allBlocks = listOf(bestBlock)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthNhis) } returns credentialNhis
+        every { findBestTextBlockForCredentialUseCase(credentialNhis, allBlocks) } returns bestBlock
+
+        useCase(allBlocks, OcrDocumentType.NhisCard)
+
+        verify { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthNhis) }
+    }
+
+    @Test
+    fun `uses correct credential length for Ghana ID card`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val allBlocks = listOf(bestBlock)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthGhanaID) } returns credentialGhanaId
+        every { findBestTextBlockForCredentialUseCase(credentialGhanaId, allBlocks) } returns bestBlock
+
+        useCase(allBlocks, OcrDocumentType.GhanaIdCard)
+
+        verify { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthGhanaID) }
+    }
+
+    @Test
+    fun `does not delete any images when only one block exists`() = runTest {
+        val singleBlock = createMockBlock(bestBlockImagePath)
+        val allBlocks = listOf(singleBlock)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthNhis) } returns credentialNhis
+        every { findBestTextBlockForCredentialUseCase(credentialNhis, allBlocks) } returns singleBlock
+
+        val result = useCase(allBlocks, OcrDocumentType.NhisCard)
+
+        assertThat(result).isEqualTo(singleBlock)
+        coVerify(exactly = 0) { credentialImageRepository.deleteByPath(any()) }
+    }
+
+    @Test
+    fun `passes credential to find best block use case`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val allBlocks = listOf(bestBlock)
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(allBlocks, credentialLengthNhis) } returns credentialNhis
+        every { findBestTextBlockForCredentialUseCase(credentialNhis, allBlocks) } returns bestBlock
+
+        useCase(allBlocks, OcrDocumentType.NhisCard)
+
+        verify { findBestTextBlockForCredentialUseCase(credentialNhis, allBlocks) }
+    }
+
+    @Test
+    fun `deletes multiple other images but keeps best block image`() = runTest {
+        val bestBlock = createMockBlock(bestBlockImagePath)
+        val blocks = listOf(
+            createMockBlock("/path1.jpg"),
+            createMockBlock("/path2.jpg"),
+            bestBlock,
+            createMockBlock("/path3.jpg"),
+            createMockBlock("/path4.jpg"),
+        )
+        val mockCredential = "GHA-123456789-0"
+
+        every { getExternalCredentialBasedOnConfidenceUseCase(blocks, credentialLengthGhanaID) } returns mockCredential
+        every { findBestTextBlockForCredentialUseCase(mockCredential, blocks) } returns bestBlock
+
+        useCase(blocks, OcrDocumentType.GhanaIdCard)
+
+        coVerify { credentialImageRepository.deleteByPath("/path1.jpg") }
+        coVerify { credentialImageRepository.deleteByPath("/path2.jpg") }
+        coVerify { credentialImageRepository.deleteByPath("/path3.jpg") }
+        coVerify { credentialImageRepository.deleteByPath("/path4.jpg") }
+        coVerify(exactly = 0) { credentialImageRepository.deleteByPath(bestBlockImagePath) }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCaseTest.kt
new file mode 100644
index 0000000000..468212b0d5
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/NormalizeBitmapToPreviewUseCaseTest.kt
@@ -0,0 +1,103 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Matrix
+import android.graphics.Rect
+import androidx.core.graphics.scale
+import com.google.common.truth.Truth.*
+import com.simprints.feature.externalcredential.screens.scanocr.model.OcrCropConfig
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.After
+import org.junit.Before
+import org.junit.Test
+
+internal class NormalizeBitmapToPreviewUseCaseTest {
+    @MockK
+    private lateinit var inputBitmap: Bitmap
+
+    @MockK
+    private lateinit var rotatedBitmap: Bitmap
+
+    @MockK
+    private lateinit var croppedBitmap: Bitmap
+
+    @MockK
+    private lateinit var scaledBitmap: Bitmap
+
+    private lateinit var useCase: NormalizeBitmapToPreviewUseCase
+
+    private val inputWidth = 1920
+    private val inputHeight = 1080
+    private val previewWidth = 800
+    private val previewHeight = 600
+    private val rotationDegrees = 90
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        mockkStatic(Bitmap::class)
+        mockkStatic("androidx.core.graphics.BitmapKt")
+        mockkConstructor(Matrix::class)
+
+        every { inputBitmap.width } returns inputWidth
+        every { inputBitmap.height } returns inputHeight
+        every { rotatedBitmap.width } returns inputHeight
+        every { rotatedBitmap.height } returns inputWidth
+        every { anyConstructed<Matrix>().postRotate(any()) } returns true
+        every { croppedBitmap.scale(any(), any()) } returns scaledBitmap
+
+        useCase = NormalizeBitmapToPreviewUseCase()
+    }
+
+    @After
+    fun tearDown() {
+        unmockkStatic(Bitmap::class)
+        unmockkStatic("androidx.core.graphics.BitmapKt")
+        unmockkConstructor(Matrix::class)
+    }
+
+    @Test
+    fun `returns original bitmap when no rotation is needed`() = runTest {
+        val cropConfig = createCropConfig(rotationDegrees = 0)
+
+        every {
+            Bitmap.createBitmap(inputBitmap, any(), any(), any(), any())
+        } returns croppedBitmap
+
+        val result = useCase(inputBitmap, cropConfig)
+
+        assertThat(result).isEqualTo(scaledBitmap)
+        verify(exactly = 0) { Bitmap.createBitmap(inputBitmap, 0, 0, inputWidth, inputHeight, any(), true) }
+        verify { Bitmap.createBitmap(inputBitmap, any(), any(), any(), any()) }
+        verify { croppedBitmap.scale(previewWidth, previewHeight) }
+    }
+
+    @Test
+    fun `returns scaled bitmap after rotation cropping and scaling`() = runTest {
+        val cropConfig = createCropConfig(rotationDegrees)
+
+        every {
+            Bitmap.createBitmap(inputBitmap, 0, 0, inputWidth, inputHeight, any(), true)
+        } returns rotatedBitmap
+
+        every {
+            Bitmap.createBitmap(rotatedBitmap, any(), any(), any(), any())
+        } returns croppedBitmap
+
+        val result = useCase(inputBitmap, cropConfig)
+
+        assertThat(result).isEqualTo(scaledBitmap)
+        verify { Bitmap.createBitmap(inputBitmap, 0, 0, inputWidth, inputHeight, any(), true) }
+        verify { croppedBitmap.scale(previewWidth, previewHeight) }
+    }
+
+    private fun createCropConfig(rotationDegrees: Int) = OcrCropConfig(
+        rotationDegrees = rotationDegrees,
+        cutoutRect = Rect(0, 0, 100, 100),
+        previewViewWidth = previewWidth,
+        previewViewHeight = previewHeight,
+    )
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCaseTest.kt
new file mode 100644
index 0000000000..47f2bec24b
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanocr/usecase/ZoomOntoCredentialUseCaseTest.kt
@@ -0,0 +1,153 @@
+package com.simprints.feature.externalcredential.screens.scanocr.usecase
+
+import android.graphics.Bitmap
+import android.graphics.BitmapFactory
+import com.google.common.truth.Truth.*
+import com.simprints.feature.externalcredential.model.BoundingBox
+import io.mockk.*
+import org.junit.Before
+import org.junit.Test
+
+class ZoomOntoCredentialUseCaseTest {
+    private lateinit var useCase: ZoomOntoCredentialUseCase
+    private lateinit var mockBitmap: Bitmap
+    private val bitmapWidth = 1600
+    private val bitmapHeight = 1000 // 16:10
+    private val imagePath = "path"
+
+    @Before
+    fun setUp() {
+        useCase = ZoomOntoCredentialUseCase()
+        mockkStatic(BitmapFactory::class)
+        mockBitmap = mockk {
+            every { width } returns bitmapWidth
+            every { height } returns bitmapHeight
+        }
+        every { BitmapFactory.decodeFile(any()) } returns mockBitmap
+    }
+
+    @Test
+    fun `returns original bitmap when bounding box has zero width`() {
+        val boundingBox = BoundingBox(left = 100, top = 100, right = 100, bottom = 200)
+        val result = useCase(imagePath, boundingBox)
+        assertThat(result).isEqualTo(mockBitmap)
+    }
+
+    @Test
+    fun `returns original bitmap when bounding box has zero height`() {
+        val boundingBox = BoundingBox(left = 100, top = 100, right = 200, bottom = 100)
+        val result = useCase(imagePath, boundingBox)
+        assertThat(result).isEqualTo(mockBitmap)
+    }
+
+    @Test
+    fun `adjusts crop area to fit 16 to 10 aspect ratio when box is wider`() {
+        val boundingBox = BoundingBox(left = 100, top = 400, right = 500, bottom = 500)
+        runAspectRatioTest(boundingBox)
+    }
+
+    @Test
+    fun `adjusts crop area to fit 16 to 10 aspect ratio when box is taller`() {
+        val boundingBox = BoundingBox(left = 400, top = 100, right = 500, bottom = 500)
+        runAspectRatioTest(boundingBox)
+    }
+
+    @Test
+    fun `clamps crop area to bitmap boundaries when expansion exceeds left edge`() {
+        val boundingBox = BoundingBox(left = 10, top = 400, right = 110, bottom = 500)
+        runEdgeClampingTest(boundingBox)
+    }
+
+    @Test
+    fun `clamps crop area to bitmap boundaries when expansion exceeds right edge`() {
+        val boundingBox = BoundingBox(left = 890, top = 400, right = 990, bottom = 500)
+        runEdgeClampingTest(boundingBox)
+    }
+
+    @Test
+    fun `clamps crop area to bitmap boundaries when expansion exceeds top edge`() {
+        val boundingBox = BoundingBox(left = 400, top = 10, right = 500, bottom = 110)
+        runEdgeClampingTest(boundingBox)
+    }
+
+    @Test
+    fun `clamps crop area to bitmap boundaries when expansion exceeds bottom edge`() {
+        val boundingBox = BoundingBox(left = 400, top = 890, right = 500, bottom = 990)
+        runEdgeClampingTest(boundingBox)
+    }
+
+    @Test
+    fun `handles bounding box in center of image correctly`() {
+        val boundingBox = BoundingBox(left = 400, top = 400, right = 600, bottom = 500)
+        val croppedBitmap = mockk<Bitmap>()
+        val capturedLeft = slot<Int>()
+        val capturedTop = slot<Int>()
+        val capturedWidth = slot<Int>()
+        val capturedHeight = slot<Int>()
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                any<Bitmap>(),
+                capture(capturedLeft),
+                capture(capturedTop),
+                capture(capturedWidth),
+                capture(capturedHeight),
+            )
+        } returns croppedBitmap
+        useCase(imagePath, boundingBox)
+
+        // Double checking that aspect ratio remains 16:10
+        val aspectRatio = capturedWidth.captured.toFloat() / capturedHeight.captured.toFloat()
+        assertThat(aspectRatio).isWithin(0.01f).of(1.6f)
+
+        assertThat(capturedLeft.captured).isAtLeast(0)
+        assertThat(capturedTop.captured).isAtLeast(0)
+        assertThat(capturedLeft.captured + capturedWidth.captured).isAtMost(bitmapWidth)
+        assertThat(capturedTop.captured + capturedHeight.captured).isAtMost(bitmapHeight)
+    }
+
+    private fun runAspectRatioTest(boundingBox: BoundingBox) {
+        val croppedBitmap = mockk<Bitmap>()
+        val capturedWidth = slot<Int>()
+        val capturedHeight = slot<Int>()
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(any<Bitmap>(), any(), any(), capture(capturedWidth), capture(capturedHeight))
+        } returns croppedBitmap
+
+        useCase(imagePath, boundingBox)
+        val aspectRatio = capturedWidth.captured.toFloat() / capturedHeight.captured.toFloat()
+        assertThat(aspectRatio).isWithin(0.01f).of(1.6f)
+    }
+
+    private fun runEdgeClampingTest(boundingBox: BoundingBox) {
+        val croppedBitmap = mockk<Bitmap>()
+        val capturedLeft = slot<Int>()
+        val capturedTop = slot<Int>()
+        val capturedWidth = slot<Int>()
+        val capturedHeight = slot<Int>()
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                any<Bitmap>(),
+                capture(capturedLeft),
+                capture(capturedTop),
+                capture(capturedWidth),
+                capture(capturedHeight),
+            )
+        } returns croppedBitmap
+
+        useCase(imagePath, boundingBox)
+
+        // Crop area should stay within the bitmap boundaries
+        assertThat(capturedLeft.captured).isAtLeast(0)
+        assertThat(capturedTop.captured).isAtLeast(0)
+        assertThat(capturedLeft.captured + capturedWidth.captured).isAtMost(bitmapWidth)
+        assertThat(capturedTop.captured + capturedHeight.captured).isAtMost(bitmapHeight)
+    }
+
+    private fun mockBitmapCreation(croppedBitmap: Bitmap) {
+        mockkStatic(Bitmap::class)
+        every { Bitmap.createBitmap(any<Bitmap>(), any(), any(), any(), any()) } returns croppedBitmap
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModelTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModelTest.kt
new file mode 100644
index 0000000000..eaa430a722
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/scanqr/ExternalCredentialScanQrViewModelTest.kt
@@ -0,0 +1,135 @@
+package com.simprints.feature.externalcredential.screens.scanqr
+
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import com.google.common.truth.Truth.*
+import com.jraska.livedata.test
+import com.simprints.core.domain.permission.PermissionStatus
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.scanqr.usecase.ExternalCredentialQrCodeValidatorUseCase
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.testtools.common.coroutines.TestCoroutineRule
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Rule
+import org.junit.Test
+
+internal class ExternalCredentialScanQrViewModelTest {
+    @get:Rule
+    val testCoroutineRule = TestCoroutineRule()
+
+    @get:Rule
+    val instantExecutorRule = InstantTaskExecutorRule()
+
+    @MockK
+    private lateinit var timeHelper: TimeHelper
+
+    @MockK
+    private lateinit var validator: ExternalCredentialQrCodeValidatorUseCase
+
+    @MockK
+    private lateinit var tokenizationProcessor: TokenizationProcessor
+
+    @MockK
+    private lateinit var authStore: AuthStore
+
+    @MockK
+    private lateinit var configManager: ConfigManager
+
+    private lateinit var viewModel: ExternalCredentialScanQrViewModel
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        viewModel = ExternalCredentialScanQrViewModel(
+            timeHelper = timeHelper,
+            externalCredentialQrCodeValidator = validator,
+            tokenizationProcessor = tokenizationProcessor,
+            configManager = configManager,
+            authStore = authStore,
+        )
+
+        every { timeHelper.now() } returns Timestamp(1L)
+    }
+
+    @Test
+    fun `initial state is ReadyToScan`() {
+        val observer = viewModel.stateLiveData.test()
+        assertThat(observer.value()).isEqualTo(ScanQrState.ReadyToScan)
+    }
+
+    @Test
+    fun `updateCapturedValue with null sets ReadyToScan`() = runTest {
+        val observer = viewModel.stateLiveData.test()
+        viewModel.updateCapturedValue(null)
+        assertThat(observer.value()).isEqualTo(ScanQrState.ReadyToScan)
+    }
+
+    @Test
+    fun `updateCapturedValue with non-null sets QrCodeCaptured`() = runTest {
+        val observer = viewModel.stateLiveData.test()
+        val value = "value"
+        val projectId = "projectId"
+        val mockProject = mockk<Project>()
+        val mockTokenizedCredential = mockk<TokenizableString.Tokenized>()
+
+        every { authStore.signedInProjectId } returns projectId
+        coEvery { configManager.getProject(projectId) } returns mockProject
+        coEvery { tokenizationProcessor.encrypt(any(), TokenKeyType.ExternalCredential, mockProject) } returns mockTokenizedCredential
+
+        viewModel.updateCameraPermissionStatus(permissionStatus = PermissionStatus.Granted) // inits the capture timing
+        viewModel.updateCapturedValue(value)
+
+        val expected = ScanQrState.QrCodeCaptured(
+            scanStartTime = Timestamp(1L),
+            scanEndTime = Timestamp(1L),
+            qrCode = value.asTokenizableRaw(),
+            qrCodeEncrypted = mockTokenizedCredential,
+        )
+        assertThat(observer.value()).isEqualTo(expected)
+    }
+
+    @Test
+    fun `updateCameraPermissionStatus with Granted sets ReadyToScan`() {
+        val observer = viewModel.stateLiveData.test()
+        viewModel.updateCameraPermissionStatus(PermissionStatus.Granted)
+        assertThat(observer.value()).isEqualTo(ScanQrState.ReadyToScan)
+    }
+
+    @Test
+    fun `updateCameraPermissionStatus with Denied sets NoCameraPermission false`() {
+        val observer = viewModel.stateLiveData.test()
+        viewModel.updateCameraPermissionStatus(PermissionStatus.Denied)
+        assertThat(observer.value()).isEqualTo(
+            ScanQrState.NoCameraPermission(shouldOpenPhoneSettings = false),
+        )
+    }
+
+    @Test
+    fun `updateCameraPermissionStatus with DeniedNeverAskAgain sets NoCameraPermission true`() {
+        val observer = viewModel.stateLiveData.test()
+        viewModel.updateCameraPermissionStatus(PermissionStatus.DeniedNeverAskAgain)
+        assertThat(observer.value()).isEqualTo(
+            ScanQrState.NoCameraPermission(shouldOpenPhoneSettings = true),
+        )
+    }
+
+    @Test
+    fun `isValidQrCodeFormat uses validator to validate`() {
+        val validValue = "validValue".asTokenizableRaw()
+        val invalidValue = "invalidValue".asTokenizableRaw()
+        every { validator.invoke(validValue.value) } returns true
+        every { validator.invoke(invalidValue.value) } returns false
+
+        assertThat(viewModel.isValidQrCodeFormat(validValue)).isTrue()
+        assertThat(viewModel.isValidQrCodeFormat(invalidValue)).isFalse()
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModelTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModelTest.kt
new file mode 100644
index 0000000000..e72cf4d9a9
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/ExternalCredentialSearchViewModelTest.kt
@@ -0,0 +1,306 @@
+package com.simprints.feature.externalcredential.screens.search
+
+import android.text.InputType
+import androidx.arch.core.executor.testing.InstantTaskExecutorRule
+import com.google.common.truth.Truth.*
+import com.jraska.livedata.test
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.model.CredentialMatch
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.SearchCredentialState
+import com.simprints.feature.externalcredential.screens.search.model.SearchState
+import com.simprints.feature.externalcredential.screens.search.usecase.MatchCandidatesUseCase
+import com.simprints.feature.externalcredential.usecase.ExternalCredentialEventTrackerUseCase
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.Subject
+import com.simprints.testtools.common.coroutines.TestCoroutineRule
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Rule
+import org.junit.Test
+import com.simprints.infra.resources.R as IDR
+
+internal class ExternalCredentialSearchViewModelTest {
+    @get:Rule
+    val rule = InstantTaskExecutorRule()
+
+    @get:Rule
+    val testCoroutineRule = TestCoroutineRule()
+
+    @MockK
+    lateinit var timeHelper: TimeHelper
+
+    @MockK
+    lateinit var authStore: AuthStore
+
+    @MockK
+    lateinit var configManager: ConfigManager
+
+    @MockK
+    lateinit var matchCandidatesUseCase: MatchCandidatesUseCase
+
+    @MockK
+    lateinit var project: com.simprints.infra.config.store.models.Project
+
+    @MockK
+    lateinit var projectConfig: ProjectConfiguration
+
+    @MockK
+    lateinit var subject: Subject
+
+    @MockK
+    lateinit var candidateMatch: CredentialMatch
+
+    @MockK
+    lateinit var mockScannedCredential: ScannedCredential
+
+    @MockK
+    lateinit var externalCredentialParams: ExternalCredentialParams
+
+    @MockK
+    private lateinit var tokenizationProcessor: TokenizationProcessor
+
+    @MockK
+    private lateinit var enrolmentRecordRepository: EnrolmentRecordRepository
+
+    @MockK
+    lateinit var eventsTracker: ExternalCredentialEventTrackerUseCase
+
+    private lateinit var viewModel: ExternalCredentialSearchViewModel
+
+    private val projectId = "projectId"
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        every { timeHelper.now() } returns Timestamp(1L)
+        every { authStore.signedInProjectId } returns projectId
+        coEvery { configManager.getProject(projectId) } returns project
+        coEvery { configManager.getProjectConfiguration() } returns projectConfig
+        coJustRun { eventsTracker.saveSearchEvent(any(), any(), any()) }
+        coJustRun { eventsTracker.saveConfirmation(any(), any()) }
+        viewModel = createViewModel()
+    }
+
+    fun createViewModel() = ExternalCredentialSearchViewModel(
+        scannedCredential = mockScannedCredential,
+        externalCredentialParams = externalCredentialParams,
+        timeHelper = timeHelper,
+        authStore = authStore,
+        configManager = configManager,
+        matchCandidatesUseCase = matchCandidatesUseCase,
+        tokenizationProcessor = tokenizationProcessor,
+        enrolmentRecordRepository = enrolmentRecordRepository,
+        eventsTracker = eventsTracker,
+    )
+
+    @Test
+    fun `initial state starts searching when credential not found`() = runTest {
+        val decryptedCredential = mockk<TokenizableString.Raw>()
+        coEvery { tokenizationProcessor.decrypt(any(), TokenKeyType.ExternalCredential, project) } returns decryptedCredential
+        coEvery { enrolmentRecordRepository.load(any()) } returns emptyList()
+
+        viewModel = createViewModel()
+        val observer = viewModel.stateLiveData.test()
+
+        assertThat(observer.value()?.searchState).isEqualTo(SearchState.CredentialNotFound)
+        assertThat(observer.value()?.scannedCredential).isEqualTo(mockScannedCredential)
+        assertThat(observer.value()?.isConfirmed).isFalse()
+        assertThat(observer.value()?.displayedCredential).isEqualTo(decryptedCredential)
+        coVerify { eventsTracker.saveSearchEvent(any(), any(), any()) }
+    }
+
+    @Test
+    fun `initial state searches and finds linked credential`() = runTest {
+        val decryptedCredential = mockk<TokenizableString.Raw>()
+        coEvery { tokenizationProcessor.decrypt(any(), TokenKeyType.ExternalCredential, project) } returns decryptedCredential
+        coEvery { enrolmentRecordRepository.load(any()) } returns listOf(subject)
+        coEvery {
+            matchCandidatesUseCase(any(), any(), any(), any(), any())
+        } returns listOf(candidateMatch)
+
+        viewModel = createViewModel()
+
+        val searchState = viewModel.stateLiveData.value?.searchState as SearchState.CredentialLinked
+        assertThat(searchState.matchResults).hasSize(1)
+        assertThat(searchState.matchResults.first()).isEqualTo(candidateMatch)
+        coVerify { eventsTracker.saveSearchEvent(any(), any(), any()) }
+    }
+
+    @Test
+    fun `updateConfirmation updates isConfirmed state`() = runTest {
+        val decryptedCredential = mockk<TokenizableString.Raw>()
+        coEvery { tokenizationProcessor.decrypt(any(), TokenKeyType.ExternalCredential, project) } returns decryptedCredential
+        coEvery { enrolmentRecordRepository.load(any()) } returns emptyList()
+
+        viewModel = createViewModel()
+        val observer = viewModel.stateLiveData.test()
+
+        viewModel.updateConfirmation(true)
+        assertThat(observer.value()?.isConfirmed).isTrue()
+        viewModel.updateConfirmation(false)
+        assertThat(observer.value()?.isConfirmed).isFalse()
+    }
+
+    @Test
+    fun `confirmCredentialUpdate triggers new search and encrypts credential`() = runTest {
+        val decryptedCredential = mockk<TokenizableString.Raw>()
+        val newCredential = "newCredential".asTokenizableRaw()
+        val encryptedCredential = mockk<TokenizableString.Tokenized>()
+
+        coEvery { tokenizationProcessor.decrypt(any(), TokenKeyType.ExternalCredential, project) } returns decryptedCredential
+        coEvery { enrolmentRecordRepository.load(any()) } returns emptyList()
+        coEvery { tokenizationProcessor.encrypt(newCredential, TokenKeyType.ExternalCredential, project) } returns encryptedCredential
+
+        viewModel = createViewModel()
+
+        viewModel.confirmCredentialUpdate(newCredential)
+
+        coVerify { tokenizationProcessor.encrypt(newCredential, TokenKeyType.ExternalCredential, project) }
+        coVerify { enrolmentRecordRepository.load(match { it.externalCredential == encryptedCredential }) }
+        assertThat(viewModel.stateLiveData.value?.displayedCredential).isEqualTo(newCredential)
+    }
+
+    @Test
+    fun `getButtonTextResource returns null when searching`() = runTest {
+        val result = viewModel.getButtonTextResource(SearchState.Searching, FlowType.IDENTIFY)
+        assertThat(result).isNull()
+    }
+
+    @Test
+    fun `getButtonTextResource returns 'enrol anyway' when credential linked and flow is ENROL`() = runTest {
+        val searchState = SearchState.CredentialLinked(emptyList())
+        val result = viewModel.getButtonTextResource(searchState, FlowType.ENROL)
+        assertThat(result).isEqualTo(IDR.string.mfid_action_enrol_anyway)
+    }
+
+    @Test
+    fun `getButtonTextResource returns 'continue' when credential linked and not verified and flow is IDENTIFY`() = runTest {
+        coEvery { enrolmentRecordRepository.load(any()) } returns emptyList()
+        val searchState = SearchState.CredentialLinked(listOf(candidateMatch))
+        every { candidateMatch.isVerificationSuccessful } returns false
+        val result = viewModel.getButtonTextResource(searchState, FlowType.IDENTIFY)
+        assertThat(result).isEqualTo(IDR.string.mfid_action_continue)
+    }
+
+    @Test
+    fun `getButtonTextResource returns 'enrol' when credential not found and flow is ENROL`() = runTest {
+        val result = viewModel.getButtonTextResource(SearchState.CredentialNotFound, FlowType.ENROL)
+        assertThat(result).isEqualTo(IDR.string.mfid_action_enrol)
+    }
+
+    @Test
+    fun `getKeyBoardInputType returns number for NHIS card`() = runTest {
+        every { mockScannedCredential.credentialType } returns ExternalCredentialType.NHISCard
+        viewModel = createViewModel()
+        val result = viewModel.getKeyBoardInputType()
+        assertThat(result).isEqualTo(InputType.TYPE_CLASS_NUMBER)
+    }
+
+    @Test
+    fun `getKeyBoardInputType returns text for Ghana ID card`() = runTest {
+        every { mockScannedCredential.credentialType } returns ExternalCredentialType.GhanaIdCard
+        viewModel = createViewModel()
+        val result = viewModel.getKeyBoardInputType()
+        assertThat(result).isEqualTo(InputType.TYPE_CLASS_TEXT)
+    }
+
+    @Test
+    fun `getKeyBoardInputType returns text for QR code`() = runTest {
+        every { mockScannedCredential.credentialType } returns ExternalCredentialType.QRCode
+        viewModel = createViewModel()
+        val result = viewModel.getKeyBoardInputType()
+        assertThat(result).isEqualTo(InputType.TYPE_CLASS_TEXT)
+    }
+
+    @Test
+    fun `finish sends empty matches when credential not found`() = runTest {
+        viewModel = createViewModel()
+        val state = mockk<SearchCredentialState> {
+            every { scannedCredential } returns mockScannedCredential
+            every { searchState } returns SearchState.CredentialNotFound
+        }
+        viewModel.finish(state)
+        val finishEvent = viewModel.finishEvent.value?.peekContent()
+        assertThat(finishEvent).isNotNull()
+        assertThat(finishEvent?.matchResults).isEmpty()
+        assertThat(finishEvent?.scannedCredential).isEqualTo(mockScannedCredential)
+    }
+
+    @Test
+    fun `finish sends empty matches when still searching`() = runTest {
+        viewModel = createViewModel()
+        val state = mockk<SearchCredentialState> {
+            every { scannedCredential } returns mockScannedCredential
+            every { searchState } returns SearchState.Searching
+        }
+        viewModel.finish(state)
+        val finishEvent = viewModel.finishEvent.value?.peekContent()
+        assertThat(finishEvent).isNotNull()
+        assertThat(finishEvent?.matchResults).isEmpty()
+    }
+
+    @Test
+    fun `finish sends match results when credential linked`() = runTest {
+        val state = mockk<SearchCredentialState> {
+            every { scannedCredential } returns mockScannedCredential
+            every { searchState } returns mockk<SearchState.CredentialLinked> {
+                every { matchResults } returns listOf(candidateMatch)
+            }
+        }
+        viewModel.finish(state)
+        val finishEvent = viewModel.finishEvent.value?.peekContent()
+        assertThat(finishEvent).isNotNull()
+        assertThat(finishEvent?.matchResults).hasSize(1)
+        assertThat(finishEvent?.matchResults?.first()).isEqualTo(candidateMatch)
+        assertThat(finishEvent?.scannedCredential).isEqualTo(mockScannedCredential)
+    }
+
+    @Test
+    fun `trackRecapture sends confirmation event`() = runTest {
+        viewModel.trackRecapture()
+
+        coVerify { eventsTracker.saveConfirmation(any(), any()) }
+    }
+
+    @Test
+    fun `finish sends confirmation event`() = runTest {
+        val state = mockk<SearchCredentialState> {
+            every { scannedCredential } returns mockScannedCredential
+            every { searchState } returns mockk<SearchState.CredentialLinked> {
+                every { matchResults } returns listOf(candidateMatch)
+            }
+        }
+        viewModel.finish(state)
+
+        coVerify { eventsTracker.saveConfirmation(any(), any()) }
+    }
+
+    @Test
+    fun `decryptCredentialToDisplay updates displayedCredential state`() = runTest {
+        val encryptedCredential = mockk<TokenizableString.Tokenized>()
+        val decryptedCredential = "decryptedValue".asTokenizableRaw()
+
+        every { mockScannedCredential.credential } returns encryptedCredential
+        coEvery { tokenizationProcessor.decrypt(encryptedCredential, TokenKeyType.ExternalCredential, project) } returns decryptedCredential
+        coEvery { enrolmentRecordRepository.load(any()) } returns emptyList()
+
+        viewModel = createViewModel()
+
+        assertThat(viewModel.stateLiveData.value?.displayedCredential).isEqualTo(decryptedCredential)
+        coVerify { tokenizationProcessor.decrypt(encryptedCredential, TokenKeyType.ExternalCredential, project) }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredentialTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredentialTest.kt
new file mode 100644
index 0000000000..bffc349cd3
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/model/ScannedCredentialTest.kt
@@ -0,0 +1,37 @@
+package com.simprints.feature.externalcredential.screens.search.model
+
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.Timestamp
+import org.junit.Test
+
+class ScannedCredentialTest {
+    private val testUuid = "testUuid"
+    private val subjectId = "subjectId"
+
+    @Test
+    fun `toExternalCredential maps fields correctly`() {
+        val tokenizedValue = "tokenizedValue".asTokenizableEncrypted()
+        val scannedCredential = ScannedCredential(
+            credentialScanId = testUuid,
+            credential = tokenizedValue,
+            credentialType = ExternalCredentialType.NHISCard,
+            documentImagePath = null,
+            zoomedCredentialImagePath = null,
+            credentialBoundingBox = null,
+            scanStartTime = Timestamp(1L),
+            scanEndTime = Timestamp(2L),
+            scannedValue = "".asTokenizableRaw(),
+        )
+
+        val result = scannedCredential.toExternalCredential(subjectId)
+
+        assertThat(result.id).isEqualTo(testUuid)
+        assertThat(result.value).isEqualTo(tokenizedValue)
+        assertThat(result.subjectId).isEqualTo(subjectId)
+        assertThat(result.type).isEqualTo(ExternalCredentialType.NHISCard)
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCaseTest.kt
new file mode 100644
index 0000000000..c3c7da0ce5
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/CreateMatchParamsUseCaseTest.kt
@@ -0,0 +1,211 @@
+package com.simprints.feature.externalcredential.screens.search.usecase
+
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.common.FlowType
+import com.simprints.infra.config.store.models.AgeGroup
+import com.simprints.infra.config.store.models.FaceConfiguration
+import com.simprints.infra.config.store.models.FingerprintConfiguration
+import com.simprints.infra.config.store.models.GeneralConfiguration
+import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.config.store.models.determineFaceSDKs
+import com.simprints.infra.config.store.models.determineFingerprintSDKs
+import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
+import com.simprints.infra.matching.MatchParams
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import org.junit.Before
+import org.junit.Test
+
+internal class CreateMatchParamsUseCaseTest {
+    private val useCase = CreateMatchParamsUseCase()
+
+    private val subjectId = "subjectId"
+    private val probeReferenceId = "probeReferenceId"
+    private val flowType = FlowType.IDENTIFY
+    private val ageGroup = AgeGroup(25, 30)
+
+    @MockK
+    private lateinit var faceSample: MatchParams.FaceSample
+
+    @MockK
+    private lateinit var fingerprintSample: MatchParams.FingerprintSample
+
+    @MockK
+    private lateinit var generalConfiguration: GeneralConfiguration
+
+    @MockK
+    private lateinit var projectConfiguration: ProjectConfiguration
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        mockkStatic("com.simprints.infra.config.store.models.ProjectConfigurationKt")
+        every { projectConfiguration.general } returns generalConfiguration
+    }
+
+    @Test
+    fun ` creates correct MatchParams for face modality`() {
+        every { projectConfiguration.determineFaceSDKs(ageGroup) } returns listOf(
+            FaceConfiguration.BioSdk.RANK_ONE,
+            FaceConfiguration.BioSdk.SIM_FACE,
+        )
+        every { projectConfiguration.determineFingerprintSDKs(ageGroup) } returns emptyList()
+        every { generalConfiguration.matchingModalities } returns listOf(GeneralConfiguration.Modality.FACE)
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = listOf(faceSample),
+            fingerprintSamples = emptyList(),
+            ageGroup = ageGroup,
+        )
+
+        assertThat(result).hasSize(2)
+        result.forEach { matchParams ->
+            assertThat(matchParams.probeReferenceId).isEqualTo(probeReferenceId)
+            assertThat(matchParams.flowType).isEqualTo(flowType)
+            assertThat(matchParams.queryForCandidates.subjectId).isEqualTo(subjectId)
+            assertThat(matchParams.biometricDataSource).isEqualTo(BiometricDataSource.Simprints)
+            assertThat(matchParams.probeFaceSamples).containsExactly(faceSample)
+            assertThat(matchParams.faceSDK).isNotNull()
+        }
+        assertThat(result[0].faceSDK).isEqualTo(FaceConfiguration.BioSdk.RANK_ONE)
+        assertThat(result[1].faceSDK).isEqualTo(FaceConfiguration.BioSdk.SIM_FACE)
+    }
+
+    @Test
+    fun ` creates correct  MatchParams for fingerprint modality`() {
+        every { projectConfiguration.determineFaceSDKs(ageGroup) } returns emptyList()
+        every { projectConfiguration.determineFingerprintSDKs(ageGroup) } returns listOf(
+            FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
+            FingerprintConfiguration.BioSdk.NEC,
+        )
+        every { generalConfiguration.matchingModalities } returns listOf(GeneralConfiguration.Modality.FINGERPRINT)
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = emptyList(),
+            fingerprintSamples = listOf(fingerprintSample),
+            ageGroup = ageGroup,
+        )
+
+        assertThat(result).hasSize(2)
+        result.forEach { matchParams ->
+            assertThat(matchParams.probeReferenceId).isEqualTo(probeReferenceId)
+            assertThat(matchParams.flowType).isEqualTo(flowType)
+            assertThat(matchParams.queryForCandidates.subjectId).isEqualTo(subjectId)
+            assertThat(matchParams.biometricDataSource).isEqualTo(BiometricDataSource.Simprints)
+            assertThat(matchParams.probeFingerprintSamples).containsExactly(fingerprintSample)
+            assertThat(matchParams.fingerprintSDK).isNotNull()
+        }
+        assertThat(result[0].fingerprintSDK).isEqualTo(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)
+        assertThat(result[1].fingerprintSDK).isEqualTo(FingerprintConfiguration.BioSdk.NEC)
+    }
+
+    @Test
+    fun ` creates correct  MatchParams for multiple`() {
+        every { generalConfiguration.matchingModalities } returns listOf(
+            GeneralConfiguration.Modality.FACE,
+            GeneralConfiguration.Modality.FINGERPRINT,
+        )
+        every { projectConfiguration.determineFaceSDKs(ageGroup) } returns listOf(
+            FaceConfiguration.BioSdk.RANK_ONE,
+        )
+        every { projectConfiguration.determineFingerprintSDKs(ageGroup) } returns listOf(
+            FingerprintConfiguration.BioSdk.NEC,
+        )
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = listOf(faceSample),
+            fingerprintSamples = listOf(fingerprintSample),
+            ageGroup = ageGroup,
+        )
+
+        assertThat(result).hasSize(2)
+
+        val faceMatch = result.find { it.faceSDK != null }
+        assertThat(faceMatch).isNotNull()
+        assertThat(faceMatch?.faceSDK).isEqualTo(FaceConfiguration.BioSdk.RANK_ONE)
+        assertThat(faceMatch?.probeFaceSamples).containsExactly(faceSample)
+
+        val fingerprintMatch = result.find { it.fingerprintSDK != null }
+        assertThat(fingerprintMatch).isNotNull()
+        assertThat(fingerprintMatch?.fingerprintSDK).isEqualTo(FingerprintConfiguration.BioSdk.NEC)
+        assertThat(fingerprintMatch?.probeFingerprintSamples).containsExactly(fingerprintSample)
+    }
+
+    @Test
+    fun ` handles null ageGroup`() {
+        every { projectConfiguration.determineFaceSDKs(null) } returns listOf(
+            FaceConfiguration.BioSdk.RANK_ONE,
+        )
+        every { projectConfiguration.determineFingerprintSDKs(null) } returns emptyList()
+        every { generalConfiguration.matchingModalities } returns listOf(GeneralConfiguration.Modality.FACE)
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = listOf(faceSample),
+            fingerprintSamples = emptyList(),
+            ageGroup = null,
+        )
+
+        assertThat(result).hasSize(1)
+    }
+
+    @Test
+    fun ` returns empty list when no SDKs available`() {
+        every { projectConfiguration.determineFaceSDKs(ageGroup) } returns emptyList()
+        every { projectConfiguration.determineFingerprintSDKs(ageGroup) } returns emptyList()
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = listOf(faceSample),
+            fingerprintSamples = listOf(fingerprintSample),
+            ageGroup = ageGroup,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun ` creates multiple MatchParams for multiple face SDKs`() {
+        every { projectConfiguration.determineFaceSDKs(ageGroup) } returns listOf(
+            FaceConfiguration.BioSdk.RANK_ONE,
+            FaceConfiguration.BioSdk.SIM_FACE,
+        )
+        every { projectConfiguration.determineFingerprintSDKs(ageGroup) } returns emptyList()
+        every { generalConfiguration.matchingModalities } returns listOf(GeneralConfiguration.Modality.FACE)
+
+        val faceSamples = listOf(faceSample, mockk(relaxed = true))
+
+        val result = useCase(
+            candidateSubjectId = subjectId,
+            flowType = flowType,
+            probeReferenceId = probeReferenceId,
+            projectConfiguration = projectConfiguration,
+            faceSamples = faceSamples,
+            fingerprintSamples = emptyList(),
+            ageGroup = ageGroup,
+        )
+
+        assertThat(result).hasSize(2)
+        result.forEach { matchParams ->
+            assertThat(matchParams.probeFaceSamples).hasSize(2)
+        }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCaseTest.kt
new file mode 100644
index 0000000000..b7e07b2fe1
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/screens/search/usecase/MatchCandidatesUseCaseTest.kt
@@ -0,0 +1,278 @@
+package com.simprints.feature.externalcredential.screens.search.usecase
+
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.common.FlowType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.infra.config.store.models.AgeGroup
+import com.simprints.infra.config.store.models.FaceConfiguration
+import com.simprints.infra.config.store.models.FingerprintConfiguration
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.ProjectConfiguration
+import com.simprints.infra.enrolment.records.repository.domain.models.Subject
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.MatchResultItem
+import com.simprints.infra.matching.usecase.FaceMatcherUseCase
+import com.simprints.infra.matching.usecase.FingerprintMatcherUseCase
+import com.simprints.infra.matching.usecase.MatcherUseCase.MatcherState
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.flow.flowOf
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Test
+
+internal class MatchCandidatesUseCaseTest {
+    private lateinit var useCase: MatchCandidatesUseCase
+
+    @MockK
+    private lateinit var createMatchParamsUseCase: CreateMatchParamsUseCase
+
+    @MockK
+    private lateinit var faceMatcher: FaceMatcherUseCase
+
+    @MockK
+    private lateinit var fingerprintMatcher: FingerprintMatcherUseCase
+
+    @MockK
+    private lateinit var subject: Subject
+
+    @MockK
+    private lateinit var project: Project
+
+    @MockK
+    private lateinit var projectConfig: ProjectConfiguration
+
+    @MockK
+    private lateinit var externalCredentialParams: ExternalCredentialParams
+
+    @MockK
+    private lateinit var faceConfig: FaceConfiguration
+
+    @MockK
+    private lateinit var fingerprintConfig: FingerprintConfiguration
+
+    @MockK
+    private lateinit var faceSdkConfig: FaceConfiguration.FaceSdkConfiguration
+
+    @MockK
+    private lateinit var fingerprintSdkConfig: FingerprintConfiguration.FingerprintSdkConfiguration
+
+    @MockK
+    private lateinit var matchResultItem: MatchResultItem
+
+    @MockK
+    private lateinit var matchParams: MatchParams
+
+    @MockK
+    private lateinit var faceSample: MatchParams.FaceSample
+
+    @MockK
+    private lateinit var fingerprintSample: MatchParams.FingerprintSample
+
+    @MockK
+    private lateinit var ageGroup: AgeGroup
+
+    @MockK
+    private lateinit var matcherSuccess: MatcherState.Success
+
+    private val credential = "credential".asTokenizableEncrypted()
+    private val subjectId = "subjectId"
+    private val probeReferenceId = "probeReferenceId"
+    private val verificationMatchThreshold = 50.0f
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = MatchCandidatesUseCase(
+            createMatchParamsUseCase = createMatchParamsUseCase,
+            faceMatcher = faceMatcher,
+            fingerprintMatcher = fingerprintMatcher,
+        )
+
+        every { subject.subjectId } returns subjectId
+        every { externalCredentialParams.probeReferenceId } returns probeReferenceId
+        every { externalCredentialParams.flowType } returns FlowType.VERIFY
+        every { externalCredentialParams.faceSamples } returns listOf(faceSample)
+        every { externalCredentialParams.fingerprintSamples } returns listOf(fingerprintSample)
+        every { externalCredentialParams.ageGroup } returns ageGroup
+
+        every { matchParams.faceSDK } returns FaceConfiguration.BioSdk.RANK_ONE
+        every { matchParams.fingerprintSDK } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+        coEvery {
+            createMatchParamsUseCase(
+                candidateSubjectId = any(),
+                flowType = any(),
+                probeReferenceId = any(),
+                projectConfiguration = any(),
+                faceSamples = any(),
+                fingerprintSamples = any(),
+                ageGroup = any(),
+            )
+        } returns listOf(matchParams)
+        every { projectConfig.face } returns faceConfig
+        every { projectConfig.fingerprint } returns fingerprintConfig
+        every { faceConfig.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE) } returns faceSdkConfig
+        every { faceSdkConfig.verificationMatchThreshold } returns verificationMatchThreshold
+        every { fingerprintConfig.getSdkConfiguration(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER) } returns fingerprintSdkConfig
+        every { fingerprintSdkConfig.verificationMatchThreshold } returns verificationMatchThreshold
+        every { matcherSuccess.matchResultItems } returns listOf(matchResultItem)
+        coEvery { faceMatcher(matchParams, project) } returns flowOf(matcherSuccess)
+        coEvery { fingerprintMatcher(matchParams, project) } returns flowOf(matcherSuccess)
+    }
+
+    private fun initMatchParams(isFace: Boolean) {
+        val (faceSamples, fingerprintSamples) = if (isFace) {
+            listOf(faceSample) to emptyList()
+        } else {
+            emptyList<MatchParams.FaceSample>() to listOf(fingerprintSample)
+        }
+        every { matchParams.probeFaceSamples } returns faceSamples
+        every { matchParams.faceSDK } returns FaceConfiguration.BioSdk.RANK_ONE
+        every { matchParams.probeFingerprintSamples } returns fingerprintSamples
+        every { matchParams.fingerprintSDK } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+    }
+
+    @Test
+    fun `returns face matches when face samples present`() = runTest {
+        initMatchParams(isFace = true)
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).hasSize(1)
+        assertThat(result[0].credential).isEqualTo(credential)
+        assertThat(result[0].matchResult).isEqualTo(matchResultItem)
+        assertThat(result[0].verificationThreshold).isEqualTo(verificationMatchThreshold)
+        assertThat(result[0].faceBioSdk).isEqualTo(FaceConfiguration.BioSdk.RANK_ONE)
+        assertThat(result[0].fingerprintBioSdk).isNull()
+    }
+
+    @Test
+    fun `returns fingerprint matches when no face samples present`() = runTest {
+        initMatchParams(isFace = false)
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).hasSize(1)
+        assertThat(result[0].credential).isEqualTo(credential)
+        assertThat(result[0].matchResult).isEqualTo(matchResultItem)
+        assertThat(result[0].verificationThreshold).isEqualTo(verificationMatchThreshold)
+        assertThat(result[0].faceBioSdk).isNull()
+        assertThat(result[0].fingerprintBioSdk).isEqualTo(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)
+    }
+
+    @Test
+    fun `returns empty list when no candidates provided`() = runTest {
+        val result = useCase.invoke(
+            candidates = emptyList(),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when face SDK is null`() = runTest {
+        initMatchParams(isFace = true)
+        every { matchParams.faceSDK } returns null
+
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when fingerprint SDK is null`() = runTest {
+        initMatchParams(isFace = false)
+        every { matchParams.fingerprintSDK } returns null
+
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when face SDK configuration is null`() = runTest {
+        initMatchParams(isFace = true)
+        every { faceConfig.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE) } returns null
+
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when fingerprint SDK configuration is null`() = runTest {
+        initMatchParams(isFace = false)
+        every { fingerprintConfig.getSdkConfiguration(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER) } returns null
+
+        val result = useCase.invoke(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when face verification match threshold is null`() = runTest {
+        initMatchParams(isFace = true)
+        every { faceSdkConfig.verificationMatchThreshold } returns null
+        val result = useCase(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `returns empty list when fingerprint match threshold is null`() = runTest {
+        initMatchParams(isFace = false)
+        every { fingerprintSdkConfig.verificationMatchThreshold } returns null
+        val result = useCase(
+            candidates = listOf(subject),
+            credential = credential,
+            externalCredentialParams = externalCredentialParams,
+            project = project,
+            projectConfig = projectConfig,
+        )
+        assertThat(result).isEmpty()
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCaseTest.kt
new file mode 100644
index 0000000000..62850f52c5
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/AddExternalCredentialToSubjectUseCaseTest.kt
@@ -0,0 +1,96 @@
+package com.simprints.feature.externalcredential.usecase
+
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Test
+
+internal class AddExternalCredentialToSubjectUseCaseTest {
+    @MockK
+    lateinit var enrolmentRecordRepository: EnrolmentRecordRepository
+
+    @MockK
+    lateinit var configManager: ConfigManager
+
+    @MockK
+    lateinit var project: Project
+
+    @MockK
+    lateinit var scannedCredential: ScannedCredential
+
+    private lateinit var useCase: AddExternalCredentialToSubjectUseCase
+
+    private val projectId = "projectId"
+    private val subjectId = "subjectId"
+    private val encryptedCredential = "credential".asTokenizableEncrypted()
+    private val mockCredentialType = ExternalCredentialType.NHISCard
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        coEvery { configManager.getProject(projectId) } returns project
+
+        useCase = AddExternalCredentialToSubjectUseCase(
+            enrolmentRecordRepository = enrolmentRecordRepository,
+            configManager = configManager,
+        )
+        every { scannedCredential.credential } returns encryptedCredential
+        every { scannedCredential.credentialType } returns mockCredentialType
+    }
+
+    @Test
+    fun `invokes enrolment repository with correct update action`() = runTest {
+        val actionsSlot = slot<List<SubjectAction>>()
+        useCase(scannedCredential, subjectId, projectId)
+        coVerify {
+            enrolmentRecordRepository.performActions(
+                capture(actionsSlot),
+                project,
+            )
+        }
+
+        val actions = actionsSlot.captured
+        assertThat(actions).hasSize(1)
+        val updateAction = actions.first() as SubjectAction.Update
+        assertThat(updateAction.subjectId).isEqualTo(subjectId)
+        assertThat(updateAction.externalCredentialsToAdd).hasSize(1)
+        assertThat(updateAction.faceSamplesToAdd).isEmpty()
+        assertThat(updateAction.fingerprintSamplesToAdd).isEmpty()
+        assertThat(updateAction.referenceIdsToRemove).isEmpty()
+    }
+
+    @Test
+    fun `adds correct external credential to subject`() = runTest {
+        val actionsSlot = slot<List<SubjectAction>>()
+
+        useCase(scannedCredential, subjectId, projectId)
+
+        coVerify {
+            enrolmentRecordRepository.performActions(
+                capture(actionsSlot),
+                project,
+            )
+        }
+
+        val updateAction = actionsSlot.captured.first() as SubjectAction.Update
+        val addedCredential = updateAction.externalCredentialsToAdd.first()
+        assertThat(addedCredential.value).isEqualTo(encryptedCredential)
+        assertThat(addedCredential.type).isEqualTo(mockCredentialType)
+    }
+
+    @Test
+    fun `retrieves project using correct project id`() = runTest {
+        useCase(scannedCredential, subjectId, projectId)
+        coVerify { configManager.getProject(projectId) }
+    }
+}
diff --git a/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCaseTest.kt b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCaseTest.kt
new file mode 100644
index 0000000000..e006fdcfcb
--- /dev/null
+++ b/feature/external-credential/src/test/java/com/simprints/feature/externalcredential/usecase/ExternalCredentialEventTrackerUseCaseTest.kt
@@ -0,0 +1,193 @@
+package com.simprints.feature.externalcredential.usecase
+
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.core.domain.tokenization.asTokenizableRaw
+import com.simprints.core.tools.time.TimeHelper
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.scanocr.usecase.CalculateLevenshteinDistanceUseCase
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationResult
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent.SkipReason
+import com.simprints.infra.events.session.SessionEventRepository
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Test
+
+class ExternalCredentialEventTrackerUseCaseTest {
+    @MockK
+    private lateinit var timeHelper: TimeHelper
+
+    @MockK
+    private lateinit var authStore: AuthStore
+
+    @MockK
+    private lateinit var configManager: ConfigManager
+
+    @MockK
+    private lateinit var tokenizationProcessor: TokenizationProcessor
+
+    @MockK
+    private lateinit var eventRepository: SessionEventRepository
+
+    @MockK
+    private lateinit var calculateDistance: CalculateLevenshteinDistanceUseCase
+
+    private lateinit var useCase: ExternalCredentialEventTrackerUseCase
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        useCase = ExternalCredentialEventTrackerUseCase(
+            timeHelper = timeHelper,
+            authStore = authStore,
+            configManager = configManager,
+            tokenizationProcessor = tokenizationProcessor,
+            eventRepository = eventRepository,
+            calculateDistance = calculateDistance,
+        )
+
+        every { timeHelper.now() } returns END_TIME
+
+        coEvery { authStore.signedInProjectId } returns ""
+        coEvery { configManager.getProject(any()) } returns mockk()
+        coEvery {
+            tokenizationProcessor.decrypt(any(), TokenKeyType.ExternalCredential, any())
+        } returns RAW_SCANNED_VALUE.asTokenizableRaw()
+
+        coEvery { calculateDistance(any(), any()) } returns DEFAULT_DISTANCE
+    }
+
+    @Test
+    fun `saveCaptureEvents should save external credential capture events`() = runTest {
+        val scannedCredential = makeScannedCredential(ExternalCredentialType.QRCode)
+        useCase.saveCaptureEvents(START_TIME, SUBJECT_ID, scannedCredential, SELECTION_ID)
+
+        val valueEventSlot = slot<ExternalCredentialCaptureValueEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(valueEventSlot)) }
+        with(valueEventSlot.captured) {
+            assertThat(payload.credential.id).isEqualTo(SCAN_ID)
+            assertThat(payload.credential.subjectId).isEqualTo(SUBJECT_ID)
+        }
+
+        val captureEventSlot = slot<ExternalCredentialCaptureEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        with(captureEventSlot.captured) {
+            assertThat(payload.id).isEqualTo(SCAN_ID)
+            assertThat(payload.createdAt).isEqualTo(START_TIME)
+            assertThat(payload.endedAt).isEqualTo(END_TIME)
+            assertThat(payload.autoCaptureStartTime).isEqualTo(SCAN_START_TIME)
+            assertThat(payload.autoCaptureEndTime).isEqualTo(SCAN_END_TIME)
+            assertThat(payload.ocrErrorCount).isEqualTo(DEFAULT_DISTANCE)
+            assertThat(payload.capturedTextLength).isEqualTo(RAW_SCANNED_VALUE.length)
+        }
+    }
+
+    @Test
+    fun `saveCaptureEvents should correctly calculate length for NHISCard`() = runTest {
+        val scannedCredential = makeScannedCredential(ExternalCredentialType.NHISCard)
+        useCase.saveCaptureEvents(START_TIME, SUBJECT_ID, scannedCredential, SELECTION_ID)
+
+        val captureEventSlot = slot<ExternalCredentialCaptureEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        assertThat(captureEventSlot.captured.payload.credentialTextLength).isEqualTo(8)
+    }
+
+    @Test
+    fun `saveCaptureEvents should correctly calculate length for GhanaIdCard`() = runTest {
+        val scannedCredential = makeScannedCredential(ExternalCredentialType.GhanaIdCard)
+        useCase.saveCaptureEvents(START_TIME, SUBJECT_ID, scannedCredential, SELECTION_ID)
+
+        val captureEventSlot = slot<ExternalCredentialCaptureEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        assertThat(captureEventSlot.captured.payload.credentialTextLength).isEqualTo(15)
+    }
+
+    @Test
+    fun `saveCaptureEvents should correctly calculate length for QRCode`() = runTest {
+        val scannedCredential = makeScannedCredential(ExternalCredentialType.QRCode)
+        useCase.saveCaptureEvents(START_TIME, SUBJECT_ID, scannedCredential, SELECTION_ID)
+
+        val captureEventSlot = slot<ExternalCredentialCaptureEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        assertThat(captureEventSlot.captured.payload.credentialTextLength).isEqualTo(6)
+    }
+
+    @Test
+    fun `saveSelectionEvent should save correct event`() = runTest {
+        useCase.saveSelectionEvent(START_TIME, END_TIME, ExternalCredentialType.QRCode)
+
+        val captureEventSlot = slot<ExternalCredentialSelectionEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        with(captureEventSlot.captured) {
+            assertThat(payload.createdAt).isEqualTo(START_TIME)
+            assertThat(payload.endedAt).isEqualTo(END_TIME)
+            assertThat(payload.credentialType).isEqualTo(ExternalCredentialType.QRCode)
+            assertThat(payload.skipReason).isNull()
+            assertThat(payload.skipOther).isNull()
+        }
+    }
+
+    @Test
+    fun `saveSkippedEvent should save correct event`() = runTest {
+        useCase.saveSkippedEvent(START_TIME, SkipReason.OTHER, "other")
+
+        val captureEventSlot = slot<ExternalCredentialSelectionEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        with(captureEventSlot.captured) {
+            assertThat(payload.createdAt).isEqualTo(START_TIME)
+            assertThat(payload.endedAt).isEqualTo(END_TIME)
+            assertThat(payload.credentialType).isNull()
+            assertThat(payload.skipReason).isEqualTo(SkipReason.OTHER)
+            assertThat(payload.skipOther).isEqualTo("other")
+        }
+    }
+
+    @Test
+    fun `saveConfirmation should save correct event`() = runTest {
+        useCase.saveConfirmation(START_TIME, ExternalCredentialConfirmationResult.CONTINUE)
+
+        val captureEventSlot = slot<ExternalCredentialConfirmationEvent>()
+        coVerify(exactly = 1) { eventRepository.addOrUpdateEvent(capture(captureEventSlot)) }
+        with(captureEventSlot.captured) {
+            assertThat(payload.createdAt).isEqualTo(START_TIME)
+            assertThat(payload.endedAt).isEqualTo(END_TIME)
+            assertThat(payload.result).isEqualTo(ExternalCredentialConfirmationResult.CONTINUE)
+        }
+    }
+
+    private fun makeScannedCredential(type: ExternalCredentialType) = ScannedCredential(
+        credentialScanId = "test-scan-id",
+        credential = RAW_SCANNED_VALUE.asTokenizableEncrypted(),
+        credentialType = type,
+        documentImagePath = null,
+        zoomedCredentialImagePath = null,
+        credentialBoundingBox = null,
+        scanStartTime = SCAN_START_TIME,
+        scanEndTime = SCAN_END_TIME,
+        scannedValue = RAW_SCANNED_VALUE.asTokenizableRaw(),
+    )
+
+    companion object Companion {
+        private val START_TIME = Timestamp(0L)
+        private val SCAN_START_TIME = Timestamp(3L)
+        private val SCAN_END_TIME = Timestamp(4L)
+        private val END_TIME = Timestamp(6L)
+        private const val SCAN_ID = "test-scan-id"
+        private const val SUBJECT_ID = "test-subject-id"
+        private const val RAW_SCANNED_VALUE = "scanned-value"
+        private const val DEFAULT_DISTANCE = 7
+        private const val SELECTION_ID = "selection_id"
+    }
+}
diff --git a/feature/login/src/main/java/com/simprints/feature/login/screens/qrscanner/QrScannerFragment.kt b/feature/login/src/main/java/com/simprints/feature/login/screens/qrscanner/QrScannerFragment.kt
index e66a14293c..c176dccb1e 100644
--- a/feature/login/src/main/java/com/simprints/feature/login/screens/qrscanner/QrScannerFragment.kt
+++ b/feature/login/src/main/java/com/simprints/feature/login/screens/qrscanner/QrScannerFragment.kt
@@ -10,12 +10,12 @@ import androidx.lifecycle.Lifecycle
 import androidx.lifecycle.lifecycleScope
 import androidx.lifecycle.repeatOnLifecycle
 import androidx.navigation.fragment.findNavController
-import com.google.firebase.analytics.FirebaseAnalytics.Event.LOGIN
 import com.simprints.core.tools.extentions.hasPermission
 import com.simprints.feature.login.R
 import com.simprints.feature.login.databinding.FragmentQrScannerBinding
-import com.simprints.feature.login.tools.camera.CameraHelper
-import com.simprints.feature.login.tools.camera.QrCodeAnalyzer
+import com.simprints.infra.logging.LoggingConstants
+import com.simprints.infra.uibase.camera.qrscan.CameraHelper
+import com.simprints.infra.uibase.camera.qrscan.QrCodeAnalyzer
 import com.simprints.infra.logging.Simber
 import com.simprints.infra.uibase.view.applySystemBarInsets
 import com.simprints.infra.uibase.navigation.finishWithResult
@@ -29,12 +29,18 @@ import javax.inject.Inject
 @AndroidEntryPoint
 internal class QrScannerFragment : Fragment(R.layout.fragment_qr_scanner) {
     private val binding by viewBinding(FragmentQrScannerBinding::bind)
-
+    private val crashReportTag = LoggingConstants.CrashReportTag.LOGIN
     @Inject
-    lateinit var cameraHelper: CameraHelper
-
+    lateinit var cameraHelperFactory: CameraHelper.Factory
     @Inject
-    lateinit var qrCodeAnalyzer: QrCodeAnalyzer
+    lateinit var qrCodeAnalyzerFactory: QrCodeAnalyzer.Factory
+
+    private val cameraHelper: CameraHelper by lazy {
+        cameraHelperFactory.create(crashReportTag)
+    }
+    private val qrCodeAnalyzer by lazy {
+        qrCodeAnalyzerFactory.create(cropConfig = null, crashReportTag = crashReportTag)
+    }
 
     private val launchPermissionRequest = registerForActivityResult(
         ActivityResultContracts.RequestPermission(),
@@ -57,7 +63,7 @@ internal class QrScannerFragment : Fragment(R.layout.fragment_qr_scanner) {
             viewLifecycleOwner.repeatOnLifecycle(Lifecycle.State.RESUMED) {
                 qrCodeAnalyzer.scannedCode
                     .catch { e ->
-                        Simber.e("Camera not available for QR scanning", e, tag = LOGIN)
+                        Simber.e("Camera not available for QR scanning", e, tag = crashReportTag)
                         finishWithError(QrScannerResult.QrScannerError.CameraNotAvailable)
                     }.collectLatest { qrCode ->
                         if (qrCode.isNotEmpty()) {
@@ -75,7 +81,7 @@ internal class QrScannerFragment : Fragment(R.layout.fragment_qr_scanner) {
     }
 
     private fun startCamera() {
-        binding.qrScannerAim.isVisible = true
+        binding.qrScannerArea.isVisible = true
         cameraHelper.startCamera(
             viewLifecycleOwner,
             binding.qrScannerPreview,
diff --git a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzer.kt b/feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzer.kt
deleted file mode 100644
index c1d4c1b798..0000000000
--- a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzer.kt
+++ /dev/null
@@ -1,43 +0,0 @@
-package com.simprints.feature.login.tools.camera
-
-import androidx.camera.core.ExperimentalGetImage
-import androidx.camera.core.ImageAnalysis
-import androidx.camera.core.ImageProxy
-import com.simprints.core.DispatcherBG
-import com.simprints.infra.logging.LoggingConstants.CrashReportTag.LOGIN
-import com.simprints.infra.logging.Simber
-import kotlinx.coroutines.CoroutineDispatcher
-import kotlinx.coroutines.channels.BufferOverflow
-import kotlinx.coroutines.flow.Flow
-import kotlinx.coroutines.flow.MutableStateFlow
-import kotlinx.coroutines.flow.buffer
-import kotlinx.coroutines.flow.filterNotNull
-import kotlinx.coroutines.runBlocking
-import javax.inject.Inject
-
-internal class QrCodeAnalyzer @Inject constructor(
-    private val qrCodeDetector: QrCodeDetector,
-    @DispatcherBG private val bgDispatcher: CoroutineDispatcher,
-) : ImageAnalysis.Analyzer {
-    private val _scannedCode = MutableStateFlow<String?>(null)
-    val scannedCode: Flow<String> = _scannedCode
-        .filterNotNull()
-        .buffer(1, onBufferOverflow = BufferOverflow.DROP_OLDEST)
-
-    @ExperimentalGetImage
-    override fun analyze(imageProxy: ImageProxy) {
-        imageProxy.use {
-            it.image?.let { mediaImage ->
-                runBlocking(bgDispatcher) {
-                    try {
-                        val rotationDegrees = imageProxy.imageInfo.rotationDegrees
-                        val image = RawImage(mediaImage, rotationDegrees)
-                        qrCodeDetector.detectInImage(image)?.let(_scannedCode::tryEmit)
-                    } catch (t: Throwable) {
-                        Simber.e("QR code detection failed", t, tag = LOGIN)
-                    }
-                }
-            }
-        }
-    }
-}
diff --git a/feature/login/src/main/res/layout/fragment_qr_scanner.xml b/feature/login/src/main/res/layout/fragment_qr_scanner.xml
index 3716676035..3fa0e59bb0 100644
--- a/feature/login/src/main/res/layout/fragment_qr_scanner.xml
+++ b/feature/login/src/main/res/layout/fragment_qr_scanner.xml
@@ -11,7 +11,7 @@
         android:layout_height="match_parent" />
 
     <ImageView
-        android:id="@+id/qrScannerAim"
+        android:id="@+id/qrScannerArea"
         android:layout_width="wrap_content"
         android:layout_height="wrap_content"
         android:src="@drawable/ic_camera_focus"
diff --git a/feature/login/src/test/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzerTest.kt b/feature/login/src/test/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzerTest.kt
deleted file mode 100644
index bac7e470a6..0000000000
--- a/feature/login/src/test/java/com/simprints/feature/login/tools/camera/QrCodeAnalyzerTest.kt
+++ /dev/null
@@ -1,61 +0,0 @@
-package com.simprints.feature.login.tools.camera
-
-import androidx.camera.core.ImageProxy
-import com.google.common.truth.Truth.assertThat
-import io.mockk.MockKAnnotations
-import io.mockk.coEvery
-import io.mockk.coVerify
-import io.mockk.every
-import io.mockk.impl.annotations.MockK
-import io.mockk.mockk
-import io.mockk.verify
-import kotlinx.coroutines.flow.first
-import kotlinx.coroutines.test.UnconfinedTestDispatcher
-import kotlinx.coroutines.test.runTest
-import org.junit.Before
-import org.junit.Test
-
-internal class QrCodeAnalyzerTest {
-    @MockK
-    lateinit var mockQrCodeDetector: QrCodeDetector
-
-    @MockK
-    lateinit var mockImageProxy: ImageProxy
-
-    private lateinit var qrCodeProducer: QrCodeAnalyzer
-
-    @Before
-    fun setUp() {
-        MockKAnnotations.init(this, relaxed = true)
-
-        qrCodeProducer = QrCodeAnalyzer(mockQrCodeDetector, UnconfinedTestDispatcher())
-    }
-
-    @Test
-    fun `should not trigger detector when no images obtained`() {
-        every { mockImageProxy.image } returns null
-        qrCodeProducer.analyze(mockImageProxy)
-
-        coVerify(exactly = 0) { mockQrCodeDetector.detectInImage(any()) }
-    }
-
-    @Test
-    fun `should send RQ code value to flow`() = runTest {
-        every { mockImageProxy.image } returns mockk()
-        coEvery { mockQrCodeDetector.detectInImage(any()) } returns "mock_value"
-
-        qrCodeProducer.analyze(mockImageProxy)
-        val code = qrCodeProducer.scannedCode.first()
-
-        assertThat(code).isEqualTo("mock_value")
-    }
-
-    @Test
-    fun `should close image proxy with unsuccessful scan`() {
-        coEvery { mockQrCodeDetector.detectInImage(any()) } throws Throwable()
-
-        qrCodeProducer.analyze(mockImageProxy)
-
-        verify { mockImageProxy.close() }
-    }
-}
diff --git a/feature/matcher/build.gradle.kts b/feature/matcher/build.gradle.kts
index 64fd4d0d20..630deb5152 100644
--- a/feature/matcher/build.gradle.kts
+++ b/feature/matcher/build.gradle.kts
@@ -13,12 +13,9 @@ dependencies {
 
     implementation(project(":infra:orchestrator-data"))
     implementation(project(":infra:enrolment-records:repository"))
-    implementation(project(":infra:events"))
+    implementation(project(":infra:matching"))
     implementation(project(":infra:config-store"))
     implementation(project(":infra:config-sync"))
 
-    implementation(project(":face:infra:bio-sdk-resolver"))
-
-    implementation(project(":fingerprint:infra:bio-sdk"))
     implementation(project(":infra:auth-store"))
 }
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/MatchContract.kt b/feature/matcher/src/main/java/com/simprints/matcher/MatchContract.kt
index 9500085e9e..79efa31499 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/MatchContract.kt
+++ b/feature/matcher/src/main/java/com/simprints/matcher/MatchContract.kt
@@ -5,6 +5,7 @@ import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.FingerprintConfiguration
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.matching.MatchParams
 
 object MatchContract {
     val DESTINATION = R.id.matcherFragment
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchFragment.kt b/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchFragment.kt
index 94d61c6425..641769454c 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchFragment.kt
+++ b/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchFragment.kt
@@ -19,13 +19,13 @@ import com.simprints.feature.exitform.ExitFormContract
 import com.simprints.feature.exitform.ExitFormResult
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
 import com.simprints.infra.logging.Simber
+import com.simprints.infra.matching.MatchParams
 import com.simprints.infra.uibase.navigation.finishWithResult
 import com.simprints.infra.uibase.navigation.handleResult
 import com.simprints.infra.uibase.navigation.navigateSafely
 import com.simprints.infra.uibase.navigation.navigationParams
 import com.simprints.infra.uibase.view.applySystemBarInsets
 import com.simprints.infra.uibase.viewbinding.viewBinding
-import com.simprints.matcher.MatchParams
 import com.simprints.matcher.R
 import com.simprints.matcher.databinding.FragmentMatcherBinding
 import com.simprints.matcher.screen.MatchFragment.Companion.LOADING_PROGRESS
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchViewModel.kt b/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchViewModel.kt
index 9b5995d860..2fc45b1ef9 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchViewModel.kt
+++ b/feature/matcher/src/main/java/com/simprints/matcher/screen/MatchViewModel.kt
@@ -10,14 +10,14 @@ import com.simprints.core.tools.time.TimeHelper
 import com.simprints.infra.authstore.AuthStore
 import com.simprints.infra.config.store.models.DecisionPolicy
 import com.simprints.infra.config.sync.ConfigManager
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.MatchResultItem
-import com.simprints.matcher.usecases.FaceMatcherUseCase
-import com.simprints.matcher.usecases.FingerprintMatcherUseCase
-import com.simprints.matcher.usecases.MatcherUseCase
-import com.simprints.matcher.usecases.SaveMatchEventUseCase
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.MatchResultItem
+import com.simprints.infra.matching.usecase.FaceMatcherUseCase
+import com.simprints.infra.matching.usecase.FingerprintMatcherUseCase
+import com.simprints.infra.matching.usecase.MatcherUseCase
+import com.simprints.infra.matching.usecase.SaveMatchEventUseCase
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
@@ -104,9 +104,11 @@ internal class MatchViewModel @Inject constructor(
 
     private suspend fun getDecisionPolicy(params: MatchParams): DecisionPolicy {
         val config = configManager.getProjectConfiguration()
+        val faceSDK = params.faceSDK
+        val fingerprintSDK = params.fingerprintSDK
         val policy = when {
-            params.faceSDK != null -> config.face?.getSdkConfiguration(params.faceSDK)?.decisionPolicy
-            params.fingerprintSDK != null -> config.fingerprint?.getSdkConfiguration(params.fingerprintSDK)?.decisionPolicy
+            faceSDK != null -> config.face?.getSdkConfiguration(faceSDK)?.decisionPolicy
+            fingerprintSDK != null -> config.fingerprint?.getSdkConfiguration(fingerprintSDK)?.decisionPolicy
             else -> null
         }
         return policy ?: fallbackDecisionPolicy()
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/screen/MatchViewModelTest.kt b/feature/matcher/src/test/java/com/simprints/matcher/screen/MatchViewModelTest.kt
index fe26281df1..7e4ffd3f99 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/screen/MatchViewModelTest.kt
+++ b/feature/matcher/src/test/java/com/simprints/matcher/screen/MatchViewModelTest.kt
@@ -13,14 +13,14 @@ import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
-import com.simprints.matcher.MatchBatchInfo
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.usecases.FaceMatcherUseCase
-import com.simprints.matcher.usecases.FingerprintMatcherUseCase
-import com.simprints.matcher.usecases.MatcherUseCase
-import com.simprints.matcher.usecases.SaveMatchEventUseCase
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.usecase.FaceMatcherUseCase
+import com.simprints.infra.matching.usecase.FingerprintMatcherUseCase
+import com.simprints.infra.matching.usecase.MatcherUseCase
+import com.simprints.infra.matching.usecase.SaveMatchEventUseCase
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
 import com.simprints.testtools.common.livedata.getOrAwaitValue
 import io.mockk.*
diff --git a/feature/orchestrator/build.gradle.kts b/feature/orchestrator/build.gradle.kts
index a300a9dc22..8515c2065c 100644
--- a/feature/orchestrator/build.gradle.kts
+++ b/feature/orchestrator/build.gradle.kts
@@ -22,6 +22,7 @@ dependencies {
     implementation(project(":feature:matcher"))
     implementation(project(":feature:validate-subject-pool"))
     implementation(project(":feature:select-subject-age-group"))
+    implementation(project(":feature:external-credential"))
 
     implementation(project(":face:capture"))
 
@@ -36,6 +37,7 @@ dependencies {
     implementation(project(":infra:events"))
     implementation(project(":infra:event-sync"))
     implementation(project(":infra:images"))
+    implementation(project(":infra:matching"))
 
     implementation(libs.jackson.core)
     implementation(libs.androidX.ui.preference)
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorFragment.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorFragment.kt
index c65da6682e..287d447892 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorFragment.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorFragment.kt
@@ -19,6 +19,7 @@ import com.simprints.feature.clientapi.extensions.getResultCodeFromExtras
 import com.simprints.feature.consent.ConsentContract
 import com.simprints.feature.enrollast.EnrolLastBiometricContract
 import com.simprints.feature.exitform.ExitFormContract
+import com.simprints.feature.externalcredential.ExternalCredentialContract
 import com.simprints.feature.fetchsubject.FetchSubjectContract
 import com.simprints.feature.login.LoginContract
 import com.simprints.feature.login.LoginResult
@@ -126,6 +127,7 @@ internal class OrchestratorFragment : Fragment(R.layout.fragment_orchestrator) {
         handleResult(FetchSubjectContract.DESTINATION, orchestratorVm::handleResult)
         handleResult(ValidateSubjectPoolContract.DESTINATION, orchestratorVm::handleResult)
         handleResult(SelectSubjectAgeGroupContract.DESTINATION, orchestratorVm::handleResult)
+        handleResult(ExternalCredentialContract.DESTINATION, orchestratorVm::handleResult)
     }
 
     private fun <T : Serializable> handleResult(
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorViewModel.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorViewModel.kt
index c06f979bd5..9bbd9ca7f7 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorViewModel.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/OrchestratorViewModel.kt
@@ -6,6 +6,7 @@ import androidx.lifecycle.ViewModel
 import androidx.lifecycle.viewModelScope
 import com.fasterxml.jackson.core.type.TypeReference
 import com.fasterxml.jackson.databind.module.SimpleModule
+import com.simprints.core.domain.common.FlowType
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.domain.step.StepResult
 import com.simprints.core.domain.tokenization.TokenizableString
@@ -18,6 +19,8 @@ import com.simprints.face.capture.FaceCaptureParams
 import com.simprints.face.capture.FaceCaptureResult
 import com.simprints.feature.enrollast.EnrolLastBiometricContract
 import com.simprints.feature.enrollast.EnrolLastBiometricParams
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
 import com.simprints.feature.orchestrator.cache.OrchestratorCache
 import com.simprints.feature.orchestrator.exceptions.SubjectAgeNotSupportedException
 import com.simprints.feature.orchestrator.model.OrchestratorResult
@@ -39,13 +42,14 @@ import com.simprints.infra.config.store.models.GeneralConfiguration
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
 import com.simprints.infra.logging.Simber
+import com.simprints.infra.matching.MatchParams
 import com.simprints.infra.orchestration.data.ActionRequest
 import com.simprints.infra.orchestration.data.responses.AppErrorResponse
 import com.simprints.infra.orchestration.data.responses.AppResponse
-import com.simprints.matcher.MatchParams
 import dagger.hilt.android.lifecycle.HiltViewModel
 import kotlinx.coroutines.launch
 import java.io.Serializable
+import java.util.UUID
 import javax.inject.Inject
 
 @HiltViewModel
@@ -61,6 +65,9 @@ internal class OrchestratorViewModel @Inject constructor(
     private val mapStepsForLastBiometrics: MapStepsForLastBiometricEnrolUseCase,
 ) : ViewModel() {
     var isRequestProcessed = false
+
+    // [MS-1127] MF-ID: during enrolment, the same 'subjectId' needs to be used during the entire workflow
+    private val enrolmentSubjectId = UUID.randomUUID().toString()
     private var modalities = emptySet<GeneralConfiguration.Modality>()
     private var steps = emptyList<Step>()
     private var actionRequest: ActionRequest? = null
@@ -83,7 +90,14 @@ internal class OrchestratorViewModel @Inject constructor(
             // In case of a follow-up action, we should restore completed steps from cache
             // and add new ones to the list. This way all session steps are available throughout
             // the app for reference (i.e. have we already captured face in this session?)
-            steps = cache.steps + stepsBuilder.build(action, projectConfiguration)
+            val cachedSteps = cache.steps
+            val cachedExternalCredentialResponse = getCachedCredentialResponse(cachedSteps)
+            steps = cachedSteps + stepsBuilder.build(
+                action = action,
+                projectConfiguration = projectConfiguration,
+                enrolmentSubjectId = enrolmentSubjectId,
+                cachedScannedCredential = cachedExternalCredentialResponse?.scannedCredential,
+            )
             Simber.i("Steps to execute: ${steps.joinToString { it.id.toString() }}", tag = ORCHESTRATION)
         } catch (_: SubjectAgeNotSupportedException) {
             handleErrorResponse(AppErrorResponse(AppErrorReason.AGE_GROUP_NOT_SUPPORTED))
@@ -93,6 +107,15 @@ internal class OrchestratorViewModel @Inject constructor(
         doNextStep()
     }
 
+    private fun getCachedCredentialResponse(steps: List<Step>): ExternalCredentialSearchResult? {
+        steps.forEach { step ->
+            if (step.id == StepId.EXTERNAL_CREDENTIAL) {
+                return step.result as? ExternalCredentialSearchResult
+            }
+        }
+        return null
+    }
+
     fun handleResult(result: StepResult) = viewModelScope.launch {
         Simber.i("Handling step result: ${result.javaClass.simpleName}", tag = ORCHESTRATION)
         Simber.d(result.toString(), tag = ORCHESTRATION)
@@ -111,17 +134,23 @@ internal class OrchestratorViewModel @Inject constructor(
             Simber.i("Completed step: ${step.id}", tag = ORCHESTRATION)
 
             updateMatcherStepPayload(step, result)
+            updateExternalCredentialStepPayload(step, result)
         }
 
         if (result is SelectSubjectAgeGroupResult) {
             val captureAndMatchSteps = stepsBuilder.buildCaptureAndMatchStepsForAgeGroup(
-                actionRequest!!,
-                projectConfiguration,
-                result.ageGroup,
+                action = actionRequest!!,
+                projectConfiguration = projectConfiguration,
+                ageGroup = result.ageGroup,
+                enrolmentSubjectId = enrolmentSubjectId,
             )
             steps = steps + captureAndMatchSteps
         }
 
+        if (result is ExternalCredentialSearchResult) {
+            removeMatcherStepIfRequired(result)
+        }
+
         doNextStep()
     }
 
@@ -172,6 +201,22 @@ internal class OrchestratorViewModel @Inject constructor(
         }
     }
 
+    /**
+     * Removes Matcher steps during [FlowType.IDENTIFY] flow if External Credential search found any match.
+     */
+    private fun removeMatcherStepIfRequired(result: ExternalCredentialSearchResult) {
+        if (result.flowType == FlowType.IDENTIFY) {
+            val confirmedVerifications = result.goodMatches.size
+            if (confirmedVerifications > 0) {
+                steps = steps.filterNot { it.id in listOf(StepId.FACE_MATCHER, StepId.FINGERPRINT_MATCHER) }
+                Simber.i(
+                    "Matcher steps removed because External Credential search verified [$confirmedVerifications] candidate(s). Flow type = [${result.flowType}]",
+                    tag = ORCHESTRATION,
+                )
+            }
+        }
+    }
+
     /**
      * Update the enrol last biometric params in case there were more steps executed in the current flow.
      */
@@ -181,11 +226,13 @@ internal class OrchestratorViewModel @Inject constructor(
                 val updatedParams = params.copy(
                     steps = mapStepsForLastBiometrics(steps.mapNotNull { it.result }),
                 )
+                val cachedExternalCredentialResponse = getCachedCredentialResponse(cache.steps)
                 step.params = EnrolLastBiometricContract.getParams(
                     projectId = updatedParams.projectId,
                     userId = updatedParams.userId,
                     moduleId = updatedParams.moduleId,
                     steps = updatedParams.steps,
+                    scannedCredential = cachedExternalCredentialResponse?.scannedCredential,
                 )
             }
         }
@@ -195,10 +242,11 @@ internal class OrchestratorViewModel @Inject constructor(
         val projectConfiguration = configManager.getProjectConfiguration()
         val project = configManager.getProject(projectConfiguration.projectId)
         val appResponse = appResponseBuilder(
-            projectConfiguration,
-            actionRequest,
-            steps.mapNotNull { it.result },
-            project,
+            projectConfiguration = projectConfiguration,
+            request = actionRequest,
+            results = steps.mapNotNull { it.result },
+            project = project,
+            enrolmentSubjectId = enrolmentSubjectId,
         )
 
         updateDailyActivity(appResponse)
@@ -267,6 +315,48 @@ internal class OrchestratorViewModel @Inject constructor(
         }
     }
 
+    /**
+     * Passes face or fingerprint samples to the External Credential search step
+     */
+    private fun updateExternalCredentialStepPayload(
+        currentStep: Step,
+        result: StepResult,
+    ) {
+        if (currentStep.id !in listOf(StepId.FACE_CAPTURE, StepId.FINGERPRINT_CAPTURE)) return
+        val step = steps.firstOrNull { it.id == StepId.EXTERNAL_CREDENTIAL } ?: return
+        val params = step.params as? ExternalCredentialParams ?: return
+        val updatedParams = when {
+            currentStep.id == StepId.FACE_CAPTURE && result is FaceCaptureResult -> {
+                val faceSamples = result.results
+                    .mapNotNull { it.sample }
+                    .map { MatchParams.FaceSample(it.faceId, it.template) }
+                params.copy(
+                    probeReferenceId = result.referenceId,
+                    faceSamples = faceSamples,
+                )
+            }
+
+            currentStep.id == StepId.FINGERPRINT_CAPTURE && result is FingerprintCaptureResult -> {
+                val fingerprintSamples = result.results
+                    .mapNotNull { it.sample }
+                    .map {
+                        MatchParams.FingerprintSample(
+                            fingerId = it.fingerIdentifier,
+                            format = it.format,
+                            template = it.template,
+                        )
+                    }
+                params.copy(
+                    probeReferenceId = result.referenceId,
+                    fingerprintSamples = fingerprintSamples,
+                )
+            }
+
+            else -> params
+        }
+        step.params = updatedParams
+    }
+
     fun setActionRequestFromJson(json: String) {
         try {
             actionRequest = JsonHelper.fromJson(
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/MatchStepStubPayload.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/MatchStepStubPayload.kt
index 3f5f42b978..176570381b 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/MatchStepStubPayload.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/MatchStepStubPayload.kt
@@ -6,8 +6,8 @@ import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.FingerprintConfiguration
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.matching.MatchParams
 import com.simprints.matcher.MatchContract
-import com.simprints.matcher.MatchParams
 
 /**
  * Actual matching step payload is based on capture step results, so until the it is done we are storing
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/Step.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/Step.kt
index f24eccd8ba..8d0199f78e 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/Step.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/Step.kt
@@ -18,6 +18,8 @@ import com.simprints.feature.enrollast.FaceTemplateCaptureResult
 import com.simprints.feature.enrollast.FingerTemplateCaptureResult
 import com.simprints.feature.enrollast.MatchResult
 import com.simprints.feature.exitform.ExitFormResult
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
 import com.simprints.feature.fetchsubject.FetchSubjectParams
 import com.simprints.feature.fetchsubject.FetchSubjectResult
 import com.simprints.feature.login.LoginParams
@@ -34,9 +36,9 @@ import com.simprints.fingerprint.connect.FingerprintConnectParams
 import com.simprints.fingerprint.connect.FingerprintConnectResult
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
-import com.simprints.matcher.MatchParams
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
+import com.simprints.infra.matching.MatchParams
 import java.io.Serializable
 
 @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "resultType")
@@ -71,6 +73,7 @@ import java.io.Serializable
     JsonSubTypes.Type(value = ExitFormResult::class, name = "ExitFormResult"),
     JsonSubTypes.Type(value = ValidateSubjectPoolResult::class, name = "ValidateSubjectPoolResult"),
     JsonSubTypes.Type(value = SelectSubjectAgeGroupResult::class, name = "SelectSubjectAgeGroupResult"),
+    JsonSubTypes.Type(value = ExternalCredentialSearchResult::class, name = "ExternalCredentialSearchResult"),
 )
 abstract class StepResultMixin : StepResult
 
@@ -112,6 +115,8 @@ abstract class StepResultMixin : StepResult
         value = EnrolLastBiometricStepResult.FaceCaptureResult::class,
         name = "EnrolLastBiometricStepResult.FaceCaptureResult",
     ),
+    JsonSubTypes.Type(value = ExternalCredentialParams::class, name = "ExternalCredentialParams"),
+    JsonSubTypes.Type(value = ExternalCredentialSearchResult::class, name = "ExternalCredentialSearchResult"),
     JsonSubTypes.Type(value = MatchResult::class, name = "MatchResult"),
     JsonSubTypes.Type(value = FingerTemplateCaptureResult::class, name = "FingerTemplateCaptureResult"),
     JsonSubTypes.Type(value = FaceTemplateCaptureResult::class, name = "FaceTemplateCaptureResult"),
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/StepId.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/StepId.kt
index 279839e355..8562f02bbc 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/StepId.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/steps/StepId.kt
@@ -16,6 +16,7 @@ internal object StepId {
     const val CONFIRM_IDENTITY = STEP_BASE_CORE + 5
     const val VALIDATE_ID_POOL = STEP_BASE_CORE + 6
     const val SELECT_SUBJECT_AGE = STEP_BASE_CORE + 7
+    const val EXTERNAL_CREDENTIAL = STEP_BASE_CORE + 8
 
     // Face step ids
     private const val STEP_BASE_FINGERPRINT = 300
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapRefusalOrErrorResultUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapRefusalOrErrorResultUseCase.kt
index c4ac6f77e7..619aad1d04 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapRefusalOrErrorResultUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapRefusalOrErrorResultUseCase.kt
@@ -59,7 +59,7 @@ internal class MapRefusalOrErrorResultUseCase @Inject constructor(
         is ValidateSubjectPoolResult ->
             result
                 .takeUnless { it.isValid }
-                ?.let { AppIdentifyResponse(emptyList(), eventRepository.getCurrentSessionScope().id) }
+                ?.let { AppIdentifyResponse(emptyList(), eventRepository.getCurrentSessionScope().id, isMultiFactorIdEnabled = false) }
 
         is SelectSubjectAgeGroupResult ->
             result
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCase.kt
index 21baca8249..251a2183e2 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCase.kt
@@ -8,8 +8,8 @@ import com.simprints.feature.enrollast.FingerTemplateCaptureResult
 import com.simprints.feature.enrollast.MatchResult
 import com.simprints.fingerprint.capture.FingerprintCaptureResult
 import com.simprints.infra.config.store.models.fromModuleApiToDomain
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import java.io.Serializable
 import javax.inject.Inject
 
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCase.kt
index c00db35481..69f2839a59 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCase.kt
@@ -21,10 +21,16 @@ internal class AppResponseBuilderUseCase @Inject constructor(
         projectConfiguration: ProjectConfiguration,
         request: ActionRequest?,
         results: List<Serializable>,
-        project: Project
+        project: Project,
+        enrolmentSubjectId: String,
     ): AppResponse = when (request) {
         is ActionRequest.EnrolActionRequest -> if (isNewEnrolment(projectConfiguration, results)) {
-            handleEnrolment(request, results, project)
+            handleEnrolment(
+                request = request,
+                results = results,
+                project = project,
+                enrolmentSubjectId = enrolmentSubjectId
+            )
         } else {
             handleIdentify(projectConfiguration, results)
         }
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCase.kt
index 9d93ab2900..de055b99a1 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCase.kt
@@ -12,6 +12,6 @@ internal class CreateConfirmIdentityResponseUseCase @Inject constructor() {
     operator fun invoke(results: List<Serializable>): AppResponse = results
         .filterIsInstance(SelectSubjectResult::class.java)
         .lastOrNull()
-        ?.let { AppConfirmationResponse(true) }
+        ?.let { AppConfirmationResponse(true, externalCredential = it.savedCredential) }
         ?: AppErrorResponse(AppErrorReason.UNEXPECTED_ERROR)
 }
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCase.kt
index 98881759f5..5b1d5602a3 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCase.kt
@@ -11,7 +11,10 @@ internal class CreateEnrolLastBiometricResponseUseCase @Inject constructor() {
     operator fun invoke(results: List<Serializable>) = results
         .filterIsInstance(EnrolLastBiometricResult::class.java)
         .lastOrNull()
-        ?.newSubjectId
-        ?.let { AppEnrolResponse(it) }
+        ?.let { result ->
+            result.newSubjectId?.let { guid ->
+                AppEnrolResponse(guid, result.externalCredential)
+            }
+        }
         ?: AppErrorResponse(AppErrorReason.ENROLMENT_LAST_BIOMETRICS_FAILED)
 }
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCase.kt
index f116f93446..e1da2e0a66 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCase.kt
@@ -2,6 +2,8 @@ package com.simprints.feature.orchestrator.usecases.response
 
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.face.capture.FaceCaptureResult
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
 import com.simprints.fingerprint.capture.FingerprintCaptureResult
 import com.simprints.infra.config.store.models.Project
 import com.simprints.infra.eventsync.sync.common.SubjectFactory
@@ -22,21 +24,26 @@ internal class CreateEnrolResponseUseCase @Inject constructor(
         request: ActionRequest.EnrolActionRequest,
         results: List<Serializable>,
         project: Project,
+        enrolmentSubjectId: String,
     ): AppResponse {
         val fingerprintCapture = results.filterIsInstance(FingerprintCaptureResult::class.java).lastOrNull()
         val faceCapture = results.filterIsInstance(FaceCaptureResult::class.java).lastOrNull()
+        val credentialResult = results.filterIsInstance(ExternalCredentialSearchResult::class.java).lastOrNull()
+        val externalCredential = credentialResult?.scannedCredential?.toExternalCredential(enrolmentSubjectId)
 
         return try {
             val subject = subjectFactory.buildSubjectFromCaptureResults(
+                subjectId = enrolmentSubjectId,
                 projectId = request.projectId,
                 attendantId = request.userId,
                 moduleId = request.moduleId,
                 fingerprintResponse = fingerprintCapture,
                 faceResponse = faceCapture,
+                externalCredential = externalCredential,
             )
             enrolSubject(subject, project)
 
-            AppEnrolResponse(subject.subjectId)
+            AppEnrolResponse(subject.subjectId, externalCredential)
         } catch (e: Exception) {
             Simber.e("Error creating enrol response", e, tag = ORCHESTRATION)
             AppErrorResponse(AppErrorReason.UNEXPECTED_ERROR)
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCase.kt
index 5754c93eaf..8e80443f5b 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCase.kt
@@ -1,14 +1,21 @@
 package com.simprints.feature.orchestrator.usecases.response
 
+import com.simprints.core.domain.response.AppMatchConfidence
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.infra.config.store.models.DecisionPolicy
 import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.events.session.SessionEventRepository
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
+import com.simprints.infra.matching.MatchResultItem
 import com.simprints.infra.orchestration.data.responses.AppIdentifyResponse
 import com.simprints.infra.orchestration.data.responses.AppMatchResult
 import com.simprints.infra.orchestration.data.responses.AppResponse
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
 import java.io.Serializable
 import javax.inject.Inject
+import kotlin.collections.ifEmpty
+import kotlin.collections.map
+import kotlin.collections.take
 
 internal class CreateIdentifyResponseUseCase @Inject constructor(
     private val eventRepository: SessionEventRepository,
@@ -17,21 +24,26 @@ internal class CreateIdentifyResponseUseCase @Inject constructor(
         projectConfiguration: ProjectConfiguration,
         results: List<Serializable>,
     ): AppResponse {
+        val isMultiFactorIdEnabled = projectConfiguration.multifactorId?.allowedExternalCredentials?.isNotEmpty() ?: false
+        val credentialFaceMatchResults = credentialResultsMapper(results, projectConfiguration, isFace = true)
+        val credentialFingerprintMatchResults = credentialResultsMapper(results, projectConfiguration, isFace = false)
+
         val currentSessionId = eventRepository.getCurrentSessionScope().id
 
-        val faceResults = getFaceMatchResults(results, projectConfiguration)
+        val faceResults = credentialFaceMatchResults + getFaceMatchResults(results, projectConfiguration)
         val bestFaceConfidence = faceResults.firstOrNull()?.confidenceScore ?: 0
 
-        val fingerprintResults = getFingerprintResults(results, projectConfiguration)
+        val fingerprintResults = credentialFingerprintMatchResults + getFingerprintResults(results, projectConfiguration)
         val bestFingerprintConfidence = fingerprintResults.firstOrNull()?.confidenceScore ?: 0
 
         return AppIdentifyResponse(
             sessionId = currentSessionId,
+            isMultiFactorIdEnabled = isMultiFactorIdEnabled,
             // Return the results with the highest confidence score
             identifications = if (bestFingerprintConfidence > bestFaceConfidence) {
-                fingerprintResults
+                fingerprintResults.distinctBy(AppMatchResult::guid)
             } else {
-                faceResults
+                faceResults.distinctBy(AppMatchResult::guid)
             },
         )
     }
@@ -44,16 +56,12 @@ internal class CreateIdentifyResponseUseCase @Inject constructor(
             ?.getSdkConfiguration(fingerprintMatchResult.sdk)
             ?.decisionPolicy
             ?.let { fingerprintDecisionPolicy ->
-                val matches = fingerprintMatchResult.results
-                val goodResults = matches
-                    .filter { it.confidence >= fingerprintDecisionPolicy.low }
-                    .sortedByDescending { it.confidence }
-                // Attempt to include only high confidence matches
-                goodResults
-                    .filter { it.confidence >= fingerprintDecisionPolicy.high }
-                    .ifEmpty { goodResults }
-                    .take(projectConfiguration.identification.maxNbOfReturnedCandidates)
-                    .map { AppMatchResult(it.subjectId, it.confidence, fingerprintDecisionPolicy) }
+                fingerprintMatchResult.results.mapToMatchResults(
+                    decisionPolicy = fingerprintDecisionPolicy,
+                    projectConfiguration = projectConfiguration,
+                    isCredentialMatch = false,
+                    verificationMatchThreshold = null,
+                )
             }
     } ?: emptyList()
 
@@ -65,16 +73,78 @@ internal class CreateIdentifyResponseUseCase @Inject constructor(
             ?.getSdkConfiguration(faceMatchResult.sdk)
             ?.decisionPolicy
             ?.let { faceDecisionPolicy ->
-                val matches = faceMatchResult.results
-                val goodResults = matches
-                    .filter { it.confidence >= faceDecisionPolicy.low }
-                    .sortedByDescending { it.confidence }
-                // Attempt to include only high confidence matches
-                goodResults
-                    .filter { it.confidence >= faceDecisionPolicy.high }
-                    .ifEmpty { goodResults }
-                    .take(projectConfiguration.identification.maxNbOfReturnedCandidates)
-                    .map { AppMatchResult(it.subjectId, it.confidence, faceDecisionPolicy) }
+                faceMatchResult.results.mapToMatchResults(
+                    decisionPolicy = faceDecisionPolicy,
+                    projectConfiguration = projectConfiguration,
+                    isCredentialMatch = false,
+                    verificationMatchThreshold = null,
+                )
             }
     } ?: emptyList()
+
+    private fun List<MatchResultItem>.mapToMatchResults(
+        decisionPolicy: DecisionPolicy,
+        verificationMatchThreshold: Float?,
+        projectConfiguration: ProjectConfiguration,
+        isCredentialMatch: Boolean,
+    ): List<AppMatchResult> {
+        val goodResults = this
+            .filter { it.confidence >= decisionPolicy.low }
+            .sortedByDescending { it.confidence }
+        // Attempt to include only high confidence matches
+        return goodResults
+            .filter { it.confidence >= decisionPolicy.high }
+            .ifEmpty { goodResults }
+            .take(projectConfiguration.identification.maxNbOfReturnedCandidates)
+            .map {
+                AppMatchResult(
+                    guid = it.subjectId,
+                    confidenceScore = it.confidence,
+                    decisionPolicy = decisionPolicy,
+                    isCredentialMatch = isCredentialMatch,
+                    verificationMatchThreshold = verificationMatchThreshold,
+                )
+            }
+    }
+
+    /**
+     * Checks if any of the [results] items is an instance of [ExternalCredentialSearchResult]. If such item is found, then returns a list
+     * of candidates whose verification matching score  between the taken biometric probe, and a biometric probe linked to is above
+     * project's verification threshold.
+     *
+     * @return list of [AppMatchResult] containing possible verification matches
+     */
+    private fun credentialResultsMapper(
+        results: List<Serializable>,
+        projectConfiguration: ProjectConfiguration,
+        isFace: Boolean,
+    ) = results
+        .filterIsInstance<ExternalCredentialSearchResult>()
+        .firstOrNull()
+        ?.let { credentialSearchResult ->
+            val credentialMatchItems = credentialSearchResult.matchResults.map { it.matchResult }
+            val faceMatchItems = credentialMatchItems.filterIsInstance<FaceMatchResult.Item>()
+            val fingerMatchItems = credentialMatchItems.filterIsInstance<FingerprintMatchResult.Item>()
+            val (decisionPolicy, verificationMatchThreshold) = if (isFace) {
+                credentialSearchResult.matchResults.find { it.faceBioSdk != null }?.faceBioSdk?.let { sdk ->
+                    val config = projectConfiguration.face?.getSdkConfiguration(sdk)
+                    config?.decisionPolicy to config?.verificationMatchThreshold
+                }
+            } else {
+                credentialSearchResult.matchResults.find { it.fingerprintBioSdk != null }?.fingerprintBioSdk?.let { sdk ->
+                    val config = projectConfiguration.fingerprint?.getSdkConfiguration(sdk)
+                    config?.decisionPolicy to config?.verificationMatchThreshold
+                }
+            } ?: (null to null)
+
+            if (decisionPolicy == null) return@let emptyList()
+            val matches = if (isFace) faceMatchItems else fingerMatchItems
+            return@let matches
+                .mapToMatchResults(
+                    decisionPolicy = decisionPolicy,
+                    projectConfiguration = projectConfiguration,
+                    isCredentialMatch = true,
+                    verificationMatchThreshold = verificationMatchThreshold,
+                ).sortedByDescending(AppMatchResult::confidenceScore)
+        }.orEmpty()
 }
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCase.kt
index 200f79f82d..bb75ce096d 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCase.kt
@@ -4,12 +4,12 @@ import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.FINGER_MATCHING
 import com.simprints.infra.logging.Simber
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import com.simprints.infra.orchestration.data.responses.AppErrorResponse
 import com.simprints.infra.orchestration.data.responses.AppMatchResult
 import com.simprints.infra.orchestration.data.responses.AppResponse
 import com.simprints.infra.orchestration.data.responses.AppVerifyResponse
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
 import java.io.Serializable
 import javax.inject.Inject
 
@@ -45,6 +45,7 @@ internal class CreateVerifyResponseUseCase @Inject constructor() {
                                 confidenceScore = it.confidence,
                                 decisionPolicy = sdkConfiguration.decisionPolicy,
                                 verificationMatchThreshold = sdkConfiguration.verificationMatchThreshold,
+                                isCredentialMatch = false,
                             )
                         }
                 }
@@ -68,6 +69,7 @@ internal class CreateVerifyResponseUseCase @Inject constructor() {
                                 confidenceScore = it.confidence,
                                 decisionPolicy = faceConfiguration.decisionPolicy,
                                 verificationMatchThreshold = faceConfiguration.verificationMatchThreshold,
+                                isCredentialMatch = false,
                             )
                         }
                 }
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/EnrolSubjectUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/EnrolSubjectUseCase.kt
index 7f318cf907..9d7a7c6fdc 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/EnrolSubjectUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/EnrolSubjectUseCase.kt
@@ -7,6 +7,7 @@ import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
 import com.simprints.infra.events.event.domain.models.BiometricReferenceCreationEvent
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
 import com.simprints.infra.events.session.SessionEventRepository
 import javax.inject.Inject
 
@@ -19,20 +20,27 @@ internal class EnrolSubjectUseCase @Inject constructor(
         subject: Subject,
         project: Project,
     ) {
-        val biometricReferenceIds = eventRepository
+        val events = eventRepository
             .getEventsInCurrentSession()
+
+        val biometricReferenceIds = events
             .filterIsInstance<BiometricReferenceCreationEvent>()
             .sortedByDescending { it.payload.createdAt }
             .map { it.payload.id }
 
+        val externalCredentialIds = events
+            .filterIsInstance<ExternalCredentialCaptureValueEvent>()
+            .map { it.payload.id }
+
         eventRepository.addOrUpdateEvent(
             EnrolmentEventV4(
-                timeHelper.now(),
-                subject.subjectId,
-                subject.projectId,
-                subject.moduleId,
-                subject.attendantId,
-                biometricReferenceIds,
+                createdAt = timeHelper.now(),
+                subjectId = subject.subjectId,
+                projectId = subject.projectId,
+                moduleId = subject.moduleId,
+                attendantId = subject.attendantId,
+                biometricReferenceIds = biometricReferenceIds,
+                externalCredentialIds = externalCredentialIds,
             ),
         )
         enrolmentRecordRepository.performActions(listOf(SubjectAction.Creation(subject)), project)
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCase.kt
index 9316714d30..a1e6809439 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCase.kt
@@ -1,11 +1,11 @@
 package com.simprints.feature.orchestrator.usecases.response
 
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
 import com.simprints.infra.config.store.models.ProjectConfiguration
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import java.io.Serializable
 import javax.inject.Inject
-import kotlin.text.compareTo
 
 internal class IsNewEnrolmentUseCase @Inject constructor() {
     /**
@@ -16,6 +16,16 @@ internal class IsNewEnrolmentUseCase @Inject constructor() {
         projectConfiguration: ProjectConfiguration,
         results: List<Serializable>,
     ): Boolean {
+        val hasCredentialMatchResults =
+            results
+                .filterIsInstance<ExternalCredentialSearchResult>()
+                .firstOrNull()
+                ?.matchResults
+                ?.isNotEmpty() ?: false
+        if (hasCredentialMatchResults) {
+            return false
+        }
+
         if (!projectConfiguration.general.duplicateBiometricEnrolmentCheck) {
             // Duplicate check on enrolment is disabled
             return true
diff --git a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCase.kt b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCase.kt
index 42ada62779..c0ae456e02 100644
--- a/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCase.kt
+++ b/feature/orchestrator/src/main/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCase.kt
@@ -5,6 +5,8 @@ import com.simprints.face.capture.FaceCaptureContract
 import com.simprints.feature.consent.ConsentContract
 import com.simprints.feature.consent.ConsentType
 import com.simprints.feature.enrollast.EnrolLastBiometricContract
+import com.simprints.feature.externalcredential.ExternalCredentialContract
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 import com.simprints.feature.fetchsubject.FetchSubjectContract
 import com.simprints.feature.orchestrator.R
 import com.simprints.feature.orchestrator.cache.OrchestratorCache
@@ -19,11 +21,11 @@ import com.simprints.feature.setup.SetupContract
 import com.simprints.feature.validatepool.ValidateSubjectPoolContract
 import com.simprints.fingerprint.capture.FingerprintCaptureContract
 import com.simprints.infra.config.store.models.AgeGroup
-import com.simprints.infra.config.store.models.FaceConfiguration
-import com.simprints.infra.config.store.models.FingerprintConfiguration
 import com.simprints.infra.config.store.models.GeneralConfiguration.Modality
 import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.config.store.models.allowedAgeRanges
+import com.simprints.infra.config.store.models.determineFaceSDKs
+import com.simprints.infra.config.store.models.determineFingerprintSDKs
 import com.simprints.infra.config.store.models.experimental
 import com.simprints.infra.config.store.models.fromDomainToModuleApi
 import com.simprints.infra.config.store.models.isAgeRestricted
@@ -43,12 +45,14 @@ internal class BuildStepsUseCase @Inject constructor(
     suspend fun build(
         action: ActionRequest,
         projectConfiguration: ProjectConfiguration,
+        enrolmentSubjectId: String,
+        cachedScannedCredential: ScannedCredential?,
     ) = when (action) {
         is ActionRequest.EnrolActionRequest -> listOf(
             buildSetupStep(),
             buildAgeSelectionStepIfNeeded(action, projectConfiguration),
             buildConsentStepIfNeeded(ConsentType.ENROL, projectConfiguration),
-            buildCaptureAndMatchStepsForEnrol(action, projectConfiguration),
+            buildCaptureAndMatchStepsForEnrol(action, projectConfiguration, enrolmentSubjectId = enrolmentSubjectId),
         )
 
         is ActionRequest.IdentifyActionRequest -> {
@@ -65,9 +69,10 @@ internal class BuildStepsUseCase @Inject constructor(
                 buildAgeSelectionStepIfNeeded(action, projectConfiguration),
                 buildConsentStepIfNeeded(ConsentType.IDENTIFY, projectConfiguration),
                 buildCaptureAndMatchStepsForIdentify(
-                    action,
-                    projectConfiguration,
+                    action = action,
+                    projectConfiguration = projectConfiguration,
                     subjectQuery = subjectQuery,
+                    enrolmentSubjectId = enrolmentSubjectId,
                 ),
             )
         }
@@ -87,11 +92,11 @@ internal class BuildStepsUseCase @Inject constructor(
         )
 
         is ActionRequest.EnrolLastBiometricActionRequest -> listOf(
-            buildEnrolLastBiometricStep(action, projectConfiguration),
+            buildEnrolLastBiometricStep(action, projectConfiguration, cachedScannedCredential),
         )
 
         is ActionRequest.ConfirmIdentityActionRequest -> listOf(
-            buildConfirmIdentityStep(action),
+            buildConfirmIdentityStep(action, cachedScannedCredential),
         )
     }.flatten()
 
@@ -99,18 +104,21 @@ internal class BuildStepsUseCase @Inject constructor(
         action: ActionRequest,
         projectConfiguration: ProjectConfiguration,
         ageGroup: AgeGroup,
+        enrolmentSubjectId: String,
     ): List<Step> = when (action) {
         is ActionRequest.EnrolActionRequest -> buildCaptureAndMatchStepsForEnrol(
             action,
             projectConfiguration,
             ageGroup,
+            enrolmentSubjectId,
         )
 
         is ActionRequest.IdentifyActionRequest -> buildCaptureAndMatchStepsForIdentify(
-            action,
-            projectConfiguration,
-            ageGroup,
+            action = action,
+            projectConfiguration = projectConfiguration,
+            ageGroup = ageGroup,
             subjectQuery = buildMatcherSubjectQuery(projectConfiguration, action),
+            enrolmentSubjectId = enrolmentSubjectId,
         )
 
         is ActionRequest.VerifyActionRequest -> buildCaptureAndMatchStepsForVerify(
@@ -122,63 +130,110 @@ internal class BuildStepsUseCase @Inject constructor(
         else -> emptyList()
     }
 
-    private suspend fun buildCaptureAndMatchStepsForEnrol(
-        action: ActionRequest.EnrolActionRequest,
+    private fun buildExternalCredentialStepIfNeeded(
+        ageGroup: AgeGroup?,
+        enrolmentSubjectId: String,
         projectConfiguration: ProjectConfiguration,
-        ageGroup: AgeGroup? = null,
+        flowType: FlowType,
     ): List<Step> {
-        val action = fallbackToCommCareDataSourceIfNeeded(action, projectConfiguration)
-        val resolvedAgeGroup = ageGroup ?: ageGroupFromSubjectAge(action, projectConfiguration)
+        val isExternalCredentialEnabled = projectConfiguration.multifactorId?.allowedExternalCredentials?.isNotEmpty() ?: false
+        if (!isExternalCredentialEnabled) return emptyList()
 
-        return listOf(
-            buildCaptureSteps(
-                projectConfiguration,
-                FlowType.ENROL,
-                resolvedAgeGroup,
-            ),
-            if (projectConfiguration.general.duplicateBiometricEnrolmentCheck) {
-                buildMatcherSteps(
-                    projectConfiguration,
-                    FlowType.ENROL,
-                    resolvedAgeGroup,
-                    buildMatcherSubjectQuery(projectConfiguration, action),
-                    BiometricDataSource.fromString(
-                        action.biometricDataSource,
-                        action.actionIdentifier.callerPackageName,
+        return when (flowType) {
+            FlowType.ENROL, FlowType.IDENTIFY -> {
+                listOf(
+                    Step(
+                        id = StepId.EXTERNAL_CREDENTIAL,
+                        navigationActionId = R.id.action_orchestratorFragment_to_externalCredential,
+                        destinationId = ExternalCredentialContract.DESTINATION,
+                        params = ExternalCredentialContract.getParams(
+                            subjectId = enrolmentSubjectId,
+                            flowType = flowType,
+                            ageGroup = ageGroup,
+                        ),
                     ),
                 )
-            } else {
-                emptyList()
-            },
-        ).flatten()
+            }
+
+            FlowType.VERIFY -> emptyList()
+        }
     }
 
-    private suspend fun buildCaptureAndMatchStepsForIdentify(
-        action: ActionRequest.IdentifyActionRequest,
+    private suspend fun buildCaptureAndMatchStepsForEnrol(
+        action: ActionRequest.EnrolActionRequest,
         projectConfiguration: ProjectConfiguration,
         ageGroup: AgeGroup? = null,
-        subjectQuery: SubjectQuery,
+        enrolmentSubjectId: String,
     ): List<Step> {
         val action = fallbackToCommCareDataSourceIfNeeded(action, projectConfiguration)
         val resolvedAgeGroup = ageGroup ?: ageGroupFromSubjectAge(action, projectConfiguration)
-
-        return listOf(
-            buildCaptureSteps(
-                projectConfiguration,
-                FlowType.IDENTIFY,
-                resolvedAgeGroup,
-            ),
+        val enrolFlowType = FlowType.ENROL
+        val captureSteps = buildCaptureSteps(
+            projectConfiguration,
+            enrolFlowType,
+            resolvedAgeGroup,
+        )
+        val externalCredentialStep = when {
+            captureSteps.isEmpty() -> emptyList()
+            else -> buildExternalCredentialStepIfNeeded(
+                ageGroup = ageGroup,
+                enrolmentSubjectId = enrolmentSubjectId,
+                projectConfiguration = projectConfiguration,
+                flowType = enrolFlowType,
+            )
+        }
+        val matcherSteps = if (projectConfiguration.general.duplicateBiometricEnrolmentCheck) {
             buildMatcherSteps(
                 projectConfiguration,
-                FlowType.IDENTIFY,
+                enrolFlowType,
                 resolvedAgeGroup,
-                subjectQuery,
+                buildMatcherSubjectQuery(projectConfiguration, action),
                 BiometricDataSource.fromString(
                     action.biometricDataSource,
                     action.actionIdentifier.callerPackageName,
                 ),
+            )
+        } else {
+            emptyList()
+        }
+        return captureSteps + externalCredentialStep + matcherSteps
+    }
+
+    private suspend fun buildCaptureAndMatchStepsForIdentify(
+        action: ActionRequest.IdentifyActionRequest,
+        projectConfiguration: ProjectConfiguration,
+        ageGroup: AgeGroup? = null,
+        subjectQuery: SubjectQuery,
+        enrolmentSubjectId: String,
+    ): List<Step> {
+        val action = fallbackToCommCareDataSourceIfNeeded(action, projectConfiguration)
+        val resolvedAgeGroup = ageGroup ?: ageGroupFromSubjectAge(action, projectConfiguration)
+        val identifyFlowType = FlowType.IDENTIFY
+        val captureSteps = buildCaptureSteps(
+            projectConfiguration,
+            identifyFlowType,
+            resolvedAgeGroup,
+        )
+        val externalCredentialStep = when {
+            captureSteps.isEmpty() -> emptyList()
+            else -> buildExternalCredentialStepIfNeeded(
+                ageGroup = ageGroup,
+                enrolmentSubjectId = enrolmentSubjectId,
+                projectConfiguration = projectConfiguration,
+                flowType = identifyFlowType,
+            )
+        }
+        val matcherSteps = buildMatcherSteps(
+            projectConfiguration,
+            identifyFlowType,
+            resolvedAgeGroup,
+            subjectQuery,
+            BiometricDataSource.fromString(
+                action.biometricDataSource,
+                action.actionIdentifier.callerPackageName,
             ),
-        ).flatten()
+        )
+        return captureSteps + externalCredentialStep + matcherSteps
     }
 
     private fun buildCaptureAndMatchStepsForVerify(
@@ -347,7 +402,7 @@ internal class BuildStepsUseCase @Inject constructor(
         flowType: FlowType,
     ): List<Step> = when (modality) {
         Modality.FINGERPRINT -> {
-            determineFingerprintSDKs(projectConfiguration, ageGroup).map { bioSDK ->
+            projectConfiguration.determineFingerprintSDKs(ageGroup).map { bioSDK ->
 
                 val sdkConfiguration = projectConfiguration.fingerprint?.getSdkConfiguration(bioSDK)
 
@@ -367,7 +422,7 @@ internal class BuildStepsUseCase @Inject constructor(
         }
 
         Modality.FACE -> {
-            determineFaceSDKs(projectConfiguration, ageGroup).map { bioSDK ->
+            projectConfiguration.determineFaceSDKs(ageGroup).map { bioSDK ->
                 val sdkConfiguration = projectConfiguration.face?.getSdkConfiguration(bioSDK)
 
                 // TODO: samplesToCapture can be read directly from FaceCapture
@@ -410,7 +465,7 @@ internal class BuildStepsUseCase @Inject constructor(
         biometricDataSource: BiometricDataSource,
     ): List<Step> = when (modality) {
         Modality.FINGERPRINT -> {
-            determineFingerprintSDKs(projectConfiguration, ageGroup).map { bioSDK ->
+            projectConfiguration.determineFingerprintSDKs(ageGroup).map { bioSDK ->
                 Step(
                     id = StepId.FINGERPRINT_MATCHER,
                     navigationActionId = R.id.action_orchestratorFragment_to_matcher,
@@ -426,7 +481,7 @@ internal class BuildStepsUseCase @Inject constructor(
         }
 
         Modality.FACE -> {
-            determineFaceSDKs(projectConfiguration, ageGroup).map { bioSDK ->
+            projectConfiguration.determineFaceSDKs(ageGroup).map { bioSDK ->
                 // Face bio SDK is currently ignored until we add a second one
                 Step(
                     id = StepId.FACE_MATCHER,
@@ -446,6 +501,7 @@ internal class BuildStepsUseCase @Inject constructor(
     private fun buildEnrolLastBiometricStep(
         action: ActionRequest.EnrolLastBiometricActionRequest,
         projectConfiguration: ProjectConfiguration,
+        cachedScannedCredential: ScannedCredential?,
     ): List<Step> {
         // Get capture steps needed for enrolment
         val enrolCaptureSteps = buildCaptureSteps(
@@ -471,12 +527,16 @@ internal class BuildStepsUseCase @Inject constructor(
                         userId = action.userId,
                         moduleId = action.moduleId,
                         steps = mapStepsForLastBiometrics(cache.steps.mapNotNull { it.result }),
+                        scannedCredential = cachedScannedCredential,
                     ),
                 )
         )
     }
 
-    private fun buildConfirmIdentityStep(action: ActionRequest.ConfirmIdentityActionRequest) = listOf(
+    private fun buildConfirmIdentityStep(
+        action: ActionRequest.ConfirmIdentityActionRequest,
+        cachedScannedCredential: ScannedCredential?,
+    ) = listOf(
         Step(
             id = StepId.CONFIRM_IDENTITY,
             navigationActionId = R.id.action_orchestratorFragment_to_selectSubject,
@@ -484,70 +544,11 @@ internal class BuildStepsUseCase @Inject constructor(
             params = SelectSubjectContract.getParams(
                 projectId = action.projectId,
                 subjectId = action.selectedGuid,
+                scannedCredential = cachedScannedCredential,
             ),
         ),
     )
 
-    private fun determineFingerprintSDKs(
-        projectConfiguration: ProjectConfiguration,
-        ageGroup: AgeGroup?,
-    ): List<FingerprintConfiguration.BioSdk> {
-        val sdks = mutableListOf<FingerprintConfiguration.BioSdk>()
-
-        if (!projectConfiguration.isAgeRestricted()) {
-            projectConfiguration.fingerprint?.allowedSDKs?.let { sdks.addAll(it) }
-        } else {
-            ageGroup?.let {
-                if (projectConfiguration.fingerprint
-                        ?.secugenSimMatcher
-                        ?.allowedAgeRange
-                        ?.contains(ageGroup) == true
-                ) {
-                    sdks.add(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)
-                }
-                if (projectConfiguration.fingerprint
-                        ?.nec
-                        ?.allowedAgeRange
-                        ?.contains(ageGroup) == true
-                ) {
-                    sdks.add(FingerprintConfiguration.BioSdk.NEC)
-                }
-            }
-        }
-
-        return sdks
-    }
-
-    private fun determineFaceSDKs(
-        projectConfiguration: ProjectConfiguration,
-        ageGroup: AgeGroup?,
-    ): List<FaceConfiguration.BioSdk> {
-        val sdks = mutableListOf<FaceConfiguration.BioSdk>()
-
-        if (!projectConfiguration.isAgeRestricted()) {
-            projectConfiguration.face?.allowedSDKs?.let { sdks.addAll(it) }
-        } else {
-            ageGroup?.let {
-                if (projectConfiguration.face
-                        ?.rankOne
-                        ?.allowedAgeRange
-                        ?.contains(ageGroup) == true
-                ) {
-                    sdks.add(FaceConfiguration.BioSdk.RANK_ONE)
-                }
-                if (projectConfiguration.face
-                        ?.simFace
-                        ?.allowedAgeRange
-                        ?.contains(ageGroup) == true
-                ) {
-                    sdks.add(FaceConfiguration.BioSdk.SIM_FACE)
-                }
-            }
-        }
-
-        return sdks
-    }
-
     private fun ageGroupFromSubjectAge(
         action: ActionRequest,
         projectConfiguration: ProjectConfiguration,
diff --git a/feature/orchestrator/src/main/res/navigation/graph_orchestration.xml b/feature/orchestrator/src/main/res/navigation/graph_orchestration.xml
index 56a33ef8da..43cb91cf24 100644
--- a/feature/orchestrator/src/main/res/navigation/graph_orchestration.xml
+++ b/feature/orchestrator/src/main/res/navigation/graph_orchestration.xml
@@ -77,6 +77,10 @@
     <include app:graph="@navigation/graph_validate_subject_pool" />
     <action
         android:id="@+id/action_orchestratorFragment_to_validateSubjectPool"
-        app:destination="@id/graph_validate_subject_pool"
-        />
+        app:destination="@id/graph_validate_subject_pool" />
+
+    <include app:graph="@navigation/graph_external_credential" />
+    <action
+        android:id="@+id/action_orchestratorFragment_to_externalCredential"
+        app:destination="@id/graph_external_credential" />
 </navigation>
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/OrchestratorViewModelTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/OrchestratorViewModelTest.kt
index 0efa8da3a9..493a4c12d9 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/OrchestratorViewModelTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/OrchestratorViewModelTest.kt
@@ -13,6 +13,9 @@ import com.simprints.face.capture.FaceCaptureResult
 import com.simprints.feature.consent.ConsentResult
 import com.simprints.feature.enrollast.EnrolLastBiometricParams
 import com.simprints.feature.enrollast.EnrolLastBiometricStepResult
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.ExternalCredentialParams
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 import com.simprints.feature.orchestrator.cache.OrchestratorCache
 import com.simprints.feature.orchestrator.exceptions.SubjectAgeNotSupportedException
 import com.simprints.feature.orchestrator.steps.MatchStepStubPayload
@@ -37,8 +40,8 @@ import com.simprints.infra.config.store.models.GeneralConfiguration
 import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.matching.MatchParams
 import com.simprints.infra.orchestration.data.responses.AppErrorResponse
-import com.simprints.matcher.MatchParams
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
 import io.mockk.MockKAnnotations
 import io.mockk.clearMocks
@@ -112,7 +115,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Starts executing steps when action when received`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.SETUP),
         )
 
@@ -125,7 +128,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Executes next steps after step result`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.SETUP),
             createMockStep(StepId.CONSENT),
         )
@@ -142,12 +145,12 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Returns response when all steps executed`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.SETUP),
             createMockStep(StepId.CONSENT),
         )
         coEvery { mapRefusalOrErrorResult(any(), any()) } returns null
-        coEvery { appResponseBuilder(any(), any(), any(), any()) } returns mockk()
+        coEvery { appResponseBuilder(any(), any(), any(), any(), any()) } returns mockk()
         coJustRun { dailyActivityUseCase(any()) }
         justRun { addCallbackEvent(any()) }
 
@@ -160,7 +163,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Returns response when error result received`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.SETUP),
             createMockStep(StepId.CONSENT),
         )
@@ -174,7 +177,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Returns AGE_GROUP_NOT_SUPPORTED response when step builder throws SubjectAgeNotSupportedException`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } throws SubjectAgeNotSupportedException()
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } throws SubjectAgeNotSupportedException()
 
         viewModel.handleAction(mockk())
 
@@ -187,7 +190,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Appends capture and match steps upon receiving SelectSubjectAgeGroupResult`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.SELECT_SUBJECT_AGE),
         )
         coEvery { mapRefusalOrErrorResult(any(), any()) } returns null
@@ -202,12 +205,12 @@ internal class OrchestratorViewModelTest {
                 ),
             ),
         )
-        coEvery { stepsBuilder.buildCaptureAndMatchStepsForAgeGroup(any(), any(), any()) } returns captureAndMatchSteps
+        coEvery { stepsBuilder.buildCaptureAndMatchStepsForAgeGroup(any(), any(), any(), any()) } returns captureAndMatchSteps
 
         viewModel.handleAction(mockk())
         viewModel.handleResult(SelectSubjectAgeGroupResult(AgeGroup(0, 1)))
 
-        coVerify { stepsBuilder.buildCaptureAndMatchStepsForAgeGroup(any(), any(), any()) }
+        coVerify { stepsBuilder.buildCaptureAndMatchStepsForAgeGroup(any(), any(), any(), any()) }
         viewModel.currentStep.test().value().peekContent()?.let { step ->
             assertThat(step.id).isEqualTo(StepId.FACE_CAPTURE)
         }
@@ -215,7 +218,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Updates face matcher step payload when receiving face capture`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.FACE_CAPTURE),
             createMockStep(
                 StepId.FACE_MATCHER,
@@ -238,7 +241,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Updates fingerprint matcher step payload when receiving fingerprint capture`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(StepId.FINGERPRINT_CAPTURE),
             createMockStep(
                 StepId.FINGERPRINT_MATCHER,
@@ -261,7 +264,7 @@ internal class OrchestratorViewModelTest {
 
     @Test
     fun `Updates the correct fingerprint match step when multiple fingerprint SDKs are used`() = runTest {
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             createMockStep(
                 StepId.FINGERPRINT_CAPTURE,
                 FingerprintCaptureContract.getParams(
@@ -350,7 +353,7 @@ internal class OrchestratorViewModelTest {
         val originalSteps = listOf(
             createMockStep(StepId.FINGERPRINT_CAPTURE),
         )
-        coEvery { stepsBuilder.build(any(), any()) } returns originalSteps
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns originalSteps
         val savedSteps = listOf(
             createMockStep(StepId.SETUP),
             createMockStep(StepId.CONSENT),
@@ -409,12 +412,13 @@ internal class OrchestratorViewModelTest {
         val captureStep = createMockStep(StepId.FINGERPRINT_CAPTURE)
         val enrolLastStep = createMockStep(StepId.ENROL_LAST_BIOMETRIC)
         enrolLastStep.params = EnrolLastBiometricParams(
-            "projectId",
-            TokenizableString.Tokenized("userId"),
-            TokenizableString.Tokenized("moduleId"),
-            listOf(mockk<EnrolLastBiometricStepResult>()),
+            projectId = "projectId",
+            userId = TokenizableString.Tokenized("userId"),
+            moduleId = TokenizableString.Tokenized("moduleId"),
+            steps = listOf(mockk<EnrolLastBiometricStepResult>()),
+            scannedCredential = null,
         )
-        coEvery { stepsBuilder.build(any(), any()) } returns listOf(
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
             captureStep,
             enrolLastStep,
         )
@@ -431,6 +435,145 @@ internal class OrchestratorViewModelTest {
         }
     }
 
+    @Test
+    fun `Updates external credential step payload with fingerprint samples when receiving fingerprint capture result`() = runTest {
+        val fingerprintReferenceId = "fingerprintReferenceId"
+        val fingerId1 = IFingerIdentifier.LEFT_INDEX_FINGER
+        val fingerId2 = IFingerIdentifier.RIGHT_THUMB
+        val template1 = ByteArray(10)
+        val template2 = ByteArray(20)
+        val format1 = "format1"
+        val format2 = "format2"
+
+        val fingerprintSample1 = mockk<FingerprintCaptureResult.Sample> {
+            every { fingerIdentifier } returns fingerId1
+            every { template } returns template1
+            every { format } returns format1
+        }
+        val fingerprintSample2 = mockk<FingerprintCaptureResult.Sample> {
+            every { fingerIdentifier } returns fingerId2
+            every { template } returns template2
+            every { format } returns format2
+        }
+
+        val fingerprintItem1 = mockk<FingerprintCaptureResult.Item> {
+            every { sample } returns fingerprintSample1
+        }
+        val fingerprintItem2 = mockk<FingerprintCaptureResult.Item> {
+            every { sample } returns fingerprintSample2
+        }
+
+        val externalCredentialParams = mockk<ExternalCredentialParams>(relaxed = true) {
+            every { copy(probeReferenceId = any(), fingerprintSamples = any()) } returns this
+        }
+
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
+            createMockStep(StepId.FINGERPRINT_CAPTURE),
+            createMockStep(StepId.EXTERNAL_CREDENTIAL, externalCredentialParams),
+        )
+        coEvery { mapRefusalOrErrorResult(any(), any()) } returns null
+
+        viewModel.handleAction(mockk())
+        viewModel.handleResult(
+            FingerprintCaptureResult(
+                fingerprintReferenceId,
+                listOf(fingerprintItem1, fingerprintItem2),
+            ),
+        )
+
+        val expectedFingerprintSamples = listOf(
+            MatchParams.FingerprintSample(fingerId1, format1, template1),
+            MatchParams.FingerprintSample(fingerId2, format2, template2),
+        )
+
+        verify {
+            externalCredentialParams.copy(
+                probeReferenceId = fingerprintReferenceId,
+                fingerprintSamples = expectedFingerprintSamples,
+            )
+        }
+    }
+
+    @Test
+    fun `Removes matcher steps when external credential search has good matches in identify flow`() = runTest {
+        val externalCredentialResult = mockk<ExternalCredentialSearchResult> {
+            every { flowType } returns FlowType.IDENTIFY
+            every { goodMatches } returns listOf(mockk())
+        }
+
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
+            createMockStep(StepId.FACE_CAPTURE),
+            createMockStep(StepId.FINGERPRINT_CAPTURE),
+            createMockStep(StepId.FACE_MATCHER),
+            createMockStep(StepId.FINGERPRINT_MATCHER),
+        )
+        coEvery { mapRefusalOrErrorResult(any(), any()) } returns null
+
+        viewModel.handleAction(mockk())
+        viewModel.handleResult(externalCredentialResult)
+
+        viewModel.currentStep.test().value().peekContent()?.let { step ->
+            assertThat(step.id).isNotEqualTo(StepId.FACE_MATCHER)
+            assertThat(step.id).isNotEqualTo(StepId.FINGERPRINT_MATCHER)
+        }
+    }
+
+    @Test
+    fun `Does not remove matcher steps when flow type is enrol even with good matches`() = runTest {
+        val externalCredentialResult = mockk<ExternalCredentialSearchResult> {
+            every { flowType } returns FlowType.ENROL
+            every { goodMatches } returns listOf(mockk())
+        }
+
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
+            createMockStep(StepId.FACE_CAPTURE),
+            createMockStep(StepId.FACE_MATCHER),
+        )
+        coEvery { mapRefusalOrErrorResult(any(), any()) } returns null
+
+        viewModel.handleAction(mockk())
+        viewModel.handleResult(externalCredentialResult)
+
+        val stepsObserver = viewModel.currentStep.test()
+        val allStepIds = stepsObserver.valueHistory().mapNotNull { it.peekContent()?.id }
+
+        assertThat(allStepIds).contains(StepId.FACE_MATCHER)
+    }
+
+    @Test
+    fun `Passes cached scanned credential to steps builder when external credential step exists in cache`() = runTest {
+        val mockScannedCredential = mockk<ScannedCredential>(relaxed = true)
+        val externalCredentialResult = mockk<ExternalCredentialSearchResult> {
+            every { scannedCredential } returns mockScannedCredential
+        }
+
+        val externalCredentialStep = createMockStep(StepId.EXTERNAL_CREDENTIAL).apply {
+            status = StepStatus.COMPLETED
+            result = externalCredentialResult
+        }
+
+        val cachedSteps = listOf(
+            createMockStep(StepId.SETUP).apply { status = StepStatus.COMPLETED },
+            externalCredentialStep,
+        )
+
+        every { cache.steps } returns cachedSteps
+        coEvery { stepsBuilder.build(any(), any(), any(), any()) } returns listOf(
+            createMockStep(StepId.CONFIRM_IDENTITY),
+        )
+
+        viewModel.handleAction(mockk(relaxed = true))
+
+        coVerify {
+            stepsBuilder.build(
+                action = any(),
+                projectConfiguration = any(),
+                enrolmentSubjectId = any(),
+                cachedScannedCredential = mockScannedCredential,
+            )
+        }
+    }
+
     private fun createMockStep(
         stepId: Int,
         params: StepParams? = null,
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/AddCallbackEventUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/AddCallbackEventUseCaseTest.kt
index 82401fcceb..fae3556619 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/AddCallbackEventUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/AddCallbackEventUseCaseTest.kt
@@ -1,6 +1,6 @@
 package com.simprints.feature.orchestrator.usecases
 
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
 import com.simprints.core.domain.response.AppErrorReason
 import com.simprints.core.domain.response.AppMatchConfidence
 import com.simprints.core.tools.time.TimeHelper
@@ -19,12 +19,8 @@ import com.simprints.infra.orchestration.data.responses.AppMatchResult
 import com.simprints.infra.orchestration.data.responses.AppRefusalResponse
 import com.simprints.infra.orchestration.data.responses.AppVerifyResponse
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
-import io.mockk.MockKAnnotations
-import io.mockk.Runs
-import io.mockk.coEvery
-import io.mockk.coVerify
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.just
 import kotlinx.coroutines.CoroutineScope
 import org.junit.Before
 import org.junit.Rule
@@ -57,7 +53,7 @@ class AddCallbackEventUseCaseTest {
 
     @Test
     fun `adds event for enrol response`() {
-        useCase(AppEnrolResponse("guid"))
+        useCase(AppEnrolResponse("guid", null))
 
         coVerify {
             eventRepository.addOrUpdateEvent(
@@ -74,6 +70,7 @@ class AddCallbackEventUseCaseTest {
             AppIdentifyResponse(
                 listOf(AppMatchResult("guid", 0, AppMatchConfidence.HIGH)),
                 "sessionId",
+                isMultiFactorIdEnabled = false,
             ),
         )
 
@@ -101,7 +98,7 @@ class AddCallbackEventUseCaseTest {
 
     @Test
     fun `adds event for confirmation response`() {
-        useCase(AppConfirmationResponse(true))
+        useCase(AppConfirmationResponse(true, mockk()))
 
         coVerify {
             eventRepository.addOrUpdateEvent(
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCaseTest.kt
index 24ce04a8c3..10e95ec261 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/MapStepsForLastBiometricEnrolUseCaseTest.kt
@@ -12,8 +12,8 @@ import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.Finger
 import com.simprints.infra.config.store.models.FingerprintConfiguration
 import com.simprints.infra.events.sampledata.SampleDefaults.GUID1
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import org.junit.Before
 import org.junit.Test
 
@@ -29,7 +29,7 @@ internal class MapStepsForLastBiometricEnrolUseCaseTest {
     fun `maps EnrolLastBiometricRequest correctly`() {
         val result = useCase(
             listOf(
-                EnrolLastBiometricResult("subjectId"),
+                EnrolLastBiometricResult("subjectId", null),
             ),
         )
 
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/UpdateDailyActivityUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/UpdateDailyActivityUseCaseTest.kt
index 57bdecdf8a..5d83449464 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/UpdateDailyActivityUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/UpdateDailyActivityUseCaseTest.kt
@@ -45,7 +45,7 @@ class UpdateDailyActivityUseCaseTest {
 
     @Test
     fun `Update daily activity on enrol response`() = runTest {
-        useCase(AppEnrolResponse("guid"))
+        useCase(AppEnrolResponse("guid", null))
 
         coVerify { recentUserActivityManager.updateRecentUserActivity(any()) }
     }
@@ -59,7 +59,7 @@ class UpdateDailyActivityUseCaseTest {
 
     @Test
     fun `Update daily activity on identify response`() = runTest {
-        useCase(AppIdentifyResponse(emptyList(), "guid"))
+        useCase(AppIdentifyResponse(emptyList(), "guid", isMultiFactorIdEnabled = false))
 
         coVerify { recentUserActivityManager.updateRecentUserActivity(any()) }
     }
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCaseTest.kt
index 9ad9e2d728..1ff982ba2e 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/AppResponseBuilderUseCaseTest.kt
@@ -33,12 +33,13 @@ internal class AppResponseBuilderUseCaseTest {
     lateinit var handleEnrolLastBiometric: CreateEnrolLastBiometricResponseUseCase
 
     private lateinit var useCase: AppResponseBuilderUseCase
+    private lateinit var enrolmentSubjectId: String
 
     @Before
     fun setUp() {
         MockKAnnotations.init(this, relaxUnitFun = true)
 
-        coEvery { handleEnrolment.invoke(any(), any(), any()) } returns mockk()
+        coEvery { handleEnrolment.invoke(any(), any(), any(), any()) } returns mockk()
         coEvery { handleIdentify.invoke(any(), any()) } returns mockk()
         every { handleVerify.invoke(any(), any()) } returns mockk()
         every { handleConfirmIdentity.invoke(any()) } returns mockk()
@@ -52,48 +53,49 @@ internal class AppResponseBuilderUseCaseTest {
             handleConfirmIdentity,
             handleEnrolLastBiometric,
         )
+        enrolmentSubjectId = "enrolmentSubjectId"
     }
 
     @Test
     fun `Handles as enrolment for new enrolment action`() = runTest {
         every { isNewEnrolment(any(), any()) } returns true
-        useCase(mockk(), mockk<ActionRequest.EnrolActionRequest>(), mockk(), mockk())
-        coVerify { handleEnrolment.invoke(any(), any(), any()) }
+        useCase(mockk(), mockk<ActionRequest.EnrolActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
+        coVerify { handleEnrolment.invoke(any(), any(), any(), any()) }
     }
 
     @Test
     fun `Handles as identification for enrolment action with existing item`() = runTest {
         every { isNewEnrolment(any(), any()) } returns false
-        useCase(mockk(), mockk<ActionRequest.EnrolActionRequest>(), mockk(), mockk())
+        useCase(mockk(), mockk<ActionRequest.EnrolActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
         coVerify { handleIdentify.invoke(any(), any()) }
     }
 
     @Test
     fun `Handles as identification for identification action`() = runTest {
-        useCase(mockk(), mockk<ActionRequest.IdentifyActionRequest>(), mockk(), mockk())
+        useCase(mockk(), mockk<ActionRequest.IdentifyActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
         coVerify { handleIdentify.invoke(any(), any()) }
     }
 
     @Test
     fun `Handles as verification for verification action`() = runTest {
-        useCase(mockk(), mockk<ActionRequest.VerifyActionRequest>(), mockk(), mockk())
+        useCase(mockk(), mockk<ActionRequest.VerifyActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
         coVerify { handleVerify.invoke(any(), any()) }
     }
 
     @Test
     fun `Handles as confirmIdentity for confirm action`() = runTest {
-        useCase(mockk(), mockk<ActionRequest.ConfirmIdentityActionRequest>(), mockk(), mockk())
+        useCase(mockk(), mockk<ActionRequest.ConfirmIdentityActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
         coVerify { handleConfirmIdentity.invoke(any()) }
     }
 
     @Test
     fun `Handles as enrol last biometric for enrol last action`() = runTest {
-        useCase(mockk(), mockk<ActionRequest.EnrolLastBiometricActionRequest>(), mockk(), mockk())
+        useCase(mockk(), mockk<ActionRequest.EnrolLastBiometricActionRequest>(), mockk(), mockk(), enrolmentSubjectId)
         coVerify { handleEnrolLastBiometric.invoke(any()) }
     }
 
     @Test
     fun `Handles null request`() = runTest {
-        assertThat(useCase(mockk(), null, mockk(), mockk())).isInstanceOf(AppErrorResponse::class.java)
+        assertThat(useCase(mockk(), null, mockk(), mockk(), enrolmentSubjectId)).isInstanceOf(AppErrorResponse::class.java)
     }
 }
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCaseTest.kt
index e58d0661b6..1db75a3f40 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateConfirmIdentityResponseUseCaseTest.kt
@@ -21,7 +21,7 @@ class CreateConfirmIdentityResponseUseCaseTest {
         assertThat(
             useCase(
                 listOf(
-                    SelectSubjectResult(true),
+                    SelectSubjectResult(true, mockk()),
                     mockk(),
                 ),
             ),
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCaseTest.kt
index 2e8d2e2ada..3fef68a60a 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolLastBiometricResponseUseCaseTest.kt
@@ -22,7 +22,7 @@ class CreateEnrolLastBiometricResponseUseCaseTest {
             .assertThat(
                 useCase(
                     listOf(
-                        EnrolLastBiometricResult("1234"),
+                        EnrolLastBiometricResult("1234", null),
                         mockk(),
                     ),
                 ),
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCaseTest.kt
index 974528b7e4..df5c2419a2 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateEnrolResponseUseCaseTest.kt
@@ -1,11 +1,17 @@
 package com.simprints.feature.orchestrator.usecases.response
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.face.capture.FaceCaptureResult
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 import com.simprints.feature.orchestrator.exceptions.MissingCaptureException
 import com.simprints.fingerprint.capture.FingerprintCaptureResult
 import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
 import com.simprints.infra.eventsync.sync.common.SubjectFactory
 import com.simprints.infra.orchestration.data.ActionRequest
 import com.simprints.infra.orchestration.data.responses.AppEnrolResponse
@@ -15,6 +21,7 @@ import io.mockk.coJustRun
 import io.mockk.every
 import io.mockk.impl.annotations.MockK
 import io.mockk.mockk
+import io.mockk.verify
 import kotlinx.coroutines.test.runTest
 import org.junit.Before
 import org.junit.Test
@@ -29,6 +36,10 @@ internal class CreateEnrolResponseUseCaseTest {
     @MockK
     lateinit var project: Project
 
+    private val enrolmentSubjectId = "enrolmentSubjectId"
+    private val projectId = "projectId"
+    private val credentialEncrypted = "credentialEncrypted".asTokenizableEncrypted()
+
     private val action = mockk<ActionRequest.EnrolActionRequest> {
         every { projectId } returns "projectId"
         every { userId } returns "userId".asTokenizableRaw()
@@ -49,18 +60,27 @@ internal class CreateEnrolResponseUseCaseTest {
     @Test
     fun `Converts correct results to response`() = runTest {
         every {
-            subjectFactory.buildSubjectFromCaptureResults(any(), any(), any(), any(), any())
+            subjectFactory.buildSubjectFromCaptureResults(
+                subjectId = any(),
+                projectId = any(),
+                attendantId = any(),
+                moduleId = any(),
+                fingerprintResponse = any(),
+                faceResponse = any(),
+                externalCredential = any(),
+            )
         } returns mockk { every { subjectId } returns "guid" }
 
         assertThat(
             useCase(
-                action,
-                listOf(
+                request = action,
+                results = listOf(
                     FingerprintCaptureResult("", emptyList()),
                     FaceCaptureResult("", emptyList()),
                     mockk(),
                 ),
-                project
+                project = project,
+                enrolmentSubjectId = enrolmentSubjectId,
             ),
         ).isInstanceOf(AppEnrolResponse::class.java)
     }
@@ -68,9 +88,64 @@ internal class CreateEnrolResponseUseCaseTest {
     @Test
     fun `Returns error if no valid response`() = runTest {
         every {
-            subjectFactory.buildSubjectFromCaptureResults(any(), any(), any(), null, null)
+            subjectFactory.buildSubjectFromCaptureResults(
+                subjectId = any(),
+                projectId = any(),
+                attendantId = any(),
+                moduleId = any(),
+                fingerprintResponse = null,
+                faceResponse = null,
+                externalCredential = null,
+            )
         } throws MissingCaptureException()
 
-        assertThat(useCase(action, emptyList(), project)).isInstanceOf(AppErrorResponse::class.java)
+        assertThat(useCase(action, emptyList(), project, enrolmentSubjectId)).isInstanceOf(AppErrorResponse::class.java)
+    }
+
+    @Test
+    fun `correctly processes external credential result`() = runTest {
+        val externalCredentialType = ExternalCredentialType.GhanaIdCard
+        val scannedCredentialMock = mockk<ScannedCredential> {
+            every { credentialScanId } returns "scanId"
+            every { credential } returns credentialEncrypted
+            every { credentialType } returns externalCredentialType
+        }
+        val credentialSearchResult = mockk<ExternalCredentialSearchResult> {
+            every { scannedCredential } returns scannedCredentialMock
+        }
+
+        every {
+            subjectFactory.buildSubjectFromCaptureResults(
+                subjectId = any(),
+                projectId = any(),
+                attendantId = any(),
+                moduleId = any(),
+                fingerprintResponse = any(),
+                faceResponse = any(),
+                externalCredential = any(),
+            )
+        } returns mockk { every { subjectId } returns enrolmentSubjectId }
+
+        useCase(
+            request = action,
+            results = listOf(
+                FingerprintCaptureResult("", emptyList()),
+                credentialSearchResult,
+            ),
+            project = project,
+            enrolmentSubjectId = enrolmentSubjectId,
+        )
+
+        verify {
+            subjectFactory.buildSubjectFromCaptureResults(
+                subjectId = enrolmentSubjectId,
+                projectId = projectId,
+                attendantId = any(),
+                moduleId = any(),
+                fingerprintResponse = any(),
+                faceResponse = null,
+                externalCredential = match { it.value == credentialEncrypted && it.type == externalCredentialType },
+            )
+        }
     }
 }
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCaseTest.kt
index 5e34c5b0ea..22d51a8680 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateIdentifyResponseUseCaseTest.kt
@@ -1,13 +1,15 @@
 package com.simprints.feature.orchestrator.usecases.response
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.CredentialMatch
 import com.simprints.infra.config.store.models.DecisionPolicy
 import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.FingerprintConfiguration
 import com.simprints.infra.events.session.SessionEventRepository
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import com.simprints.infra.orchestration.data.responses.AppIdentifyResponse
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
 import io.mockk.MockKAnnotations
 import io.mockk.coEvery
 import io.mockk.every
@@ -37,6 +39,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns no identifications if no decision policy`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns null
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns null
             },
@@ -50,6 +53,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns only face identifications over the low confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns null
@@ -65,6 +69,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns exactly N best face identifications over the low confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns null
@@ -80,6 +85,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns only high confidence face identifications if there are any`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns null
@@ -95,6 +101,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns only fingerprint identifications over the low confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns null
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(
@@ -114,6 +121,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns exactly N best fingerprint identifications over the low confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns null
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(
@@ -133,6 +141,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns only high confidence fingerprint identifications if there are any`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns null
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(
@@ -152,6 +161,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns fingerprint matches if both modalities available and fingerprint has higher confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(
@@ -174,6 +184,7 @@ class CreateIdentifyResponseUseCaseTest {
     fun `Returns face matches if both modalities available and face has higher confidence`() = runTest {
         val result = useCase(
             mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
                 every { identification.maxNbOfReturnedCandidates } returns 2
                 every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
                 every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns DecisionPolicy(
@@ -192,13 +203,233 @@ class CreateIdentifyResponseUseCaseTest {
         assertThat(result.identifications.map { it.confidenceScore }).isEqualTo(listOf(105))
     }
 
+    @Test
+    fun `Returns only face credential results sorted by confidence descending`() = runTest {
+        val (faceSmallConfidence, smallConfidence) = "faceSmallConfidence" to 50f
+        val (faceBigConfidence, bigConfidence) = "faceBigConfidence" to 99f
+        val faceMatches = listOf<CredentialMatch>(
+            mockk {
+                every { verificationThreshold } returns 0.0f
+                every { matchResult } returns FaceMatchResult.Item(
+                    subjectId = faceSmallConfidence,
+                    confidence = smallConfidence,
+                )
+                every { faceBioSdk } returns FaceConfiguration.BioSdk.RANK_ONE
+                every { fingerprintBioSdk } returns null
+            },
+            mockk {
+                every { matchResult } returns FaceMatchResult.Item(
+                    subjectId = faceBigConfidence,
+                    confidence = bigConfidence,
+                )
+                every { faceBioSdk } returns FaceConfiguration.BioSdk.RANK_ONE
+                every { fingerprintBioSdk } returns null
+            },
+        )
+
+        val fingerprintMatches = listOf<CredentialMatch>(
+            mockk {
+                every { matchResult } returns FingerprintMatchResult.Item(
+                    subjectId = "fingerprintSubjectId",
+                    confidence = 90f,
+                )
+                every { faceBioSdk } returns null
+                every { fingerprintBioSdk } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+            },
+        )
+
+        val result = useCase(
+            mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
+                every { identification.maxNbOfReturnedCandidates } returns 5
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.verificationMatchThreshold } returns 0.0f
+                every { fingerprint?.getSdkConfiguration(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)?.decisionPolicy } returns
+                    DecisionPolicy(20, 50, 100)
+                every {
+                    fingerprint
+                        ?.getSdkConfiguration(
+                            FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
+                        )?.verificationMatchThreshold
+                } returns
+                    0.0f
+            },
+            results = listOf(
+                mockk<ExternalCredentialSearchResult> {
+                    every { matchResults } returns faceMatches + fingerprintMatches
+                },
+            ),
+        )
+
+        assertThat((result as AppIdentifyResponse).identifications).isNotEmpty()
+        assertThat(result.identifications.map { it.guid }).isEqualTo(listOf(faceBigConfidence, faceSmallConfidence))
+        assertThat(result.identifications.map { it.confidenceScore }).isEqualTo(listOf(bigConfidence.toInt(), smallConfidence.toInt()))
+    }
+
+    @Test
+    fun `Returns only fingerprint credential results sorted by confidence descending`() = runTest {
+        val (fingerprintSmallConfidence, smallConfidence) = "fingerprintSmallConfidence" to 50f
+        val (fingerprintBigConfidence, bigConfidence) = "fingerprintBigConfidence" to 99f
+        val fingerprintMatches = listOf<CredentialMatch>(
+            mockk {
+                every { verificationThreshold } returns 0.0f
+                every { matchResult } returns FingerprintMatchResult.Item(
+                    subjectId = fingerprintSmallConfidence,
+                    confidence = smallConfidence,
+                )
+                every { faceBioSdk } returns null
+                every { fingerprintBioSdk } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+            },
+            mockk {
+                every { matchResult } returns FingerprintMatchResult.Item(
+                    subjectId = fingerprintBigConfidence,
+                    confidence = bigConfidence,
+                )
+                every { faceBioSdk } returns null
+                every { fingerprintBioSdk } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+            },
+        )
+
+        val faceMatches = listOf<CredentialMatch>(
+            mockk {
+                every { matchResult } returns FaceMatchResult.Item(
+                    subjectId = "faceSubjectId",
+                    confidence = 90f,
+                )
+                every { faceBioSdk } returns FaceConfiguration.BioSdk.RANK_ONE
+                every { fingerprintBioSdk } returns null
+            },
+        )
+
+        val result = useCase(
+            mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
+                every { identification.maxNbOfReturnedCandidates } returns 5
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.verificationMatchThreshold } returns 0.0f
+                every { fingerprint?.getSdkConfiguration(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)?.decisionPolicy } returns
+                    DecisionPolicy(20, 50, 100)
+                every {
+                    fingerprint
+                        ?.getSdkConfiguration(
+                            FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
+                        )?.verificationMatchThreshold
+                } returns
+                    0.0f
+            },
+            results = listOf(
+                mockk<ExternalCredentialSearchResult> {
+                    every { matchResults } returns fingerprintMatches + faceMatches
+                },
+            ),
+        )
+
+        assertThat((result as AppIdentifyResponse).identifications).isNotEmpty()
+        assertThat(result.identifications.map { it.guid }).isEqualTo(listOf(fingerprintBigConfidence, fingerprintSmallConfidence))
+        assertThat(result.identifications.map { it.confidenceScore }).isEqualTo(listOf(bigConfidence.toInt(), smallConfidence.toInt()))
+    }
+
+    @Test
+    fun `Returns only credential face results when same ID exists in both credential and face results`() = runTest {
+        val sharedGuid = "sharedGuid"
+        val credentialConfidence = 95f
+        val faceConfidence = 80f
+
+        val credentialFaceMatches = listOf<CredentialMatch>(
+            mockk {
+                every { matchResult } returns FaceMatchResult.Item(
+                    subjectId = sharedGuid,
+                    confidence = credentialConfidence,
+                )
+                every { faceBioSdk } returns FaceConfiguration.BioSdk.RANK_ONE
+                every { fingerprintBioSdk } returns null
+            },
+        )
+
+        val result = useCase(
+            mockk {
+                every { identification.maxNbOfReturnedCandidates } returns 5
+                every { multifactorId?.allowedExternalCredentials } returns null
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.decisionPolicy } returns DecisionPolicy(20, 50, 100)
+                every { face?.getSdkConfiguration(FaceConfiguration.BioSdk.RANK_ONE)?.verificationMatchThreshold } returns 0.0f
+                every { fingerprint?.getSdkConfiguration((any()))?.decisionPolicy } returns null
+            },
+            results = listOf(
+                mockk<ExternalCredentialSearchResult> {
+                    every { matchResults } returns credentialFaceMatches
+                },
+                FaceMatchResult(
+                    listOf(
+                        FaceMatchResult.Item(subjectId = sharedGuid, confidence = faceConfidence),
+                    ),
+                    FaceConfiguration.BioSdk.RANK_ONE,
+                ),
+            ),
+        )
+
+        assertThat((result as AppIdentifyResponse).identifications).hasSize(1)
+        assertThat(result.identifications.first().guid).isEqualTo(sharedGuid)
+        assertThat(result.identifications.first().confidenceScore).isEqualTo(credentialConfidence.toInt())
+    }
+
+    @Test
+    fun `Returns only credential fingerprint results when same ID exists in both credential and fingerprint results`() = runTest {
+        val sharedGuid = "sharedGuid"
+        val credentialConfidence = 95f
+        val fingerprintConfidence = 80f
+
+        val credentialFingerprintMatches = listOf<CredentialMatch>(
+            mockk {
+                every { verificationThreshold } returns 0.0f
+                every { matchResult } returns FingerprintMatchResult.Item(
+                    subjectId = sharedGuid,
+                    confidence = credentialConfidence,
+                )
+                every { faceBioSdk } returns null
+                every { fingerprintBioSdk } returns FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER
+            },
+        )
+
+        val result = useCase(
+            mockk {
+                every { multifactorId?.allowedExternalCredentials } returns null
+                every { identification.maxNbOfReturnedCandidates } returns 5
+                every { face?.getSdkConfiguration((any()))?.decisionPolicy } returns null
+                every { fingerprint?.getSdkConfiguration(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)?.decisionPolicy } returns
+                    DecisionPolicy(20, 50, 100)
+                every {
+                    fingerprint
+                        ?.getSdkConfiguration(
+                            FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
+                        )?.verificationMatchThreshold
+                } returns
+                    0.0f
+            },
+            results = listOf(
+                mockk<ExternalCredentialSearchResult> {
+                    every { matchResults } returns credentialFingerprintMatches
+                },
+                FingerprintMatchResult(
+                    listOf(
+                        FingerprintMatchResult.Item(subjectId = sharedGuid, confidence = fingerprintConfidence),
+                    ),
+                    FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
+                ),
+            ),
+        )
+
+        assertThat((result as AppIdentifyResponse).identifications).hasSize(1)
+        assertThat(result.identifications.first().guid).isEqualTo(sharedGuid)
+        assertThat(result.identifications.first().confidenceScore).isEqualTo(credentialConfidence.toInt())
+    }
+
     private fun createFaceMatchResult(vararg confidences: Float): Serializable = FaceMatchResult(
-        confidences.map { FaceMatchResult.Item(subjectId = "1", confidence = it) },
+        confidences.mapIndexed { i, confidence -> FaceMatchResult.Item(subjectId = "$i", confidence = confidence) },
         FaceConfiguration.BioSdk.RANK_ONE,
     )
 
     private fun createFingerprintMatchResult(vararg confidences: Float): Serializable = FingerprintMatchResult(
-        confidences.map { FingerprintMatchResult.Item(subjectId = "1", confidence = it) },
+        confidences.mapIndexed { i, confidence -> FingerprintMatchResult.Item(subjectId = "$i", confidence = confidence) },
         FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER,
     )
 }
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCaseTest.kt
index ecfa5bf937..b83cb332f7 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/CreateVerifyResponseUseCaseTest.kt
@@ -4,8 +4,8 @@ import com.google.common.truth.Truth.*
 import com.simprints.infra.config.store.models.DecisionPolicy
 import com.simprints.infra.orchestration.data.responses.AppErrorResponse
 import com.simprints.infra.orchestration.data.responses.AppVerifyResponse
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
 import io.mockk.*
 import org.junit.Before
 import org.junit.Test
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCaseTest.kt
index 49eed8295b..721293030c 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/response/IsNewEnrolmentUseCaseTest.kt
@@ -1,15 +1,15 @@
 package com.simprints.feature.orchestrator.usecases.response
 
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
+import com.simprints.feature.externalcredential.ExternalCredentialSearchResult
+import com.simprints.feature.externalcredential.model.CredentialMatch
 import com.simprints.infra.config.store.models.DecisionPolicy
 import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.ProjectConfiguration
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.FingerprintMatchResult
-import io.mockk.MockKAnnotations
-import io.mockk.every
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.FingerprintMatchResult
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.mockk
 import org.junit.Before
 import org.junit.Test
 
@@ -145,6 +145,33 @@ internal class IsNewEnrolmentUseCaseTest {
         ).isFalse()
     }
 
+    @Test
+    fun `Results are not new enrolment if external credential match results exist`() {
+        every { projectConfiguration.general.duplicateBiometricEnrolmentCheck } returns true
+
+        val credentialMatches = listOf<CredentialMatch>(
+            mockk {
+                every { matchResult } returns mockk {
+                    every { subjectId } returns "subjectId"
+                    every { confidence } returns 50f
+                }
+                every { faceBioSdk } returns FaceConfiguration.BioSdk.RANK_ONE
+                every { fingerprintBioSdk } returns null
+            },
+        )
+
+        assertThat(
+            useCase(
+                projectConfiguration,
+                listOf(
+                    mockk<ExternalCredentialSearchResult> {
+                        every { matchResults } returns credentialMatches
+                    },
+                ),
+            ),
+        ).isFalse()
+    }
+
     companion object {
         private const val MEDIUM_CONFIDENCE_SCORE = 30
         private const val LOWER_THAN_MEDIUM_SCORE = MEDIUM_CONFIDENCE_SCORE - 1f
diff --git a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCaseTest.kt b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCaseTest.kt
index 1a8ef92b86..348e7c7c64 100644
--- a/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCaseTest.kt
+++ b/feature/orchestrator/src/test/java/com/simprints/feature/orchestrator/usecases/steps/BuildStepsUseCaseTest.kt
@@ -1,10 +1,14 @@
 package com.simprints.feature.orchestrator.usecases.steps
 
+import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 import com.simprints.feature.orchestrator.cache.OrchestratorCache
 import com.simprints.feature.orchestrator.exceptions.SubjectAgeNotSupportedException
 import com.simprints.feature.orchestrator.steps.Step
 import com.simprints.feature.orchestrator.steps.StepId
 import com.simprints.feature.orchestrator.usecases.MapStepsForLastBiometricEnrolUseCase
+import com.simprints.feature.selectsubject.SelectSubjectParams
 import com.simprints.infra.config.store.models.AgeGroup
 import com.simprints.infra.config.store.models.FaceConfiguration
 import com.simprints.infra.config.store.models.Finger
@@ -46,12 +50,17 @@ class BuildStepsUseCaseTest {
     @RelaxedMockK
     private lateinit var nec: FingerprintConfiguration.FingerprintSdkConfiguration
 
+    @RelaxedMockK
+    private lateinit var cachedScannedCredential: ScannedCredential
+
     private lateinit var useCase: BuildStepsUseCase
+    private lateinit var enrolmentSubjectId: String
 
     @Before
     fun setup() {
         MockKAnnotations.init(this)
         useCase = BuildStepsUseCase(buildMatcherSubjectQuery, cache, mapStepsForLastBiometrics, fallbackToCommCareDataSourceIfNeeded)
+        enrolmentSubjectId = "enrolmentSubjectId"
 
         // Setup fallback use case to return the input actions unchanged by default
         coEvery { fallbackToCommCareDataSourceIfNeeded(any<ActionRequest.EnrolActionRequest>(), any()) } answers { firstArg() }
@@ -111,7 +120,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -131,7 +140,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -150,7 +159,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -174,7 +183,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -194,7 +203,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -217,7 +226,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -236,7 +245,7 @@ class BuildStepsUseCaseTest {
         every { action.getSubjectAgeIfAvailable() } returns null
         every { projectConfiguration.experimental().idPoolValidationEnabled } returns true
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -259,7 +268,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -283,7 +292,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -302,7 +311,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.ConfirmIdentityActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -321,7 +330,7 @@ class BuildStepsUseCaseTest {
             Step(StepId.FACE_CAPTURE, mockk(relaxed = true), mockk(relaxed = true), mockk(relaxed = true)),
         )
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -340,7 +349,7 @@ class BuildStepsUseCaseTest {
             Step(StepId.FACE_CAPTURE, mockk(relaxed = true), mockk(relaxed = true), mockk(relaxed = true)),
         )
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -361,7 +370,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -382,7 +391,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -403,7 +412,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns null
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -425,7 +434,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns 25 // Subject age within the supported range
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -449,7 +458,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns 25 // Subject age within the supported range
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -475,7 +484,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns 25 // Subject age within the supported range
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -502,7 +511,7 @@ class BuildStepsUseCaseTest {
             every { getSubjectAgeIfAvailable() } returns 25
             every { biometricDataSource } returns "COMMCARE"
         }
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -528,7 +537,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns 25 // Subject age within the supported range
 
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -555,7 +564,7 @@ class BuildStepsUseCaseTest {
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
         every { action.getSubjectAgeIfAvailable() } returns 25 // Subject age within the supported range
         every { action.biometricDataSource } returns "COMMCARE"
-        val steps = useCase.build(action, projectConfiguration)
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
 
         assertStepOrder(
             steps,
@@ -583,7 +592,7 @@ class BuildStepsUseCaseTest {
         every { action.getSubjectAgeIfAvailable() } returns 20 // Subject age not supported by any SDK
 
         assertThrows(SubjectAgeNotSupportedException::class.java) {
-            runBlocking { useCase.build(action, projectConfiguration) }
+            runBlocking { useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential) }
         }
     }
 
@@ -599,7 +608,7 @@ class BuildStepsUseCaseTest {
         every { action.getSubjectAgeIfAvailable() } returns 20 // Subject age not supported by any SDK
 
         assertThrows(SubjectAgeNotSupportedException::class.java) {
-            runBlocking { useCase.build(action, projectConfiguration) }
+            runBlocking { useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential) }
         }
     }
 
@@ -615,7 +624,7 @@ class BuildStepsUseCaseTest {
         every { action.getSubjectAgeIfAvailable() } returns 20 // Subject age not supported by any SDK
 
         assertThrows(SubjectAgeNotSupportedException::class.java) {
-            runBlocking { useCase.build(action, projectConfiguration) }
+            runBlocking { useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential) }
         }
     }
 
@@ -629,7 +638,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup)
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup, enrolmentSubjectId)
 
         assertStepOrder(
             steps,
@@ -650,7 +659,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup)
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup, enrolmentSubjectId)
 
         assertStepOrder(
             steps,
@@ -673,7 +682,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup)
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup, enrolmentSubjectId)
 
         assertStepOrder(
             steps,
@@ -696,7 +705,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup)
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup, enrolmentSubjectId)
 
         assertStepOrder(
             steps,
@@ -720,7 +729,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup)
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, ageGroup, enrolmentSubjectId)
 
         assertStepOrder(
             steps,
@@ -741,7 +750,7 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.ConfirmIdentityActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, AgeGroup(18, 60))
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, AgeGroup(18, 60), enrolmentSubjectId)
 
         assertEquals(0, steps.size)
     }
@@ -752,8 +761,130 @@ class BuildStepsUseCaseTest {
 
         val action = mockk<ActionRequest.EnrolLastBiometricActionRequest>(relaxed = true)
 
-        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, AgeGroup(18, 60))
+        val steps = useCase.buildCaptureAndMatchStepsForAgeGroup(action, projectConfiguration, AgeGroup(18, 60), enrolmentSubjectId)
 
         assertEquals(0, steps.size)
     }
+
+    @Test
+    fun `build external credential not enabled - no external credential step`() = runTest {
+        val projectConfiguration = mockCommonProjectConfiguration()
+        every { projectConfiguration.multifactorId?.allowedExternalCredentials } returns emptyList()
+
+        val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
+        every { action.getSubjectAgeIfAvailable() } returns null
+
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
+
+        // Should not contain EXTERNAL_CREDENTIAL step
+        assertStepOrder(
+            steps,
+            StepId.SETUP,
+            StepId.CONSENT,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FACE_CAPTURE,
+        )
+    }
+
+    @Test
+    fun `build enrol action - external credential enabled - returns external credential step`() = runTest {
+        val projectConfiguration = mockCommonProjectConfiguration()
+        every { projectConfiguration.multifactorId?.allowedExternalCredentials } returns ExternalCredentialType.entries
+
+        val action = mockk<ActionRequest.EnrolActionRequest>(relaxed = true)
+        every { action.getSubjectAgeIfAvailable() } returns null
+
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
+
+        assertStepOrder(
+            steps,
+            StepId.SETUP,
+            StepId.CONSENT,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FACE_CAPTURE,
+            StepId.EXTERNAL_CREDENTIAL,
+        )
+    }
+
+    @Test
+    fun `build identify action - external credential enabled - returns external credential step`() = runTest {
+        val projectConfiguration = mockCommonProjectConfiguration()
+        every { projectConfiguration.multifactorId?.allowedExternalCredentials } returns ExternalCredentialType.entries
+
+        val action = mockk<ActionRequest.IdentifyActionRequest>(relaxed = true)
+        every { action.getSubjectAgeIfAvailable() } returns null
+
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
+
+        assertStepOrder(
+            steps,
+            StepId.SETUP,
+            StepId.CONSENT,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FACE_CAPTURE,
+            StepId.EXTERNAL_CREDENTIAL,
+            StepId.FINGERPRINT_MATCHER,
+            StepId.FINGERPRINT_MATCHER,
+            StepId.FACE_MATCHER,
+        )
+    }
+
+    @Test
+    fun `build verify action - external credential enabled - no external credential step`() = runTest {
+        val projectConfiguration = mockCommonProjectConfiguration()
+        every { projectConfiguration.multifactorId?.allowedExternalCredentials } returns ExternalCredentialType.entries
+
+        val action = mockk<ActionRequest.VerifyActionRequest>(relaxed = true)
+        every { action.getSubjectAgeIfAvailable() } returns null
+
+        val steps = useCase.build(action, projectConfiguration, enrolmentSubjectId, cachedScannedCredential)
+
+        // Should not contain EXTERNAL_CREDENTIAL step for VERIFY flow
+        assertStepOrder(
+            steps,
+            StepId.SETUP,
+            StepId.FETCH_GUID,
+            StepId.CONSENT,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FINGERPRINT_CAPTURE,
+            StepId.FACE_CAPTURE,
+            StepId.FINGERPRINT_MATCHER,
+            StepId.FINGERPRINT_MATCHER,
+            StepId.FACE_MATCHER,
+        )
+    }
+
+    @Test
+    fun `build confirm identity action - cachedScannedCredential is passed correctly`() = runTest {
+        val testProjectId = "projectId"
+        val guid = "guid"
+        val projectConfiguration = mockCommonProjectConfiguration()
+        val cachedScannedCredential = mockk<ScannedCredential>(relaxed = true)
+
+        val action = mockk<ActionRequest.ConfirmIdentityActionRequest>(relaxed = true) {
+            every { projectId } returns testProjectId
+            every { selectedGuid } returns guid
+            every { getSubjectAgeIfAvailable() } returns null
+        }
+
+        val steps = useCase.build(
+            action = action,
+            projectConfiguration = projectConfiguration,
+            enrolmentSubjectId = enrolmentSubjectId,
+            cachedScannedCredential = cachedScannedCredential,
+        )
+
+        assertStepOrder(steps, StepId.CONFIRM_IDENTITY)
+
+        val confirmIdentityStep = steps.first()
+        val params = confirmIdentityStep.params as? SelectSubjectParams
+
+        assertThat(params).isNotNull()
+        assertThat(params?.projectId).isEqualTo(testProjectId)
+        assertThat(params?.subjectId).isEqualTo(guid)
+        assertThat(params?.scannedCredential).isEqualTo(cachedScannedCredential)
+    }
 }
diff --git a/feature/select-subject/build.gradle.kts b/feature/select-subject/build.gradle.kts
index 948238d649..b7b9aaaeec 100644
--- a/feature/select-subject/build.gradle.kts
+++ b/feature/select-subject/build.gradle.kts
@@ -10,4 +10,8 @@ android {
 dependencies {
     implementation(project(":infra:events"))
     implementation(project(":infra:auth-store"))
+    implementation(project(":infra:enrolment-records:repository"))
+    implementation(project(":infra:config-sync"))
+    implementation(project(":infra:config-store"))
+    implementation(project(":feature:external-credential"))
 }
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectContract.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectContract.kt
index 920e368487..d56ce2d789 100644
--- a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectContract.kt
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectContract.kt
@@ -1,10 +1,13 @@
 package com.simprints.feature.selectsubject
 
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+
 object SelectSubjectContract {
     val DESTINATION = R.id.selectSubjectFragment
 
     fun getParams(
         projectId: String,
         subjectId: String,
-    ) = SelectSubjectParams(projectId, subjectId)
+        scannedCredential: ScannedCredential?
+    ) = SelectSubjectParams(projectId, subjectId, scannedCredential)
 }
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectParams.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectParams.kt
index ecb6e06887..538a185b7e 100644
--- a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectParams.kt
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectParams.kt
@@ -2,9 +2,11 @@ package com.simprints.feature.selectsubject
 
 import androidx.annotation.Keep
 import com.simprints.core.domain.step.StepParams
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
 
 @Keep
 data class SelectSubjectParams(
     val projectId: String,
     val subjectId: String,
+    val scannedCredential: ScannedCredential?,
 ) : StepParams
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectResult.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectResult.kt
index 2cf2df730e..19da82f83c 100644
--- a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectResult.kt
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/SelectSubjectResult.kt
@@ -1,9 +1,11 @@
 package com.simprints.feature.selectsubject
 
 import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.step.StepResult
 
 @Keep
 data class SelectSubjectResult(
-    val success: Boolean,
+    val isSubjectIdSaved: Boolean,
+    val savedCredential: ExternalCredential?,
 ) : StepResult
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/model/SelectSubjectState.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/model/SelectSubjectState.kt
new file mode 100644
index 0000000000..d2c3f93dc0
--- /dev/null
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/model/SelectSubjectState.kt
@@ -0,0 +1,23 @@
+package com.simprints.feature.selectsubject.model
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+internal sealed class SelectSubjectState {
+    data object SavingSubjectId : SelectSubjectState()
+
+    data object SavingExternalCredential : SelectSubjectState()
+
+    data class CredentialDialogDisplayed(
+        val scannedCredential: ScannedCredential,
+        val displayedCredential: TokenizableString.Raw,
+    ) : SelectSubjectState()
+
+    companion object {
+        val EMPTY = SelectSubjectState.SavingSubjectId
+    }
+}
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectFragment.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectFragment.kt
index c4cf6ecd24..c4a7e694dd 100644
--- a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectFragment.kt
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectFragment.kt
@@ -1,24 +1,55 @@
 package com.simprints.feature.selectsubject.screen
 
+import android.animation.Animator
+import android.animation.AnimatorListenerAdapter
+import android.animation.ObjectAnimator
 import android.os.Bundle
 import android.view.View
+import android.view.animation.DecelerateInterpolator
+import androidx.core.view.isVisible
 import androidx.fragment.app.Fragment
 import androidx.fragment.app.viewModels
+import androidx.lifecycle.ViewModel
+import androidx.lifecycle.ViewModelProvider
 import androidx.navigation.fragment.findNavController
+import com.google.android.material.bottomsheet.BottomSheetDialog
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.view.ScannedCredentialDialog
 import com.simprints.feature.selectsubject.R
 import com.simprints.feature.selectsubject.SelectSubjectParams
 import com.simprints.feature.selectsubject.SelectSubjectResult
+import com.simprints.feature.selectsubject.databinding.FragmentSelectSubjectBinding
+import com.simprints.feature.selectsubject.model.SelectSubjectState
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.ORCHESTRATION
 import com.simprints.infra.logging.Simber
 import com.simprints.infra.uibase.navigation.finishWithResult
 import com.simprints.infra.uibase.navigation.navigationParams
 import com.simprints.infra.uibase.view.applySystemBarInsets
+import com.simprints.infra.uibase.viewbinding.viewBinding
 import dagger.hilt.android.AndroidEntryPoint
+import javax.inject.Inject
 
 @AndroidEntryPoint
 internal class SelectSubjectFragment : Fragment(R.layout.fragment_select_subject) {
-    private val viewModel: SelectSubjectViewModel by viewModels()
     private val params: SelectSubjectParams by navigationParams()
+    private val binding by viewBinding(FragmentSelectSubjectBinding::bind)
+    private val viewModel by viewModels<SelectSubjectViewModel> {
+        object : ViewModelProvider.Factory {
+            override fun <T : ViewModel> create(modelClass: Class<T>): T {
+                @Suppress("UNCHECKED_CAST")
+                return viewModelFactory.create(params) as T
+            }
+        }
+    }
+
+    private var isAnimatingCompletion: Boolean = false
+    private var pendingFinishAction: (() -> Unit)? = null
+    private var progressAnimator: ObjectAnimator? = null
+
+    @Inject
+    lateinit var viewModelFactory: SelectSubjectViewModel.Factory
+    private var dialog: BottomSheetDialog? = null
 
     override fun onViewCreated(
         view: View,
@@ -28,13 +59,84 @@ internal class SelectSubjectFragment : Fragment(R.layout.fragment_select_subject
         applySystemBarInsets(view)
         Simber.i("SelectSubjectFragment started", tag = ORCHESTRATION)
 
+        initObservers()
+    }
+
+    override fun onDestroyView() {
+        clearAnimations()
+        dismissDialog()
+        super.onDestroyView()
+    }
+
+    private fun clearAnimations() {
+        pendingFinishAction = null
+        isAnimatingCompletion = false
+        progressAnimator?.cancel()
+    }
+
+    private fun dismissDialog() {
+        dialog?.dismiss()
+        dialog = null
+    }
+
+    private fun initObservers() {
+        viewModel.stateLiveData.observe(viewLifecycleOwner) { state ->
+            when (state) {
+                is SelectSubjectState.CredentialDialogDisplayed -> {
+                    displayCredentialDialog(state.scannedCredential, state.displayedCredential)
+                }
+
+                SelectSubjectState.SavingExternalCredential -> renderSavingCredential()
+                SelectSubjectState.SavingSubjectId -> renderSavingSubjectId()
+            }
+        }
         viewModel.finish.observe(viewLifecycleOwner) {
             it.getContentIfNotHandled()?.let(::finishWithResult)
         }
-        viewModel.saveGuidSelection(params.projectId, params.subjectId)
     }
 
-    private fun finishWithResult(success: Boolean) {
-        findNavController().finishWithResult(this, SelectSubjectResult(success))
+    private fun renderSavingCredential() = with(binding) {
+        saveCredentialProgressContainer.isVisible = true
+        confirmationSentContainer.isVisible = false
+        startCredentialSaveAnimation()
+    }
+
+    private fun renderSavingSubjectId() = with(binding) {
+        saveCredentialProgressContainer.isVisible = false
+        confirmationSentContainer.isVisible = true
+    }
+
+    private fun displayCredentialDialog(scannedCredential: ScannedCredential, displayedCredential: TokenizableString.Raw) {
+        dialog = ScannedCredentialDialog(
+            context = requireActivity(),
+            credential = scannedCredential,
+            displayedCredential = displayedCredential,
+            onConfirm = { viewModel.saveCredential(scannedCredential) },
+            onSkip = (viewModel::finishWithoutSavingCredential)
+        ).also(ScannedCredentialDialog::show)
+    }
+
+    private fun startCredentialSaveAnimation() = with(binding) {
+        progressAnimator = ObjectAnimator.ofInt(progressBar, "progress", 0, 100).apply {
+            this.duration = PROGRESS_BAR_DURATION_MS
+            interpolator = DecelerateInterpolator()
+            addListener(object : AnimatorListenerAdapter() {
+                override fun onAnimationEnd(animation: Animator) {
+                    isAnimatingCompletion = false
+                    // Execute any pending action after the animation. Currently used is for next fragment navigation
+                    pendingFinishAction?.invoke()
+                    pendingFinishAction = null
+                }
+            })
+        }
+        progressAnimator?.start()
+    }
+
+    private fun finishWithResult(result: SelectSubjectResult) {
+        findNavController().finishWithResult(this, result)
+    }
+
+    companion object {
+        private const val PROGRESS_BAR_DURATION_MS = 1500L
     }
 }
diff --git a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModel.kt b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModel.kt
index 14f4b02a4d..46b70e2f7f 100644
--- a/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModel.kt
+++ b/feature/select-subject/src/main/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModel.kt
@@ -3,53 +3,175 @@ package com.simprints.feature.selectsubject.screen
 import androidx.lifecycle.LiveData
 import androidx.lifecycle.MutableLiveData
 import androidx.lifecycle.ViewModel
+import androidx.lifecycle.viewModelScope
 import com.simprints.core.SessionCoroutineScope
+import com.simprints.core.domain.tokenization.TokenizableString
 import com.simprints.core.livedata.LiveDataEventWithContent
 import com.simprints.core.livedata.send
 import com.simprints.core.tools.time.TimeHelper
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.screens.search.model.toExternalCredential
+import com.simprints.feature.externalcredential.usecase.AddExternalCredentialToSubjectUseCase
+import com.simprints.feature.selectsubject.SelectSubjectParams
+import com.simprints.feature.selectsubject.SelectSubjectResult
+import com.simprints.feature.selectsubject.model.SelectSubjectState
 import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
 import com.simprints.infra.events.event.domain.models.GuidSelectionEvent
 import com.simprints.infra.events.session.SessionEventRepository
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.SESSION
 import com.simprints.infra.logging.Simber
-import dagger.hilt.android.lifecycle.HiltViewModel
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
-import javax.inject.Inject
 
-@HiltViewModel
-internal class SelectSubjectViewModel @Inject constructor(
+internal class SelectSubjectViewModel @AssistedInject constructor(
+    @Assisted private val params: SelectSubjectParams,
     private val timeHelper: TimeHelper,
     private val authStore: AuthStore,
     private val eventRepository: SessionEventRepository,
+    private val configManager: ConfigManager,
+    private val addExternalCredentialToSubjectUseCase: AddExternalCredentialToSubjectUseCase,
+    private val enrolmentRecordRepository: EnrolmentRecordRepository,
+    private val tokenizationProcessor: TokenizationProcessor,
     @SessionCoroutineScope private val sessionCoroutineScope: CoroutineScope,
 ) : ViewModel() {
-    val finish: LiveData<LiveDataEventWithContent<Boolean>>
+    @AssistedFactory
+    interface Factory {
+        fun create(selectSubjectParams: SelectSubjectParams): SelectSubjectViewModel
+    }
+
+    private var state: SelectSubjectState = SelectSubjectState.EMPTY
+        set(value) {
+            field = value
+            _stateLiveData.postValue(value)
+        }
+    private val _stateLiveData = MutableLiveData<SelectSubjectState>()
+    val stateLiveData: LiveData<SelectSubjectState> = _stateLiveData
+    val finish: LiveData<LiveDataEventWithContent<SelectSubjectResult>>
         get() = _finish
-    private var _finish = MutableLiveData<LiveDataEventWithContent<Boolean>>()
+    private var _finish = MutableLiveData<LiveDataEventWithContent<SelectSubjectResult>>()
+
+    private fun updateState(state: (SelectSubjectState) -> SelectSubjectState) {
+        this.state = state(this.state)
+    }
+
+    init {
+        viewModelScope.launch {
+            val isSaved = saveGuidSelection(projectId = params.projectId, subjectId = params.subjectId)
+            if (!isSaved) {
+                _finish.send(SelectSubjectResult(isSubjectIdSaved = false, savedCredential = null))
+                return@launch
+            }
 
-    fun saveGuidSelection(
+            val dialogDisplayedState = getDisplayDialogStateIfRequired(params.scannedCredential, params.subjectId)
+            if (dialogDisplayedState != null) {
+                updateState { dialogDisplayedState }
+            } else {
+                val credential = params.scannedCredential?.toExternalCredential(params.subjectId)
+                _finish.send(SelectSubjectResult(isSubjectIdSaved = true, savedCredential = credential))
+            }
+        }
+    }
+
+    private suspend fun saveGuidSelection(
         projectId: String,
         subjectId: String,
-    ) {
-        if (authStore.isProjectIdSignedIn(projectId)) {
-            saveSelectionEvent(subjectId)
-        } else {
-            _finish.send(false)
+    ): Boolean {
+        updateState { SelectSubjectState.SavingSubjectId }
+        if (!authStore.isProjectIdSignedIn(projectId)) return false
+        return saveSelectionEvent(subjectId)
+    }
+
+    private suspend fun getDisplayDialogStateIfRequired(
+        scannedCredential: ScannedCredential?,
+        subjectId: String,
+    ): SelectSubjectState.CredentialDialogDisplayed? {
+        if (scannedCredential == null) return null
+        val credential = scannedCredential.credential
+        val project = configManager.getProject(authStore.signedInProjectId)
+        val isCredentialAlreadyLinkedToSubject = enrolmentRecordRepository
+            .load(
+                SubjectQuery(
+                    projectId = project.id,
+                    subjectId = subjectId,
+                    externalCredential = credential,
+                ),
+            ).isNotEmpty()
+
+        if (isCredentialAlreadyLinkedToSubject) return null
+
+        val decrypted = tokenizationProcessor.decrypt(
+            encrypted = credential,
+            tokenKeyType = TokenKeyType.ExternalCredential,
+            project = project,
+        ) as TokenizableString.Raw
+        return SelectSubjectState.CredentialDialogDisplayed(scannedCredential = scannedCredential, displayedCredential = decrypted)
+    }
+
+    fun saveCredential(scannedCredential: ScannedCredential) {
+        updateState { SelectSubjectState.SavingExternalCredential }
+        viewModelScope.launch {
+            val addedCredential = try {
+                addExternalCredentialToSubjectUseCase(scannedCredential, subjectId = params.subjectId, projectId = params.projectId)
+                saveCredentialSelectionEvent(params.subjectId)
+                scannedCredential
+            } catch (e: Exception) {
+                Simber.e("Failed to attach scanned credential", e, tag = SESSION)
+                null
+            }
+            _finish.send(
+                SelectSubjectResult(
+                    isSubjectIdSaved = true,
+                    savedCredential = addedCredential?.toExternalCredential(params.subjectId),
+                ),
+            )
+        }
+    }
+
+    fun finishWithoutSavingCredential() {
+        _finish.send(SelectSubjectResult(isSubjectIdSaved = true, savedCredential = null))
+    }
+
+    private suspend fun saveCredentialSelectionEvent(subjectId: String) = with(sessionCoroutineScope) {
+        try {
+            val externalCredentialIdsToAdd = eventRepository
+                .getEventsInCurrentSession()
+                .filterIsInstance<ExternalCredentialCaptureValueEvent>()
+                .map { it.payload.id }
+
+            Simber.d("Adding credentials $externalCredentialIdsToAdd to subject $subjectId", tag = SESSION)
+            eventRepository.addOrUpdateEvent(
+                EnrolmentUpdateEvent(
+                    timeHelper.now(),
+                    subjectId = subjectId,
+                    externalCredentialIdsToAdd = externalCredentialIdsToAdd,
+                ),
+            )
+        } catch (t: Throwable) {
+            Simber.e("Failed to save Enrolment Update Event", t, tag = SESSION)
         }
     }
 
-    private fun saveSelectionEvent(subjectId: String) = sessionCoroutineScope.launch {
+    private suspend fun saveSelectionEvent(subjectId: String): Boolean = with(sessionCoroutineScope) {
         try {
             val event = GuidSelectionEvent(timeHelper.now(), subjectId)
             eventRepository.addOrUpdateEvent(event)
 
             Simber.i("Added Guid Selection Event", tag = SESSION)
-            _finish.send(true)
+            return true
         } catch (t: Throwable) {
             // It doesn't matter if it was an error, we always return a result
             Simber.e("Failed to save Guid Selection Event", t, tag = SESSION)
-            _finish.send(false)
+            return false
         }
     }
 }
diff --git a/feature/select-subject/src/main/res/layout/fragment_select_subject.xml b/feature/select-subject/src/main/res/layout/fragment_select_subject.xml
index 6f302072f9..c15d3c0cb1 100644
--- a/feature/select-subject/src/main/res/layout/fragment_select_subject.xml
+++ b/feature/select-subject/src/main/res/layout/fragment_select_subject.xml
@@ -6,44 +6,78 @@
     android:layout_height="match_parent"
     android:background="@color/simprints_blue">
 
-    <TextView
-        android:id="@+id/confirmationSent"
-        style="@style/Text.Headline5.White"
-        android:layout_width="wrap_content"
-        android:layout_height="wrap_content"
-        android:drawablePadding="8dp"
-        android:text="@string/select_subject_confirmation_sent"
-        app:drawableStartCompat="@drawable/ic_checked_green_large"
-        app:layout_constraintBottom_toTopOf="@+id/redirectingBack"
+    <ImageView
+        android:id="@+id/loginImageViewLogo"
+        android:layout_width="100dp"
+        android:layout_height="100dp"
+        android:importantForAccessibility="no"
+        android:src="@drawable/simprints_logo"
+        app:layout_constraintBottom_toBottomOf="parent"
         app:layout_constraintEnd_toEndOf="parent"
-        app:layout_constraintHorizontal_bias="0.5"
         app:layout_constraintStart_toStartOf="parent"
-        app:layout_constraintTop_toTopOf="parent"
-        app:layout_constraintVertical_chainStyle="packed"
-        tools:visibility="visible" />
-
-    <TextView
-        android:id="@+id/redirectingBack"
-        style="@style/Text.Subtitle1.White"
-        android:layout_width="wrap_content"
+        app:layout_constraintTop_toTopOf="parent" />
+
+    <LinearLayout
+        android:id="@+id/confirmationSentContainer"
+        android:layout_width="0dp"
         android:layout_height="wrap_content"
+        android:gravity="center"
+        android:orientation="vertical"
         android:layout_margin="16dp"
-        android:text="@string/select_subject_redirecting_back"
-        app:layout_constraintBottom_toTopOf="@+id/loginImageViewLogo"
+        android:visibility="gone"
         app:layout_constraintEnd_toEndOf="parent"
-        app:layout_constraintHorizontal_bias="0.5"
         app:layout_constraintStart_toStartOf="parent"
-        app:layout_constraintTop_toBottomOf="@+id/confirmationSent"
-        tools:visibility="visible" />
+        app:layout_constraintTop_toBottomOf="@+id/loginImageViewLogo"
+        tools:visibility="visible">
 
-    <ImageView
-        android:id="@+id/loginImageViewLogo"
-        android:layout_width="100dp"
-        android:layout_height="100dp"
-        android:src="@drawable/simprints_logo"
-        app:layout_constraintBottom_toBottomOf="parent"
+        <TextView
+            style="@style/Text.Headline5.White"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:drawablePadding="8dp"
+            android:text="@string/select_subject_confirmation_sent"
+            app:drawableStartCompat="@drawable/ic_checked_green_large"
+            app:layout_constraintBottom_toTopOf="@+id/redirectingBack"
+            tools:visibility="visible" />
+
+        <TextView
+            android:id="@+id/redirectingBack"
+            style="@style/Text.Subtitle1.White"
+            android:layout_width="wrap_content"
+            android:layout_height="wrap_content"
+            android:text="@string/select_subject_redirecting_back"
+            tools:visibility="visible" />
+    </LinearLayout>
+
+    <LinearLayout
+        android:id="@+id/saveCredentialProgressContainer"
+        android:layout_width="0dp"
+        android:layout_height="wrap_content"
+        android:orientation="vertical"
+        android:padding="@dimen/padding_default"
+        android:visibility="gone"
         app:layout_constraintEnd_toEndOf="parent"
-        app:layout_constraintHorizontal_bias="0.5"
         app:layout_constraintStart_toStartOf="parent"
-        app:layout_constraintTop_toBottomOf="@+id/redirectingBack" />
+        app:layout_constraintTop_toBottomOf="@+id/loginImageViewLogo"
+        tools:layout_constraintTop_toBottomOf="@+id/confirmationSentContainer"
+        tools:visibility="visible">
+
+        <com.google.android.material.progressindicator.LinearProgressIndicator
+            android:id="@+id/progressBar"
+            style="@style/Widget.Simprints.LinearProgressIndicator.White.Large"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:layout_gravity="center"
+            tools:progress="43" />
+
+        <TextView
+            android:id="@+id/credentialSaveProgressText"
+            style="@style/Text.Headline5.White"
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:gravity="center"
+            tools:text="Adding document to the record" />
+
+    </LinearLayout>
+
 </androidx.constraintlayout.widget.ConstraintLayout>
diff --git a/feature/select-subject/src/test/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModelTest.kt b/feature/select-subject/src/test/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModelTest.kt
index 9105eb51ff..d18a4d25cf 100644
--- a/feature/select-subject/src/test/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModelTest.kt
+++ b/feature/select-subject/src/test/java/com/simprints/feature/selectsubject/screen/SelectSubjectViewModelTest.kt
@@ -1,17 +1,27 @@
 package com.simprints.feature.selectsubject.screen
 
 import androidx.arch.core.executor.testing.InstantTaskExecutorRule
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
 import com.jraska.livedata.test
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.core.tools.time.Timestamp
+import com.simprints.feature.externalcredential.screens.search.model.ScannedCredential
+import com.simprints.feature.externalcredential.usecase.AddExternalCredentialToSubjectUseCase
+import com.simprints.feature.selectsubject.SelectSubjectParams
+import com.simprints.feature.selectsubject.model.SelectSubjectState
 import com.simprints.infra.authstore.AuthStore
+import com.simprints.infra.config.store.models.Project
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.tokenization.TokenizationProcessor
+import com.simprints.infra.config.sync.ConfigManager
+import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
+import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.events.session.SessionEventRepository
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
-import io.mockk.MockKAnnotations
-import io.mockk.coEvery
-import io.mockk.coVerify
-import io.mockk.every
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.test.runTest
@@ -21,10 +31,10 @@ import org.junit.Test
 
 internal class SelectSubjectViewModelTest {
     @get:Rule
-    val testCoroutineRule = TestCoroutineRule()
+    val rule = InstantTaskExecutorRule()
 
     @get:Rule
-    val rule = InstantTaskExecutorRule()
+    val testCoroutineRule = TestCoroutineRule()
 
     @MockK
     lateinit var timeHelper: TimeHelper
@@ -35,6 +45,21 @@ internal class SelectSubjectViewModelTest {
     @MockK
     lateinit var eventRepository: SessionEventRepository
 
+    @MockK
+    lateinit var configManager: ConfigManager
+
+    @MockK
+    lateinit var addExternalCredentialToSubjectUseCase: AddExternalCredentialToSubjectUseCase
+
+    @MockK
+    lateinit var enrolmentRecordRepository: EnrolmentRecordRepository
+
+    @MockK
+    lateinit var tokenizationProcessor: TokenizationProcessor
+
+    @MockK
+    lateinit var selectSubjectParams: SelectSubjectParams
+
     private lateinit var viewModel: SelectSubjectViewModel
 
     @Before
@@ -42,55 +67,222 @@ internal class SelectSubjectViewModelTest {
         MockKAnnotations.init(this, relaxed = true)
 
         every { timeHelper.now() } returns TIMESTAMP
+        every { selectSubjectParams.projectId } returns PROJECT_ID
+        every { selectSubjectParams.subjectId } returns SUBJECT_ID
 
         viewModel = SelectSubjectViewModel(
-            timeHelper,
-            authStore,
-            eventRepository,
-            CoroutineScope(testCoroutineRule.testCoroutineDispatcher),
+            params = selectSubjectParams,
+            timeHelper = timeHelper,
+            authStore = authStore,
+            eventRepository = eventRepository,
+            configManager = configManager,
+            addExternalCredentialToSubjectUseCase = addExternalCredentialToSubjectUseCase,
+            enrolmentRecordRepository = enrolmentRecordRepository,
+            tokenizationProcessor = tokenizationProcessor,
+            sessionCoroutineScope = CoroutineScope(testCoroutineRule.testCoroutineDispatcher),
         )
     }
 
+    private fun createViewModel() = SelectSubjectViewModel(
+        params = selectSubjectParams,
+        timeHelper = timeHelper,
+        authStore = authStore,
+        eventRepository = eventRepository,
+        configManager = configManager,
+        addExternalCredentialToSubjectUseCase = addExternalCredentialToSubjectUseCase,
+        enrolmentRecordRepository = enrolmentRecordRepository,
+        tokenizationProcessor = tokenizationProcessor,
+        sessionCoroutineScope = CoroutineScope(testCoroutineRule.testCoroutineDispatcher),
+    )
+
     @Test
     fun `saves selection if signed in`() = runTest {
-        every { authStore.isProjectIdSignedIn(any()) } returns true
+        every { selectSubjectParams.scannedCredential } returns null
+        coEvery { authStore.isProjectIdSignedIn(PROJECT_ID) } returns true
+        val viewModel = createViewModel()
+
+        coVerify { eventRepository.addOrUpdateEvent(any()) }
+        val result = viewModel.finish
+            .test()
+            .value()
+            .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential).isNull()
+    }
+
+    @Test
+    fun `does not save selection if not signed in`() = runTest {
+        coEvery { authStore.isProjectIdSignedIn(PROJECT_ID) } returns false
+
+        val viewModel = createViewModel()
 
-        viewModel.saveGuidSelection(PROJECT_ID, SUBJECT_ID)
+        coVerify(exactly = 0) { eventRepository.addOrUpdateEvent(any()) }
         val result = viewModel.finish
             .test()
             .value()
             .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isFalse()
+        assertThat(result?.savedCredential).isNull()
+    }
+
+    @Test
+    fun `correctly handles exception with saving`() = runTest {
+        every { selectSubjectParams.scannedCredential } returns null
+        coEvery { authStore.isProjectIdSignedIn(PROJECT_ID) } returns true
+        coEvery { eventRepository.addOrUpdateEvent(any()) } throws RuntimeException("RuntimeException")
+
+        val viewModel = createViewModel()
 
-        assertThat(result).isTrue()
         coVerify { eventRepository.addOrUpdateEvent(any()) }
+        val result = viewModel.finish
+            .test()
+            .value()
+            .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isFalse()
+        assertThat(result?.savedCredential).isNull()
     }
 
     @Test
-    fun `does not save selection if not signed in`() = runTest {
-        every { authStore.isProjectIdSignedIn(any()) } returns false
+    fun `displays credential dialog when credential is scanned and not already linked`() = runTest {
+        val scannedCredential = mockk<ScannedCredential>(relaxed = true)
+        val displayedCredential = mockk<TokenizableString.Raw>(relaxed = true)
+        setupCredentialState(scannedCredential, displayedCredential, repositoryResponse = emptyList())
+
+        val viewModel = createViewModel()
+
+        val state = viewModel.stateLiveData.test().value()
+        assertThat(state).isInstanceOf(SelectSubjectState.CredentialDialogDisplayed::class.java)
+        val dialogState = state as SelectSubjectState.CredentialDialogDisplayed
+        assertThat(dialogState.scannedCredential).isEqualTo(scannedCredential)
+        assertThat(dialogState.displayedCredential).isEqualTo(displayedCredential)
+    }
+
+    @Test
+    fun `does not display credential dialog when credential is already linked`() = runTest {
+        val tokenizedValue = "tokenizedValue".asTokenizableEncrypted()
+        val type = ExternalCredentialType.NHISCard
+        val scannedCredential = mockk<ScannedCredential> {
+            every { credentialScanId } returns "credentialId"
+            every { credential } returns tokenizedValue
+            every { credentialType } returns type
+        }
+        val displayedCredential = mockk<TokenizableString.Raw>(relaxed = true)
+        val repositoryResponse = listOf<Subject>(mockk())
+        setupCredentialState(scannedCredential, displayedCredential, repositoryResponse = repositoryResponse)
+
+        val viewModel = createViewModel()
 
-        viewModel.saveGuidSelection(PROJECT_ID, SUBJECT_ID)
         val result = viewModel.finish
             .test()
             .value()
             .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential?.value).isEqualTo(tokenizedValue)
+        assertThat(result?.savedCredential?.type).isEqualTo(type)
+    }
 
-        assertThat(result).isFalse()
-        coVerify(exactly = 0) { eventRepository.addOrUpdateEvent(any()) }
+    @Test
+    fun `finishes without credential when no credential is scanned`() = runTest {
+        coEvery { authStore.isProjectIdSignedIn(PROJECT_ID) } returns true
+        every { selectSubjectParams.scannedCredential } returns null
+
+        val viewModel = createViewModel()
+
+        val result = viewModel.finish
+            .test()
+            .value()
+            .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential).isNull()
+    }
+
+    private fun setupCredentialState(
+        scannedCredential: ScannedCredential,
+        displayedCredential: TokenizableString.Raw,
+        repositoryResponse: List<Subject>,
+    ) {
+        val project = mockk<Project>(relaxed = true)
+
+        every { selectSubjectParams.scannedCredential } returns scannedCredential
+        coEvery { authStore.isProjectIdSignedIn(PROJECT_ID) } returns true
+        coEvery { authStore.signedInProjectId } returns PROJECT_ID
+        coEvery { configManager.getProject(PROJECT_ID) } returns project
+        every { project.id } returns PROJECT_ID
+        coEvery { enrolmentRecordRepository.load(any()) } returns repositoryResponse
+        coEvery {
+            tokenizationProcessor.decrypt(
+                encrypted = any(),
+                tokenKeyType = TokenKeyType.ExternalCredential,
+                project = project,
+            )
+        } returns displayedCredential
     }
 
     @Test
-    fun `correctly handles exception with saving`() = runTest {
-        every { authStore.isProjectIdSignedIn(any()) } returns true
-        coEvery { eventRepository.addOrUpdateEvent(any()) } throws Exception()
+    fun `saveCredential successfully saves credential`() = runTest {
+        val tokenizedValue = "tokenizedValue".asTokenizableEncrypted()
+        val type = ExternalCredentialType.NHISCard
+        val scannedCredential = mockk<ScannedCredential> {
+            every { credentialScanId } returns "credentialId"
+            every { credential } returns tokenizedValue
+            every { credentialType } returns type
+        }
+        coEvery {
+            addExternalCredentialToSubjectUseCase(
+                scannedCredential,
+                subjectId = SUBJECT_ID,
+                projectId = PROJECT_ID,
+            )
+        } returns Unit
+
+        viewModel.saveCredential(scannedCredential)
+
+        val state = viewModel.stateLiveData.test().value()
+        assertThat(state).isEqualTo(SelectSubjectState.SavingExternalCredential)
+
+        val result = viewModel.finish
+            .test()
+            .value()
+            .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential?.value).isEqualTo(tokenizedValue)
+        assertThat(result?.savedCredential?.type).isEqualTo(type)
+    }
+
+    @Test
+    fun `saveCredential handles exception when saving fails`() = runTest {
+        val scannedCredential = mockk<ScannedCredential>(relaxed = true)
+        coEvery {
+            addExternalCredentialToSubjectUseCase(
+                scannedCredential,
+                subjectId = SUBJECT_ID,
+                projectId = PROJECT_ID,
+            )
+        } throws RuntimeException("RuntimeException")
+
+        viewModel.saveCredential(scannedCredential)
+
+        val state = viewModel.stateLiveData.test().value()
+        assertThat(state).isEqualTo(SelectSubjectState.SavingExternalCredential)
 
-        viewModel.saveGuidSelection(PROJECT_ID, SUBJECT_ID)
         val result = viewModel.finish
             .test()
             .value()
             .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential).isNull()
+    }
+
+    @Test
+    fun `finishWithoutSavingCredential finishes with no credential`() = runTest {
+        viewModel.finishWithoutSavingCredential()
 
-        assertThat(result).isFalse()
+        val result = viewModel.finish
+            .test()
+            .value()
+            .getContentIfNotHandled()
+        assertThat(result?.isSubjectIdSaved).isTrue()
+        assertThat(result?.savedCredential).isNull()
     }
 
     companion object {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 40cbdc68b3..31b1ba886b 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -36,6 +36,8 @@ gsm_plugin_version = "4.4.3"
 play_publisher_version = "3.12.1"
 play_barcode_version = "18.3.1"
 
+ml_entity_extraction_version = "16.0.1"
+
 firebase_auth_version = "24.0.1"
 firebase_storage_version = "22.0.0"
 firebase_crashlytics_version = "20.0.1"
@@ -145,6 +147,9 @@ playServices-integrity = { module = "com.google.android.play:integrity", version
 playServices-barcode = { module = "com.google.android.gms:play-services-mlkit-barcode-scanning", version.ref = "play_barcode_version" }
 desugar_jdk_libs = { module = "com.android.tools:desugar_jdk_libs", version.ref = "desugar_jdk_libsVersion" }
 
+#OCR
+mlkit-text-recognition = { module = "com.google.mlkit:text-recognition", version.ref = "ml_entity_extraction_version" }
+
 #Firebase
 firebase-auth = { module = "com.google.firebase:firebase-auth", version.ref = "firebase_auth_version" }
 firebase-storage = { module = "com.google.firebase:firebase-storage", version.ref = "firebase_storage_version" }
diff --git a/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/ProjectAuthenticatorTest.kt b/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/ProjectAuthenticatorTest.kt
index 968f04c4dc..e38b099a26 100644
--- a/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/ProjectAuthenticatorTest.kt
+++ b/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/ProjectAuthenticatorTest.kt
@@ -164,9 +164,9 @@ class ProjectAuthenticatorTest {
         } returns Token("", "", "", "")
 
         coEvery { configManager.getProjectConfiguration() } returns ProjectConfiguration(
-            "id",
-            PROJECT_ID,
-            "",
+            id = "id",
+            projectId = PROJECT_ID,
+            updatedAt = "",
             general = GeneralConfiguration(
                 modalities = mockk(),
                 matchingModalities = mockk(),
@@ -176,12 +176,13 @@ class ProjectAuthenticatorTest {
                 duplicateBiometricEnrolmentCheck = false,
                 settingsPassword = mockk(),
             ),
-            mockk(),
-            mockk(),
-            mockk(),
-            mockk(),
-            mockk(),
-            mockk(),
+            face = mockk(),
+            fingerprint = mockk(),
+            consent = mockk(),
+            identification = mockk(),
+            synchronization = mockk(),
+            multifactorId = mockk(),
+            custom = mockk(),
         )
         coEvery { configManager.getPrivacyNotice(any(), any()) } returns emptyFlow()
 
diff --git a/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/SignerManagerTest.kt b/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/SignerManagerTest.kt
index 5ba9343990..af8a2c6dc8 100644
--- a/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/SignerManagerTest.kt
+++ b/infra/auth-logic/src/test/java/com/simprints/infra/authlogic/authenticator/SignerManagerTest.kt
@@ -227,16 +227,17 @@ internal class SignerManagerTest {
                         tokenizationKeys = emptyMap(),
                     ),
                     ProjectConfiguration(
-                        "id",
-                        DEFAULT_PROJECT_ID,
-                        "",
-                        mockk(),
-                        mockk(),
-                        mockk(),
-                        mockk(),
-                        mockk(),
-                        mockk(),
-                        null,
+                        id = "id",
+                        projectId = DEFAULT_PROJECT_ID,
+                        updatedAt = "",
+                        general = mockk(),
+                        face = mockk(),
+                        fingerprint = mockk(),
+                        consent = mockk(),
+                        identification = mockk(),
+                        synchronization = mockk(),
+                        multifactorId = mockk(),
+                        custom = mockk(),
                     ),
                 ),
             )
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImpl.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImpl.kt
index 7addea8850..c8ebca0873 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImpl.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImpl.kt
@@ -248,6 +248,7 @@ internal class ConfigLocalDataSourceImpl @Inject constructor(
                     ),
                 ),
                 custom = null,
+                multifactorId = null
             ).toProto()
         val defaultDeviceConfiguration: ProtoDeviceConfiguration = DeviceConfiguration(
             language = "",
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/migrations/models/OldProjectConfig.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/migrations/models/OldProjectConfig.kt
index 47497bc8ac..f167ff0c7e 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/migrations/models/OldProjectConfig.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/migrations/models/OldProjectConfig.kt
@@ -75,6 +75,7 @@ internal data class OldProjectConfig(
         consent = consentConfiguration(),
         identification = identificationConfiguration(),
         synchronization = synchronizationConfiguration(),
+        multifactorId = null,
         custom = null,
     )
 
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ExternalCredentialType.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ExternalCredentialType.kt
new file mode 100644
index 0000000000..c2f20a6014
--- /dev/null
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ExternalCredentialType.kt
@@ -0,0 +1,18 @@
+package com.simprints.infra.config.store.local.models
+
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.infra.config.store.exceptions.InvalidProtobufEnumException
+
+internal fun ExternalCredentialType.toProto(): ProtoExternalCredentialType = when(this){
+    ExternalCredentialType.NHISCard -> ProtoExternalCredentialType.NHIS_CARD
+    ExternalCredentialType.GhanaIdCard -> ProtoExternalCredentialType.GHANA_ID_CARD
+    ExternalCredentialType.QRCode -> ProtoExternalCredentialType.QR_CODE
+}
+
+internal fun ProtoExternalCredentialType.toDomain(): ExternalCredentialType = when(this){
+    ProtoExternalCredentialType.UNRECOGNIZED,
+    ProtoExternalCredentialType.EXTERNAL_CREDENTIAL_TYPE_UNSPECIFIED -> throw InvalidProtobufEnumException("invalid External credential $name")
+    ProtoExternalCredentialType.NHIS_CARD -> ExternalCredentialType.NHISCard
+    ProtoExternalCredentialType.GHANA_ID_CARD -> ExternalCredentialType.GhanaIdCard
+    ProtoExternalCredentialType.QR_CODE -> ExternalCredentialType.QRCode
+}
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/MutliFactorIdConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/MutliFactorIdConfiguration.kt
new file mode 100644
index 0000000000..100fa4afe0
--- /dev/null
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/MutliFactorIdConfiguration.kt
@@ -0,0 +1,12 @@
+package com.simprints.infra.config.store.local.models
+
+import com.simprints.infra.config.store.models.MultiFactorIdConfiguration
+
+internal fun MultiFactorIdConfiguration.toProto(): ProtoMultiFactorIdConfiguration = ProtoMultiFactorIdConfiguration
+    .newBuilder()
+    .addAllAllowedExternalCredentials(allowedExternalCredentials.map { it.toProto() })
+    .build()
+
+internal fun ProtoMultiFactorIdConfiguration.toDomain(): MultiFactorIdConfiguration = MultiFactorIdConfiguration(
+    allowedExternalCredentials = allowedExternalCredentialsList.map { it.toDomain() }
+)
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ProjectConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ProjectConfiguration.kt
index 9579957ae7..93acadfa1a 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ProjectConfiguration.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/local/models/ProjectConfiguration.kt
@@ -15,6 +15,7 @@ internal fun ProjectConfiguration.toProto(): ProtoProjectConfiguration = ProtoPr
     .also {
         if (face != null) it.face = face.toProto()
         if (fingerprint != null) it.fingerprint = fingerprint.toProto()
+        if (multifactorId != null) it.multiFactorId = multifactorId.toProto()
     }.also {
         if (custom != null) {
             try {
@@ -28,16 +29,17 @@ internal fun ProjectConfiguration.toProto(): ProtoProjectConfiguration = ProtoPr
     }.build()
 
 internal fun ProtoProjectConfiguration.toDomain(): ProjectConfiguration = ProjectConfiguration(
-    id,
-    projectId,
-    updatedAt,
-    general.toDomain(),
-    hasFace().let { if (it) face.toDomain() else null },
-    hasFingerprint().let { if (it) fingerprint.toDomain() else null },
-    consent.toDomain(),
-    identification.toDomain(),
-    synchronization.toDomain(),
-    customJson?.takeIf { it.isNotBlank() }?.let {
+    id = id,
+    projectId = projectId,
+    updatedAt = updatedAt,
+    general = general.toDomain(),
+    face = hasFace().let { if (it) face.toDomain() else null },
+    fingerprint = hasFingerprint().let { if (it) fingerprint.toDomain() else null },
+    consent = consent.toDomain(),
+    identification = identification.toDomain(),
+    synchronization = synchronization.toDomain(),
+    multifactorId = multiFactorId?.toDomain(),
+    custom = customJson?.takeIf { it.isNotBlank() }?.let {
         try {
             JsonHelper.fromJson(it)
         } catch (_: Exception) {
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/models/MultiFactorIdConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/MultiFactorIdConfiguration.kt
new file mode 100644
index 0000000000..f315afa5f9
--- /dev/null
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/MultiFactorIdConfiguration.kt
@@ -0,0 +1,7 @@
+package com.simprints.infra.config.store.models
+
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+
+data class MultiFactorIdConfiguration(
+    val allowedExternalCredentials: List<ExternalCredentialType>
+)
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/models/Project.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/Project.kt
index f9a97c7a52..acb5c4c235 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/models/Project.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/Project.kt
@@ -14,5 +14,6 @@ data class Project(
 enum class TokenKeyType {
     AttendantId,
     ModuleId,
+    ExternalCredential,
     Unknown,
 }
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/models/ProjectConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/ProjectConfiguration.kt
index 7f5517e404..2a76ab1e7e 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/models/ProjectConfiguration.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/models/ProjectConfiguration.kt
@@ -10,6 +10,7 @@ data class ProjectConfiguration(
     val consent: ConsentConfiguration,
     val identification: IdentificationConfiguration,
     val synchronization: SynchronizationConfiguration,
+    val multifactorId: MultiFactorIdConfiguration?,
     val custom: Map<String, Any>?,
 )
 
@@ -104,3 +105,37 @@ fun ProjectConfiguration.isProjectWithPeriodicallyUpSync(): Boolean =
     synchronization.up.simprints.frequency == Frequency.ONLY_PERIODICALLY_UP_SYNC
 
 fun ProjectConfiguration.isModuleSelectionAvailable(): Boolean = isProjectWithModuleSync() && !isProjectWithPeriodicallyUpSync()
+
+fun ProjectConfiguration.determineFaceSDKs(ageGroup: AgeGroup?): List<FaceConfiguration.BioSdk> {
+    if (!isAgeRestricted()) {
+        return face?.allowedSDKs.orEmpty()
+    }
+
+    return buildList {
+        ageGroup?.let { age ->
+            if (face?.rankOne?.allowedAgeRange?.contains(age) == true) {
+                add(FaceConfiguration.BioSdk.RANK_ONE)
+            }
+            if (face?.simFace?.allowedAgeRange?.contains(age) == true) {
+                add(FaceConfiguration.BioSdk.SIM_FACE)
+            }
+        }
+    }
+}
+
+fun ProjectConfiguration.determineFingerprintSDKs(ageGroup: AgeGroup?): List<FingerprintConfiguration.BioSdk> {
+    if (!isAgeRestricted()) {
+        return fingerprint?.allowedSDKs.orEmpty()
+    }
+
+    return buildList {
+        ageGroup?.let { age ->
+            if (fingerprint?.secugenSimMatcher?.allowedAgeRange?.contains(age) == true) {
+                add(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)
+            }
+            if (fingerprint?.nec?.allowedAgeRange?.contains(age) == true) {
+                add(FingerprintConfiguration.BioSdk.NEC)
+            }
+        }
+    }
+}
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiMultiFactorIdConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiMultiFactorIdConfiguration.kt
new file mode 100644
index 0000000000..89212b9d5e
--- /dev/null
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiMultiFactorIdConfiguration.kt
@@ -0,0 +1,37 @@
+package com.simprints.infra.config.store.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.infra.config.store.models.MultiFactorIdConfiguration
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType.GHANA_CARD
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType.NHIS_CARD
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType.QR_CODE
+
+@Keep
+internal data class ApiMultiFactorIdConfiguration(
+    val allowedExternalCredentials: List<ApiExternalCredentialType>,
+) {
+    fun toDomain(): MultiFactorIdConfiguration = MultiFactorIdConfiguration(
+        allowedExternalCredentials = allowedExternalCredentials.map { it.toDomain() },
+    )
+}
+
+@Keep
+enum class ApiExternalCredentialType {
+    NHIS_CARD,
+    GHANA_CARD,
+    QR_CODE,
+    ;
+
+    fun toDomain(): ExternalCredentialType = when (this) {
+        NHIS_CARD -> ExternalCredentialType.NHISCard
+        GHANA_CARD -> ExternalCredentialType.GhanaIdCard
+        QR_CODE -> ExternalCredentialType.QRCode
+    }
+}
+
+fun ExternalCredentialType.fromDomainToApi(): ApiExternalCredentialType = when (this) {
+    ExternalCredentialType.NHISCard -> NHIS_CARD
+    ExternalCredentialType.GhanaIdCard -> GHANA_CARD
+    ExternalCredentialType.QRCode -> QR_CODE
+}
diff --git a/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiProjectConfiguration.kt b/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiProjectConfiguration.kt
index e4b589bcd7..696d4444fb 100644
--- a/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiProjectConfiguration.kt
+++ b/infra/config-store/src/main/java/com/simprints/infra/config/store/remote/models/ApiProjectConfiguration.kt
@@ -14,18 +14,20 @@ internal data class ApiProjectConfiguration(
     val consent: ApiConsentConfiguration,
     val identification: ApiIdentificationConfiguration,
     val synchronization: ApiSynchronizationConfiguration,
+    val multiFactorId: ApiMultiFactorIdConfiguration?,
     val custom: Map<String, Any>?,
 ) {
     fun toDomain(): ProjectConfiguration = ProjectConfiguration(
-        id,
-        projectId,
-        updatedAt,
-        general.toDomain(),
-        face?.toDomain(),
-        fingerprint?.toDomain(),
-        consent.toDomain(),
-        identification.toDomain(),
-        synchronization.toDomain(),
-        custom,
+        id = id,
+        projectId = projectId,
+        updatedAt = updatedAt,
+        general = general.toDomain(),
+        face = face?.toDomain(),
+        fingerprint = fingerprint?.toDomain(),
+        consent = consent.toDomain(),
+        identification = identification.toDomain(),
+        synchronization = synchronization.toDomain(),
+        multifactorId = multiFactorId?.toDomain(),
+        custom = custom,
     )
 }
diff --git a/infra/config-store/src/main/proto/project_config.proto b/infra/config-store/src/main/proto/project_config.proto
index 2d532603a0..9020b487e2 100644
--- a/infra/config-store/src/main/proto/project_config.proto
+++ b/infra/config-store/src/main/proto/project_config.proto
@@ -14,6 +14,18 @@ message ProtoProjectConfiguration {
     string updated_at = 8;
     optional string customJson = 9;
     string id = 10;
+    optional ProtoMultiFactorIdConfiguration multiFactorId = 11;
+}
+
+enum ProtoExternalCredentialType {
+    EXTERNAL_CREDENTIAL_TYPE_UNSPECIFIED = 0;
+    NHIS_CARD = 1;
+    GHANA_ID_CARD = 2;
+    QR_CODE = 3;
+}
+
+message ProtoMultiFactorIdConfiguration {
+    repeated ProtoExternalCredentialType allowed_external_credentials = 1;
 }
 
 message ProtoGeneralConfiguration {
diff --git a/infra/config-store/src/test/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImplTest.kt b/infra/config-store/src/test/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImplTest.kt
index 401a06587e..d833c83d35 100644
--- a/infra/config-store/src/test/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImplTest.kt
+++ b/infra/config-store/src/test/java/com/simprints/infra/config/store/local/ConfigLocalDataSourceImplTest.kt
@@ -18,6 +18,7 @@ import com.simprints.infra.config.store.testtools.consentConfiguration
 import com.simprints.infra.config.store.testtools.faceConfiguration
 import com.simprints.infra.config.store.testtools.generalConfiguration
 import com.simprints.infra.config.store.testtools.identificationConfiguration
+import com.simprints.infra.config.store.testtools.multiFactorIdConfiguration
 import com.simprints.infra.config.store.testtools.project
 import com.simprints.infra.config.store.testtools.projectConfiguration
 import com.simprints.infra.config.store.testtools.synchronizationConfiguration
@@ -179,16 +180,17 @@ class ConfigLocalDataSourceImplTest {
     fun `should save the project configuration and update the device configuration correctly with an empty list of fingersToCollect if fingerprint config is missing`() =
         runTest {
             val projectConfigurationToSave = ProjectConfiguration(
-                "id",
-                "projectId",
-                "updatedAt",
-                generalConfiguration,
-                faceConfiguration,
-                null,
-                consentConfiguration,
-                identificationConfiguration,
-                synchronizationConfiguration,
-                null,
+                id = "id",
+                projectId = "projectId",
+                updatedAt = "updatedAt",
+                general = generalConfiguration,
+                face = faceConfiguration,
+                fingerprint = null,
+                consent = consentConfiguration,
+                identification = identificationConfiguration,
+                synchronization = synchronizationConfiguration,
+                multifactorId = multiFactorIdConfiguration,
+                custom = null,
             )
 
             configLocalDataSourceImpl.saveProjectConfiguration(projectConfigurationToSave)
diff --git a/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ExternalCredentialTypeTest.kt b/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ExternalCredentialTypeTest.kt
new file mode 100644
index 0000000000..45d8d0e2d4
--- /dev/null
+++ b/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ExternalCredentialTypeTest.kt
@@ -0,0 +1,43 @@
+package com.simprints.infra.config.store.models
+
+import com.google.common.truth.Truth.assertThat
+import org.junit.Test
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.infra.config.store.exceptions.InvalidProtobufEnumException
+import com.simprints.infra.config.store.local.models.ProtoExternalCredentialType
+import com.simprints.infra.config.store.local.models.toDomain
+import com.simprints.infra.config.store.local.models.toProto
+import com.simprints.testtools.common.syntax.assertThrows
+
+class ExternalCredentialTypeMapperTest {
+
+    @Test
+    fun `should map correctly the model to proto`() {
+        val pairs = listOf(
+            ExternalCredentialType.NHISCard to ProtoExternalCredentialType.NHIS_CARD,
+            ExternalCredentialType.GhanaIdCard to ProtoExternalCredentialType.GHANA_ID_CARD,
+            ExternalCredentialType.QRCode to ProtoExternalCredentialType.QR_CODE
+        )
+
+        pairs.forEach { (domain, proto) ->
+            assertThat(proto).isEqualTo(domain.toProto())
+        }
+    }
+
+    @Test
+    fun `should map correctly the model from proto`() {
+        val pairs = listOf(
+            ProtoExternalCredentialType.NHIS_CARD to ExternalCredentialType.NHISCard,
+            ProtoExternalCredentialType.GHANA_ID_CARD to ExternalCredentialType.GhanaIdCard,
+            ProtoExternalCredentialType.QR_CODE to ExternalCredentialType.QRCode
+        )
+
+        pairs.forEach { (proto, domain) ->
+            assertThat(domain).isEqualTo(proto.toDomain())
+        }
+
+        assertThrows<InvalidProtobufEnumException> {
+            ProtoExternalCredentialType.UNRECOGNIZED.toDomain()
+        }
+    }
+}
diff --git a/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ProjectConfigurationTest.kt b/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ProjectConfigurationTest.kt
index da6576d886..2a3a26ca5c 100644
--- a/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ProjectConfigurationTest.kt
+++ b/infra/config-store/src/test/java/com/simprints/infra/config/store/models/ProjectConfigurationTest.kt
@@ -687,4 +687,110 @@ class ProjectConfigurationTest {
         )
         assertThat(config.isModuleSelectionAvailable()).isFalse()
     }
+
+    @Test
+    fun `determineFaceSDKs returns all allowed SDKs when not age restricted`() {
+        val config = createAgeUnrestrictedFaceConfig()
+        val result = config.determineFaceSDKs(AgeGroup(25, 30))
+        assertThat(result).containsExactly(FaceConfiguration.BioSdk.RANK_ONE, FaceConfiguration.BioSdk.SIM_FACE)
+    }
+
+    @Test
+    fun `determineFaceSDKs returns empty list when age group is null and age restricted`() {
+        val config = createAgeRestrictedFaceConfig(rankOneRange = AgeGroup(10, 20), simFaceRange = AgeGroup(20, 30))
+        val result = config.determineFaceSDKs(null)
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `determineFaceSDKs returns only RankOne when age group matches RankOne range`() {
+        val config = createAgeRestrictedFaceConfig(rankOneRange = AgeGroup(10, 20), simFaceRange = AgeGroup(20, 30))
+        val result = config.determineFaceSDKs(AgeGroup(10, 20))
+        assertThat(result).containsExactly(FaceConfiguration.BioSdk.RANK_ONE)
+    }
+
+    @Test
+    fun `determineFaceSDKs returns only SimFace when age group matches SimFace range`() {
+        val config = createAgeRestrictedFaceConfig(rankOneRange = AgeGroup(10, 20), simFaceRange = AgeGroup(20, 30))
+        val result = config.determineFaceSDKs(AgeGroup(20, 30))
+        assertThat(result).containsExactly(FaceConfiguration.BioSdk.SIM_FACE)
+    }
+
+    @Test
+    fun `determineFaceSDKs returns both SDKs when age group matches both ranges`() {
+        val config = createAgeRestrictedFaceConfig(rankOneRange = AgeGroup(10, 30), simFaceRange = AgeGroup(15, 25))
+        val result = config.determineFaceSDKs(AgeGroup(15, 25))
+        assertThat(result).containsExactly(FaceConfiguration.BioSdk.RANK_ONE, FaceConfiguration.BioSdk.SIM_FACE)
+    }
+
+    @Test
+    fun `determineFaceSDKs returns empty list when age group matches no ranges`() {
+        val config = createAgeRestrictedFaceConfig(rankOneRange = AgeGroup(10, 20), simFaceRange = AgeGroup(20, 30))
+        val result = config.determineFaceSDKs(AgeGroup(30, 40))
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `determineFingerprintSDKs returns all allowed SDKs when not age restricted`() {
+        val config = createAgeUnrestrictedFingerprintConfig()
+        val result = config.determineFingerprintSDKs(AgeGroup(25, 30))
+        assertThat(result).containsExactly(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER, FingerprintConfiguration.BioSdk.NEC)
+    }
+
+    @Test
+    fun `determineFingerprintSDKs returns empty list when age group is null and age restricted`() {
+        val config = createAgeRestrictedFingerprintConfig(secugenRange = AgeGroup(10, 20), necRange = AgeGroup(20, 30))
+        val result = config.determineFingerprintSDKs(null)
+        assertThat(result).isEmpty()
+    }
+
+    @Test
+    fun `determineFingerprintSDKs returns only SecugenSimMatcher when age group matches SecugenSimMatcher range`() {
+        val config = createAgeRestrictedFingerprintConfig(secugenRange = AgeGroup(10, 20), necRange = AgeGroup(20, 30))
+        val result = config.determineFingerprintSDKs(AgeGroup(10, 20))
+        assertThat(result).containsExactly(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER)
+    }
+
+    @Test
+    fun `determineFingerprintSDKs returns empty list when age group matches no ranges`() {
+        val config = createAgeRestrictedFingerprintConfig(secugenRange = AgeGroup(10, 20), necRange = AgeGroup(20, 30))
+        val result = config.determineFingerprintSDKs(AgeGroup(30, 40))
+        assertThat(result).isEmpty()
+    }
+
+    private fun createAgeUnrestrictedFaceConfig() = projectConfiguration.copy(
+        face = faceConfiguration.copy(
+            allowedSDKs = listOf(FaceConfiguration.BioSdk.RANK_ONE, FaceConfiguration.BioSdk.SIM_FACE),
+            rankOne = faceSdkConfiguration.copy(allowedAgeRange = AgeGroup(0, null)),
+            simFace = faceSdkConfiguration.copy(allowedAgeRange = AgeGroup(0, null)),
+        ),
+    )
+
+    private fun createAgeRestrictedFaceConfig(
+        rankOneRange: AgeGroup,
+        simFaceRange: AgeGroup,
+    ) = projectConfiguration.copy(
+        face = faceConfiguration.copy(
+            rankOne = faceSdkConfiguration.copy(allowedAgeRange = rankOneRange),
+            simFace = faceSdkConfiguration.copy(allowedAgeRange = simFaceRange),
+        ),
+    )
+
+    private fun createAgeUnrestrictedFingerprintConfig() = projectConfiguration.copy(
+        fingerprint = fingerprintConfiguration.copy(
+            allowedSDKs = listOf(FingerprintConfiguration.BioSdk.SECUGEN_SIM_MATCHER, FingerprintConfiguration.BioSdk.NEC),
+            secugenSimMatcher = fingerprintConfiguration.secugenSimMatcher?.copy(allowedAgeRange = AgeGroup(0, null)),
+            nec = fingerprintConfiguration.nec?.copy(allowedAgeRange = AgeGroup(0, null)),
+        ),
+    )
+
+    private fun createAgeRestrictedFingerprintConfig(
+        secugenRange: AgeGroup,
+        necRange: AgeGroup,
+    ) = projectConfiguration.copy(
+        fingerprint = fingerprintConfiguration.copy(
+            secugenSimMatcher = fingerprintConfiguration.secugenSimMatcher?.copy(allowedAgeRange = secugenRange),
+            nec = fingerprintConfiguration.nec?.copy(allowedAgeRange = necRange),
+        ),
+    )
 }
diff --git a/infra/config-store/src/test/java/com/simprints/infra/config/store/remote/models/ApiProjectConfigurationTest.kt b/infra/config-store/src/test/java/com/simprints/infra/config/store/remote/models/ApiProjectConfigurationTest.kt
index f5b2a3e4e2..1e48265958 100644
--- a/infra/config-store/src/test/java/com/simprints/infra/config/store/remote/models/ApiProjectConfigurationTest.kt
+++ b/infra/config-store/src/test/java/com/simprints/infra/config/store/remote/models/ApiProjectConfigurationTest.kt
@@ -5,12 +5,14 @@ import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.config.store.testtools.apiConsentConfiguration
 import com.simprints.infra.config.store.testtools.apiGeneralConfiguration
 import com.simprints.infra.config.store.testtools.apiIdentificationConfiguration
+import com.simprints.infra.config.store.testtools.apiMultiFactorIdConfiguration
 import com.simprints.infra.config.store.testtools.apiProjectConfiguration
 import com.simprints.infra.config.store.testtools.apiSynchronizationConfiguration
 import com.simprints.infra.config.store.testtools.consentConfiguration
 import com.simprints.infra.config.store.testtools.customKeyMap
 import com.simprints.infra.config.store.testtools.generalConfiguration
 import com.simprints.infra.config.store.testtools.identificationConfiguration
+import com.simprints.infra.config.store.testtools.multiFactorIdConfiguration
 import com.simprints.infra.config.store.testtools.projectConfiguration
 import com.simprints.infra.config.store.testtools.synchronizationConfiguration
 import org.junit.Test
@@ -24,28 +26,30 @@ class ApiProjectConfigurationTest {
     @Test
     fun `should map correctly the model when both fingerprint and face are missing`() {
         val apiProjectConfiguration = ApiProjectConfiguration(
-            "id",
-            "projectId",
-            "updatedAt",
-            apiGeneralConfiguration,
-            null,
-            null,
-            apiConsentConfiguration,
-            apiIdentificationConfiguration,
-            apiSynchronizationConfiguration,
-            customKeyMap,
+            id = "id",
+            projectId = "projectId",
+            updatedAt = "updatedAt",
+            general = apiGeneralConfiguration,
+            face = null,
+            fingerprint = null,
+            consent = apiConsentConfiguration,
+            identification = apiIdentificationConfiguration,
+            synchronization = apiSynchronizationConfiguration,
+            multiFactorId = apiMultiFactorIdConfiguration,
+            custom = customKeyMap,
         )
         val projectConfiguration = ProjectConfiguration(
-            "id",
-            "projectId",
-            "updatedAt",
-            generalConfiguration,
-            null,
-            null,
-            consentConfiguration,
-            identificationConfiguration,
-            synchronizationConfiguration,
-            customKeyMap,
+            id = "id",
+            projectId = "projectId",
+            updatedAt = "updatedAt",
+            general = generalConfiguration,
+            face = null,
+            fingerprint = null,
+            consent = consentConfiguration,
+            identification = identificationConfiguration,
+            synchronization = synchronizationConfiguration,
+            multifactorId = multiFactorIdConfiguration,
+            custom = customKeyMap,
         )
 
         assertThat(apiProjectConfiguration.toDomain()).isEqualTo(projectConfiguration)
diff --git a/infra/config-store/src/test/java/com/simprints/infra/config/store/testtools/Models.kt b/infra/config-store/src/test/java/com/simprints/infra/config/store/testtools/Models.kt
index 7817c2930f..5c9634289f 100644
--- a/infra/config-store/src/test/java/com/simprints/infra/config/store/testtools/Models.kt
+++ b/infra/config-store/src/test/java/com/simprints/infra/config/store/testtools/Models.kt
@@ -1,17 +1,20 @@
 package com.simprints.infra.config.store.testtools
 
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.infra.config.store.local.models.ProtoAllowedAgeRange
 import com.simprints.infra.config.store.local.models.ProtoConsentConfiguration
 import com.simprints.infra.config.store.local.models.ProtoDecisionPolicy
 import com.simprints.infra.config.store.local.models.ProtoDeviceConfiguration
 import com.simprints.infra.config.store.local.models.ProtoDownSynchronizationConfiguration
+import com.simprints.infra.config.store.local.models.ProtoExternalCredentialType
 import com.simprints.infra.config.store.local.models.ProtoFaceConfiguration
 import com.simprints.infra.config.store.local.models.ProtoFinger
 import com.simprints.infra.config.store.local.models.ProtoFingerprintConfiguration
 import com.simprints.infra.config.store.local.models.ProtoFingerprintConfiguration.ProtoMaxCaptureAttempts
 import com.simprints.infra.config.store.local.models.ProtoGeneralConfiguration
 import com.simprints.infra.config.store.local.models.ProtoIdentificationConfiguration
+import com.simprints.infra.config.store.local.models.ProtoMultiFactorIdConfiguration
 import com.simprints.infra.config.store.local.models.ProtoProject
 import com.simprints.infra.config.store.local.models.ProtoProjectConfiguration
 import com.simprints.infra.config.store.local.models.ProtoSampleSynchronizationConfiguration
@@ -35,6 +38,7 @@ import com.simprints.infra.config.store.models.Frequency
 import com.simprints.infra.config.store.models.GeneralConfiguration
 import com.simprints.infra.config.store.models.IdentificationConfiguration
 import com.simprints.infra.config.store.models.MaxCaptureAttempts
+import com.simprints.infra.config.store.models.MultiFactorIdConfiguration
 import com.simprints.infra.config.store.models.Project
 import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.config.store.models.ProjectState
@@ -49,12 +53,14 @@ import com.simprints.infra.config.store.remote.models.ApiAllowedAgeRange
 import com.simprints.infra.config.store.remote.models.ApiConsentConfiguration
 import com.simprints.infra.config.store.remote.models.ApiDecisionPolicy
 import com.simprints.infra.config.store.remote.models.ApiDeviceState
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
 import com.simprints.infra.config.store.remote.models.ApiFaceConfiguration
 import com.simprints.infra.config.store.remote.models.ApiFaceConfiguration.ApiFaceSdkConfiguration
 import com.simprints.infra.config.store.remote.models.ApiFingerprintConfiguration
 import com.simprints.infra.config.store.remote.models.ApiGeneralConfiguration
 import com.simprints.infra.config.store.remote.models.ApiIdentificationConfiguration
 import com.simprints.infra.config.store.remote.models.ApiMaxCaptureAttempts
+import com.simprints.infra.config.store.remote.models.ApiMultiFactorIdConfiguration
 import com.simprints.infra.config.store.remote.models.ApiProject
 import com.simprints.infra.config.store.remote.models.ApiProjectConfiguration
 import com.simprints.infra.config.store.remote.models.ApiProjectState
@@ -409,6 +415,16 @@ internal val synchronizationConfiguration = SynchronizationConfiguration(
     ),
 )
 
+internal val allowedExternalCredential = ExternalCredentialType.NHISCard
+
+internal val multiFactorIdConfiguration = MultiFactorIdConfiguration(
+    allowedExternalCredentials = listOf(allowedExternalCredential)
+)
+
+internal val protoMultiFactorIdConfiguration = ProtoMultiFactorIdConfiguration
+    .newBuilder()
+    .addAllowedExternalCredentials(ProtoExternalCredentialType.NHIS_CARD)
+
 internal val protoSynchronizationConfiguration = ProtoSynchronizationConfiguration
     .newBuilder()
     .setUp(
@@ -455,6 +471,12 @@ internal val protoSynchronizationConfiguration = ProtoSynchronizationConfigurati
             .build(),
     ).build()
 
+internal val apiAllowedExternalCredential = ApiExternalCredentialType.NHIS_CARD
+
+internal val apiMultiFactorIdConfiguration = ApiMultiFactorIdConfiguration(
+    allowedExternalCredentials = listOf(apiAllowedExternalCredential)
+)
+
 internal val customKeyMap: Map<String, Any>? = mapOf(
     "key1" to 7,
     "key2" to 4.2,
@@ -464,29 +486,31 @@ internal val customKeyMap: Map<String, Any>? = mapOf(
 internal const val PROTO_CUSTOM_KEY_MAP_JSON = "{\"key1\":7,\"key2\":4.2,\"key3\":false,\"key4\":\"test\"}"
 
 internal val apiProjectConfiguration = ApiProjectConfiguration(
-    "id",
-    "projectId",
-    "updatedAt",
-    apiGeneralConfiguration,
-    apiFaceConfiguration,
-    apiFingerprintConfiguration,
-    apiConsentConfiguration,
-    apiIdentificationConfiguration,
-    apiSynchronizationConfiguration,
-    customKeyMap,
+    id = "id",
+    projectId = "projectId",
+    updatedAt = "updatedAt",
+    general = apiGeneralConfiguration,
+    face = apiFaceConfiguration,
+    fingerprint = apiFingerprintConfiguration,
+    consent = apiConsentConfiguration,
+    identification = apiIdentificationConfiguration,
+    synchronization = apiSynchronizationConfiguration,
+    multiFactorId = apiMultiFactorIdConfiguration,
+    custom = customKeyMap,
 )
 
 internal val projectConfiguration = ProjectConfiguration(
-    "id",
-    "projectId",
-    "updatedAt",
-    generalConfiguration,
-    faceConfiguration,
-    fingerprintConfiguration,
-    consentConfiguration,
-    identificationConfiguration,
-    synchronizationConfiguration,
-    customKeyMap,
+    id = "id",
+    projectId = "projectId",
+    updatedAt = "updatedAt",
+    general = generalConfiguration,
+    face = faceConfiguration,
+    fingerprint = fingerprintConfiguration,
+    consent = consentConfiguration,
+    identification = identificationConfiguration,
+    synchronization = synchronizationConfiguration,
+    multifactorId = multiFactorIdConfiguration,
+    custom = customKeyMap
 )
 
 internal val protoProjectConfiguration = ProtoProjectConfiguration
@@ -500,6 +524,7 @@ internal val protoProjectConfiguration = ProtoProjectConfiguration
     .setConsent(protoConsentConfiguration)
     .setIdentification(protoIdentificationConfiguration)
     .setSynchronization(protoSynchronizationConfiguration)
+    .setMultiFactorId(protoMultiFactorIdConfiguration)
     .setCustomJson(PROTO_CUSTOM_KEY_MAP_JSON)
     .build()
 
diff --git a/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredential.kt b/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredential.kt
new file mode 100644
index 0000000000..aceb534d21
--- /dev/null
+++ b/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredential.kt
@@ -0,0 +1,15 @@
+package com.simprints.core.domain.externalcredential
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import java.io.Serializable
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class with generated code")
+data class ExternalCredential(
+    val id: String,
+    val value: TokenizableString.Tokenized,
+    val subjectId: String,
+    val type: ExternalCredentialType,
+) : Serializable
diff --git a/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredentialType.kt b/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredentialType.kt
new file mode 100644
index 0000000000..1f6d4d5b6b
--- /dev/null
+++ b/infra/core/src/main/java/com/simprints/core/domain/externalcredential/ExternalCredentialType.kt
@@ -0,0 +1,10 @@
+package com.simprints.core.domain.externalcredential
+
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+
+@ExcludedFromGeneratedTestCoverageReports("enum")
+enum class ExternalCredentialType {
+    NHISCard,
+    GhanaIdCard,
+    QRCode,
+}
diff --git a/infra/core/src/main/java/com/simprints/core/tools/extentions/Activity.ext.kt b/infra/core/src/main/java/com/simprints/core/tools/extentions/Activity.ext.kt
index ee540d4c59..f0ec9eca95 100644
--- a/infra/core/src/main/java/com/simprints/core/tools/extentions/Activity.ext.kt
+++ b/infra/core/src/main/java/com/simprints/core/tools/extentions/Activity.ext.kt
@@ -39,3 +39,8 @@ fun Activity.permissionFromResult(
         }
     }
 }
+
+@ExcludedFromGeneratedTestCoverageReports("UI code")
+fun Activity.getCurrentPermissionStatus(
+    permission: String,
+): PermissionStatus = permissionFromResult(permission = permission, grantResult = hasPermission(permission))
diff --git a/infra/core/src/main/java/com/simprints/core/tools/time/Timestamp.kt b/infra/core/src/main/java/com/simprints/core/tools/time/Timestamp.kt
index 687a0bfe68..8b10b97f48 100644
--- a/infra/core/src/main/java/com/simprints/core/tools/time/Timestamp.kt
+++ b/infra/core/src/main/java/com/simprints/core/tools/time/Timestamp.kt
@@ -1,12 +1,14 @@
 package com.simprints.core.tools.time
 
 import androidx.annotation.Keep
+import java.io.Serializable
 
 @Keep
 data class Timestamp(
     val ms: Long,
     val isTrustworthy: Boolean = false,
     val msSinceBoot: Long? = null,
-) : Comparable<Timestamp> {
+) : Comparable<Timestamp>,
+    Serializable {
     override fun compareTo(other: Timestamp): Int = ms.compareTo(other.ms)
 }
diff --git a/infra/credential-store/README.md b/infra/credential-store/README.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/infra/credential-store/build.gradle.kts b/infra/credential-store/build.gradle.kts
new file mode 100644
index 0000000000..b359c382cb
--- /dev/null
+++ b/infra/credential-store/build.gradle.kts
@@ -0,0 +1,11 @@
+plugins {
+    id("simprints.feature")
+}
+
+android {
+    namespace = "com.simprints.infra.credential.store"
+}
+
+dependencies {
+    implementation(project(":infra:core"))
+}
diff --git a/infra/credential-store/src/main/AndroidManifest.xml b/infra/credential-store/src/main/AndroidManifest.xml
new file mode 100644
index 0000000000..e100076157
--- /dev/null
+++ b/infra/credential-store/src/main/AndroidManifest.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest>
+
+</manifest>
diff --git a/infra/credential-store/src/main/java/com/simprints/infra/credential/store/CredentialImageRepository.kt b/infra/credential-store/src/main/java/com/simprints/infra/credential/store/CredentialImageRepository.kt
new file mode 100644
index 0000000000..b0b0246bfe
--- /dev/null
+++ b/infra/credential-store/src/main/java/com/simprints/infra/credential/store/CredentialImageRepository.kt
@@ -0,0 +1,70 @@
+package com.simprints.infra.credential.store
+
+import android.content.Context
+import android.graphics.Bitmap
+import com.simprints.core.DispatcherIO
+import com.simprints.infra.credential.store.model.CredentialScanImageType
+import com.simprints.infra.logging.LoggingConstants.CrashReportTag.MULTI_FACTOR_ID
+import com.simprints.infra.logging.Simber
+import dagger.hilt.android.qualifiers.ApplicationContext
+import kotlinx.coroutines.CoroutineDispatcher
+import kotlinx.coroutines.withContext
+import java.io.File
+import javax.inject.Inject
+
+class CredentialImageRepository @Inject constructor(
+    @ApplicationContext private val context: Context,
+    @DispatcherIO private val ioDispatcher: CoroutineDispatcher,
+) {
+    /**
+     * Saves a bitmap to the application's cache directory as a JPEG file.
+     * @param bitmap the bitmap to save
+     * @param credential associated external credential data
+     * @param imageType type of an image: [CredentialScanImageType.FullDocument] if image contains entire document or
+     * [CredentialScanImageType.ZoomedInCredential] if image contains zoomed-in part of the external credential
+     *
+     * @return absolute path to the saved file
+     */
+    suspend fun saveCredentialScan(
+        bitmap: Bitmap,
+        imageType: CredentialScanImageType,
+    ): String = withContext(ioDispatcher) {
+        val file = imageType.toFile()
+        file.outputStream().use { outputStream ->
+            bitmap.compress(Bitmap.CompressFormat.JPEG, 100, outputStream)
+        }
+        return@withContext file.absolutePath
+    }
+
+    /**
+     * Deletes cached scan file
+     */
+    suspend fun deleteByPath(path: String) = with(ioDispatcher) {
+        try {
+            val file = File(path)
+            if (file.exists()) {
+                if (file.delete()) {
+                    Simber.d("Deleted credential scan: ${file.absolutePath}", tag = MULTI_FACTOR_ID)
+                } else {
+                    Simber.d("Failed to delete credential scan: ${file.absolutePath}", tag = MULTI_FACTOR_ID)
+                }
+            }
+        } catch (e: Exception) {
+            Simber.e("Unable to delete cached scan file [$path]", e, tag = MULTI_FACTOR_ID)
+            throw (e)
+        }
+    }
+
+    /**
+     * Deletes all cached scans associated with the give external credential
+     */
+    suspend fun deleteAllCredentialScans() = CredentialScanImageType.entries.forEach { imageType ->
+        deleteByPath(imageType.toFile().absolutePath)
+    }
+
+    private fun CredentialScanImageType.toFile(): File = File(context.cacheDir, toFileName())
+
+    private fun CredentialScanImageType.toFileName(): String = "credential_${this.toString().normalize()}_${System.currentTimeMillis()}.jpg"
+
+    private fun String.normalize() = trim().replace(" ", "")
+}
diff --git a/infra/credential-store/src/main/java/com/simprints/infra/credential/store/model/CredentialScanImageType.kt b/infra/credential-store/src/main/java/com/simprints/infra/credential/store/model/CredentialScanImageType.kt
new file mode 100644
index 0000000000..1a34be5c87
--- /dev/null
+++ b/infra/credential-store/src/main/java/com/simprints/infra/credential/store/model/CredentialScanImageType.kt
@@ -0,0 +1,6 @@
+package com.simprints.infra.credential.store.model
+
+enum class CredentialScanImageType {
+    FullDocument,
+    ZoomedInCredential,
+}
diff --git a/infra/credential-store/src/test/java/com/simprints/infra/credential/store/CredentialImageRepositoryTest.kt b/infra/credential-store/src/test/java/com/simprints/infra/credential/store/CredentialImageRepositoryTest.kt
new file mode 100644
index 0000000000..cdd228d04a
--- /dev/null
+++ b/infra/credential-store/src/test/java/com/simprints/infra/credential/store/CredentialImageRepositoryTest.kt
@@ -0,0 +1,88 @@
+package com.simprints.infra.credential.store
+
+import android.content.Context
+import android.graphics.Bitmap
+import com.google.common.truth.Truth.assertThat
+import com.simprints.infra.credential.store.model.CredentialScanImageType
+import io.mockk.MockKAnnotations
+import io.mockk.every
+import io.mockk.impl.annotations.MockK
+import io.mockk.verify
+import kotlinx.coroutines.test.StandardTestDispatcher
+import kotlinx.coroutines.test.runTest
+import org.junit.After
+import org.junit.Before
+import org.junit.Test
+import java.io.File
+import java.io.FileOutputStream
+
+internal class CredentialImageRepositoryTest {
+    @MockK
+    lateinit var context: Context
+
+    @MockK
+    lateinit var bitmap: Bitmap
+
+    private lateinit var cacheDir: File
+    private lateinit var repository: CredentialImageRepository
+    private val testDispatcher = StandardTestDispatcher()
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        cacheDir = File("cache")
+        every { context.cacheDir } returns cacheDir
+
+        repository = CredentialImageRepository(
+            context = context,
+            ioDispatcher = testDispatcher,
+        )
+    }
+
+    @After
+    fun tearDown() {
+        cacheDir.deleteRecursively()
+    }
+
+    @Test
+    fun `saveCredentialScan saves bitmap for all types`() = runTest(testDispatcher) {
+        CredentialScanImageType.entries.forEach { imageType ->
+            every { bitmap.compress(Bitmap.CompressFormat.JPEG, 100, any<FileOutputStream>()) } returns true
+            cacheDir.mkdirs()
+
+            val filePath = repository.saveCredentialScan(bitmap, imageType)
+
+            assertThat(filePath).startsWith(cacheDir.absolutePath)
+            assertThat(filePath).contains("credential_$imageType")
+            assertThat(filePath).endsWith(".jpg")
+            assertThat(File(filePath).exists()).isTrue()
+            verify { bitmap.compress(Bitmap.CompressFormat.JPEG, 100, any<FileOutputStream>()) }
+        }
+    }
+
+    @Test
+    fun `deleteByPath successfully deletes existing file`() = runTest {
+        cacheDir.mkdirs()
+        val testFile = File(cacheDir, "test_credential.jpg")
+        testFile.createNewFile()
+        assertThat(testFile.exists()).isTrue()
+        repository.deleteByPath(testFile.absolutePath)
+        assertThat(testFile.exists()).isFalse()
+    }
+
+    @Test
+    fun `deleteByPath handles non-existing file without exceptions`() = runTest {
+        val nonExistentPath = File(cacheDir, "non_existent.jpg").absolutePath
+        repository.deleteByPath(nonExistentPath)
+    }
+
+    @Test
+    fun `deleteAllCredentialScans deletes all credential scans`() = runTest {
+        cacheDir.mkdirs()
+        listOf("randomFile1", "randomFile2", "randomFile3").forEach { fileName ->
+            File(cacheDir, fileName).createNewFile()
+        }
+        repository.deleteAllCredentialScans()
+    }
+}
diff --git a/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/config/RealmConfig.kt b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/config/RealmConfig.kt
index 5a967181e1..ff6e0b7881 100644
--- a/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/config/RealmConfig.kt
+++ b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/config/RealmConfig.kt
@@ -4,6 +4,7 @@ import androidx.annotation.Keep
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.infra.enrolment.records.realm.store.BuildConfig
 import com.simprints.infra.enrolment.records.realm.store.migration.RealmMigrations
+import com.simprints.infra.enrolment.records.realm.store.models.DbExternalCredential
 import com.simprints.infra.enrolment.records.realm.store.models.DbFaceSample
 import com.simprints.infra.enrolment.records.realm.store.models.DbFingerprintSample
 import com.simprints.infra.enrolment.records.realm.store.models.DbProject
@@ -26,6 +27,7 @@ class RealmConfig @Inject constructor() {
                 DbFaceSample::class,
                 DbSubject::class,
                 DbProject::class,
+                DbExternalCredential::class,
             ),
         ).name("$databaseName.realm")
         .schemaVersion(REALM_SCHEMA_VERSION)
@@ -36,6 +38,6 @@ class RealmConfig @Inject constructor() {
         .build()
 
     companion object {
-        private const val REALM_SCHEMA_VERSION: Long = 17
+        private const val REALM_SCHEMA_VERSION: Long = 18
     }
 }
diff --git a/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbExternalCredential.kt b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbExternalCredential.kt
new file mode 100644
index 0000000000..8728e08141
--- /dev/null
+++ b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbExternalCredential.kt
@@ -0,0 +1,16 @@
+package com.simprints.infra.enrolment.records.realm.store.models
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import io.realm.kotlin.types.RealmObject
+import io.realm.kotlin.types.annotations.PrimaryKey
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data model definition for Realm table")
+class DbExternalCredential : RealmObject {
+    @PrimaryKey
+    var id: String = ""
+    var value: String = ""
+    var subjectId: String = ""
+    var type: String = ""
+}
diff --git a/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbSubject.kt b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbSubject.kt
index 612e8bb8a7..4824b59a16 100644
--- a/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbSubject.kt
+++ b/infra/enrolment-records/realm-store/src/main/java/com/simprints/infra/enrolment/records/realm/store/models/DbSubject.kt
@@ -22,6 +22,7 @@ class DbSubject : RealmObject {
 
     var fingerprintSamples: RealmList<DbFingerprintSample> = realmListOf()
     var faceSamples: RealmList<DbFaceSample> = realmListOf()
+    var externalCredentials: RealmList<DbExternalCredential> = realmListOf()
 
     var isAttendantIdTokenized: Boolean = false
     var isModuleIdTokenized: Boolean = false
diff --git a/infra/enrolment-records/repository/build.gradle.kts b/infra/enrolment-records/repository/build.gradle.kts
index fd6d45e7e6..7053d31a34 100644
--- a/infra/enrolment-records/repository/build.gradle.kts
+++ b/infra/enrolment-records/repository/build.gradle.kts
@@ -21,4 +21,5 @@ dependencies {
     implementation(libs.libsimprints)
     implementation(libs.retrofit.core)
     implementation(libs.jackson.core)
+    implementation(libs.testing.androidX.room)
 }
diff --git a/infra/enrolment-records/repository/src/androidTest/kotlin/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceIntegrationTest.kt b/infra/enrolment-records/repository/src/androidTest/kotlin/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceIntegrationTest.kt
index a25a98436b..00ac46d6ae 100644
--- a/infra/enrolment-records/repository/src/androidTest/kotlin/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceIntegrationTest.kt
+++ b/infra/enrolment-records/repository/src/androidTest/kotlin/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceIntegrationTest.kt
@@ -2,9 +2,12 @@ package com.simprints.infra.enrolment.records.repository.local
 
 import androidx.test.core.app.*
 import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.core.tools.time.Timestamp
@@ -260,6 +263,14 @@ class RealmEnrolmentRecordLocalDataSourceIntegrationTest {
                 ),
             ),
             referenceIdsToRemove = listOf("ref1"),
+            externalCredentialsToAdd = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard
+                )
+            )
         )
         val project = mockk<Project>()
         // When
@@ -278,6 +289,12 @@ class RealmEnrolmentRecordLocalDataSourceIntegrationTest {
         assertThat(savedSubject?.faceSamples?.first()?.referenceId).isEqualTo("ref2")
         assertThat(savedSubject?.fingerprintSamples).hasSize(1)
         assertThat(savedSubject?.fingerprintSamples?.first()?.referenceId).isEqualTo("ref3")
+        savedSubject?.externalCredentials?.first()?.let {
+            assertThat(it.id).isEqualTo("id")
+            assertThat(it.value).isEqualTo("value")
+            assertThat(it.subjectId).isEqualTo("subjectId")
+            assertThat(it.type).isEqualTo(ExternalCredentialType.NHISCard.toString())
+        }
     }
 
     @Test
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/Subject.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/Subject.kt
index 23d307709b..3cc6060579 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/Subject.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/Subject.kt
@@ -1,6 +1,7 @@
 package com.simprints.infra.enrolment.records.repository.domain.models
 
 import android.os.Parcelable
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.tokenization.TokenizableString
@@ -17,4 +18,5 @@ data class Subject(
     val updatedAt: Date? = null,
     var fingerprintSamples: List<FingerprintSample> = emptyList(),
     var faceSamples: List<FaceSample> = emptyList(),
+    var externalCredentials: List<ExternalCredential> = emptyList(),
 ) : Parcelable
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectAction.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectAction.kt
index 421a6f11c6..7953eac800 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectAction.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectAction.kt
@@ -1,6 +1,7 @@
 package com.simprints.infra.enrolment.records.repository.domain.models
 
 import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 
@@ -14,6 +15,7 @@ sealed class SubjectAction {
         val subjectId: String,
         val faceSamplesToAdd: List<FaceSample>,
         val fingerprintSamplesToAdd: List<FingerprintSample>,
+        val externalCredentialsToAdd: List<ExternalCredential>,
         val referenceIdsToRemove: List<String>,
     ) : SubjectAction()
 
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectQuery.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectQuery.kt
index 73f3af0d43..3d982dd3db 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectQuery.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/domain/models/SubjectQuery.kt
@@ -17,4 +17,5 @@ data class SubjectQuery(
     val sort: Boolean = false,
     val afterSubjectId: String? = null,
     val metadata: String? = null,
+    val externalCredential: TokenizableString.Tokenized? = null,
 ) : StepParams
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSource.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSource.kt
index d4e7a9eeae..37427298d0 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSource.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSource.kt
@@ -53,6 +53,7 @@ internal class RealmEnrolmentRecordLocalDataSource @Inject constructor(
         const val FINGERPRINT_SAMPLES_FIELD = "fingerprintSamples"
         const val FACE_SAMPLES_FIELD = "faceSamples"
         const val FORMAT_FIELD = "format"
+        const val EXTERNAL_CREDENTIAL_FIELD = "externalCredentials"
 
         // Although batches are processed sequentially, we use a small channel capacity to prevent blocking and reduce the risk of out-of-memory errors.
         const val CHANNEL_CAPACITY = 4
@@ -218,6 +219,12 @@ internal class RealmEnrolmentRecordLocalDataSource @Inject constructor(
                                 .filterNot { it.id in faceSampleIds }
                                 .takeIf { it.isNotEmpty() }
                                 ?.forEach { realm.delete(it) }
+
+                            val externalCredentialIds = newSubject.externalCredentials.map { it.id }.toSet()
+                            dbSubject.externalCredentials
+                                .filterNot { it.id in externalCredentialIds }
+                                .takeIf { it.isNotEmpty() }
+                                ?.forEach { realm.delete(it) }
                         }
 
                         realm.copyToRealm(newSubject, updatePolicy = UpdatePolicy.ALL)
@@ -229,6 +236,10 @@ internal class RealmEnrolmentRecordLocalDataSource @Inject constructor(
                             val referencesToDelete = action.referenceIdsToRemove.toSet() // to make lookup O(1)
                             val faceSamplesMap = dbSubject.faceSamples.groupBy { it.referenceId in referencesToDelete }
                             val fingerprintSamplesMap = dbSubject.fingerprintSamples.groupBy { it.referenceId in referencesToDelete }
+                            val allExternalCredentials =
+                                (dbSubject.externalCredentials + action.externalCredentialsToAdd.map { it.toRealmDb() })
+                                    .distinctBy { it.id }
+                                    .toSet()
 
                             // Append new samples to the list of samples that remain after removing
                             dbSubject.faceSamples = (
@@ -237,6 +248,7 @@ internal class RealmEnrolmentRecordLocalDataSource @Inject constructor(
                             dbSubject.fingerprintSamples = (
                                 fingerprintSamplesMap[false].orEmpty() + action.fingerprintSamplesToAdd.map { it.toRealmDb() }
                             ).toRealmList()
+                            dbSubject.externalCredentials = allExternalCredentials.toRealmList()
 
                             faceSamplesMap[true]?.forEach { realm.delete(it) }
                             fingerprintSamplesMap[true]?.forEach { realm.delete(it) }
@@ -326,6 +338,12 @@ internal class RealmEnrolmentRecordLocalDataSource @Inject constructor(
                 false,
             )
         }
+        if (query.externalCredential != null) {
+            realmQuery = realmQuery.query(
+                "ANY $EXTERNAL_CREDENTIAL_FIELD.value == $0",
+                query.externalCredential.value,
+            )
+        }
         if (query.sort) {
             realmQuery = realmQuery.sort(SUBJECT_ID_FIELD, Sort.ASCENDING)
         }
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSource.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSource.kt
index e0826e3109..5fe58b49e9 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSource.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSource.kt
@@ -294,6 +294,10 @@ internal class RoomEnrolmentRecordLocalDataSource @Inject constructor(
             val dbFaces = samples.map { it.toRoomDb(subject.subjectId) }
             subjectDao.insertBiometricSamples(dbFaces)
         }
+        subject.externalCredentials.takeIf { it.isNotEmpty() }?.let { credentials ->
+            val dbExternalCredentials = credentials.map { it.toRoomDb() }
+            subjectDao.insertExternalCredentials(dbExternalCredentials)
+        }
     }
 
     private suspend fun updateSubject(action: SubjectAction.Update) {
@@ -303,7 +307,8 @@ internal class RoomEnrolmentRecordLocalDataSource @Inject constructor(
             require(
                 referencesToDelete.size != dbSubject.biometricTemplates.size ||
                     action.faceSamplesToAdd.isNotEmpty() ||
-                    action.fingerprintSamplesToAdd.isNotEmpty(),
+                    action.fingerprintSamplesToAdd.isNotEmpty() ||
+                    action.externalCredentialsToAdd.isNotEmpty(),
             ) {
                 val errorMsg =
                     "Cannot delete all samples for subject ${action.subjectId} without adding new ones"
@@ -319,6 +324,9 @@ internal class RoomEnrolmentRecordLocalDataSource @Inject constructor(
             if (templatesToAdd.isNotEmpty()) {
                 subjectDao.insertBiometricSamples(templatesToAdd)
             }
+            if (action.externalCredentialsToAdd.isNotEmpty()) {
+                subjectDao.insertExternalCredentials(action.externalCredentialsToAdd.map { it.toRoomDb() })
+            }
         } else {
             Simber.e(
                 "[updateSubject] Subject ${action.subjectId} not found for update",
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilder.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilder.kt
index 61d7a07520..c997829a51 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilder.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilder.kt
@@ -4,6 +4,8 @@ import androidx.sqlite.db.SimpleSQLiteQuery
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate.Companion.FORMAT_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate.Companion.TEMPLATE_TABLE_NAME
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_TABLE_NAME
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_VALUE_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.ATTENDANT_ID_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.MODULE_ID_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.PROJECT_ID_COLUMN
@@ -27,10 +29,12 @@ internal class RoomEnrolmentRecordQueryBuilder @Inject constructor() {
             "Cannot set format for subject query, use buildBiometricTemplatesQuery instead"
         }
         val (whereClause, args) = buildWhereClause(query)
+        val credentialJoinClause = buildCredentialJoinClause(query)
         val orderByClause = buildOrderByClause(query)
         val sql =
             """
             SELECT * FROM $SUBJECT_TABLE_NAME S
+            $credentialJoinClause
             $whereClause
             $orderByClause
             """.trimIndent()
@@ -88,6 +92,7 @@ internal class RoomEnrolmentRecordQueryBuilder @Inject constructor() {
             query,
             subjectAlias = "",
             templateAlias = "",
+            credentialAlias = "",
         )
         val sql = "DELETE FROM DbSubject $whereClause"
         return SimpleSQLiteQuery(sql, args.toTypedArray())
@@ -97,6 +102,7 @@ internal class RoomEnrolmentRecordQueryBuilder @Inject constructor() {
         query: SubjectQuery,
         subjectAlias: String = "S.", // Default alias for subject table, dot included. Empty string for no alias.
         templateAlias: String = "T.", // Default alias for template table, dot included. Empty string for no alias.
+        credentialAlias: String = "C.", // Default alias for credentials table, dot included. Empty string for no alias.
     ): Pair<String, List<Any?>> {
         val clauses = mutableListOf<String>()
         val args = mutableListOf<Any?>()
@@ -143,10 +149,25 @@ internal class RoomEnrolmentRecordQueryBuilder @Inject constructor() {
             args.add(it)
         }
 
+        query.externalCredential?.let { tokenizedCredential ->
+            clauses.add("${credentialAlias}$EXTERNAL_CREDENTIAL_VALUE_COLUMN = ?")
+            args.add(tokenizedCredential.value)
+        }
+
         var whereClauseResult = if (clauses.isNotEmpty()) "WHERE ${clauses.joinToString(" AND ")}" else ""
         return Pair(whereClauseResult, args)
     }
 
+    private fun buildCredentialJoinClause(
+        query: SubjectQuery,
+        subjectAlias: String = "S",
+        credentialAlias: String = "C",
+    ): String = if (query.externalCredential != null) {
+        "INNER JOIN $EXTERNAL_CREDENTIAL_TABLE_NAME $credentialAlias ON $subjectAlias.$SUBJECT_ID_COLUMN = $credentialAlias.$SUBJECT_ID_COLUMN"
+    } else {
+        ""
+    }
+
     private fun buildOrderByClause(
         query: SubjectQuery,
         subjectAlias: String = "S.",
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmExternalCredentialConverter.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmExternalCredentialConverter.kt
new file mode 100644
index 0000000000..8f3e2bb4cd
--- /dev/null
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmExternalCredentialConverter.kt
@@ -0,0 +1,20 @@
+package com.simprints.infra.enrolment.records.repository.local.models
+
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.enrolment.records.realm.store.models.DbExternalCredential as RealmExternalCredential
+
+internal fun ExternalCredential.toRealmDb(): RealmExternalCredential = RealmExternalCredential().also { sample ->
+    sample.id = id
+    sample.value = value.value
+    sample.subjectId = subjectId
+    sample.type = type.toString()
+}
+
+internal fun RealmExternalCredential.toDomain(): ExternalCredential = ExternalCredential(
+    id = this.id,
+    value = this.value.asTokenizableEncrypted(),
+    subjectId = this.subjectId,
+    type = ExternalCredentialType.valueOf(this.type)
+)
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmSubjectConverter.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmSubjectConverter.kt
index cb93aa32b7..5b4ceff415 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmSubjectConverter.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RealmSubjectConverter.kt
@@ -1,10 +1,12 @@
 package com.simprints.infra.enrolment.records.repository.local.models
 
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.domain.tokenization.isTokenized
+import com.simprints.infra.enrolment.records.realm.store.models.DbExternalCredential
 import com.simprints.infra.enrolment.records.realm.store.models.DbFaceSample
 import com.simprints.infra.enrolment.records.realm.store.models.DbFingerprintSample
 import com.simprints.infra.enrolment.records.realm.store.models.toDate
@@ -29,6 +31,7 @@ internal fun RealmSubject.toDomain(): Subject {
         updatedAt = updatedAt?.toDate(),
         fingerprintSamples = fingerprintSamples.map(DbFingerprintSample::toDomain),
         faceSamples = faceSamples.map(DbFaceSample::toDomain),
+        externalCredentials = externalCredentials.map(DbExternalCredential::toDomain)
     )
 }
 
@@ -44,4 +47,5 @@ internal fun Subject.toRealmDb(): RealmSubject = RealmSubject().also { subject -
     subject.faceSamples = faceSamples.map(FaceSample::toRealmDb).toRealmList()
     subject.isModuleIdTokenized = moduleId.isTokenized()
     subject.isAttendantIdTokenized = attendantId.isTokenized()
+    subject.externalCredentials = externalCredentials.map(ExternalCredential::toRealmDb).toRealmList()
 }
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomExternalCredentialConverter.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomExternalCredentialConverter.kt
new file mode 100644
index 0000000000..b12caae012
--- /dev/null
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomExternalCredentialConverter.kt
@@ -0,0 +1,21 @@
+package com.simprints.infra.enrolment.records.repository.local.models
+
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential
+
+internal fun DbExternalCredential.toDomain(): ExternalCredential = ExternalCredential(
+    id = id,
+    value = value.asTokenizableEncrypted(),
+    subjectId = subjectId,
+    type = ExternalCredentialType.valueOf(type)
+)
+
+internal fun ExternalCredential.toRoomDb(): DbExternalCredential = DbExternalCredential(
+    id = id,
+    value = value.value,
+    subjectId = subjectId,
+    type = type.name
+)
+
diff --git a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomSubjectConverter.kt b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomSubjectConverter.kt
index 385e341830..456b54b7e6 100644
--- a/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomSubjectConverter.kt
+++ b/infra/enrolment-records/repository/src/main/java/com/simprints/infra/enrolment/records/repository/local/models/RoomSubjectConverter.kt
@@ -15,6 +15,7 @@ internal fun SubjectBiometrics.toDomain() = Subject(
     updatedAt = subject.updatedAt?.toDate(),
     fingerprintSamples = biometricTemplates.filter { it.modality == Modality.FINGERPRINT.id }.map { it.toFingerprintSample() },
     faceSamples = biometricTemplates.filter { it.modality == Modality.FACE.id }.map { it.toFaceSample() },
+    externalCredentials = externalCredentials.map { it.toDomain() },
 )
 
 fun Long.toDate() = Date(this)
diff --git a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceTest.kt b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceTest.kt
index fa4225275c..97d48d1430 100644
--- a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceTest.kt
+++ b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RealmEnrolmentRecordLocalDataSourceTest.kt
@@ -1,6 +1,8 @@
 package com.simprints.infra.enrolment.records.repository.local
 
 import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
@@ -19,6 +21,7 @@ import com.simprints.infra.enrolment.records.repository.domain.models.Fingerprin
 import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
+import com.simprints.infra.enrolment.records.repository.local.RealmEnrolmentRecordLocalDataSource.Companion.EXTERNAL_CREDENTIAL_FIELD
 import com.simprints.infra.enrolment.records.repository.local.RealmEnrolmentRecordLocalDataSource.Companion.FACE_SAMPLES_FIELD
 import com.simprints.infra.enrolment.records.repository.local.RealmEnrolmentRecordLocalDataSource.Companion.FINGERPRINT_SAMPLES_FIELD
 import com.simprints.infra.enrolment.records.repository.local.RealmEnrolmentRecordLocalDataSource.Companion.FORMAT_FIELD
@@ -321,6 +324,7 @@ class RealmEnrolmentRecordLocalDataSourceTest {
                     faceSamplesToAdd = listOf(getRandomFaceSample()),
                     fingerprintSamplesToAdd = listOf(getRandomFingerprintSample()),
                     referenceIdsToRemove = listOf(faceReferenceId, fingerReferenceId),
+                    externalCredentialsToAdd = listOf(),
                 ),
             ),
             project,
@@ -403,6 +407,32 @@ class RealmEnrolmentRecordLocalDataSourceTest {
         assertThat(result).contains("Number of Subjects: 6")
     }
 
+    @Test
+    fun `loads subjects by external credential value`() = runTest {
+        val credentialValue = "credentialValue"
+        val externalCredential = ExternalCredential(
+            id = "id",
+            value = credentialValue.asTokenizableEncrypted(),
+            subjectId = "subjectId",
+            type = ExternalCredentialType.NHISCard
+        )
+
+        saveFakePeople(listOf(
+            getRandomSubject(externalCredentials = listOf(externalCredential))
+        ))
+
+        enrolmentRecordLocalDataSource.load(
+            SubjectQuery(externalCredential = credentialValue.asTokenizableEncrypted())
+        )
+
+        verify {
+            realmQuery.query(
+                "ANY $EXTERNAL_CREDENTIAL_FIELD.value == $0",
+                credentialValue.asTokenizableEncrypted().value,
+            )
+        }
+    }
+
     private fun getFakePerson(): DbSubject = getRandomSubject().toRealmDb()
 
     private fun saveFakePerson(fakeSubject: DbSubject): DbSubject = fakeSubject.also { localSubjects.add(it.toDomain()) }
@@ -435,6 +465,9 @@ class RealmEnrolmentRecordLocalDataSourceTest {
             getRandomFaceSample(),
         ),
         fingerprintSamples: List<FingerprintSample> = listOf(),
+        externalCredentials: List<ExternalCredential> = listOf(
+            getRandomExternalCredential()
+        ),
     ): Subject = Subject(
         subjectId = patientId,
         projectId = projectId,
@@ -442,6 +475,7 @@ class RealmEnrolmentRecordLocalDataSourceTest {
         moduleId = moduleId.asTokenizableRaw(),
         faceSamples = faceSamples,
         fingerprintSamples = fingerprintSamples,
+        externalCredentials = externalCredentials
     )
 
     private fun getRandomFaceSample(
@@ -453,4 +487,11 @@ class RealmEnrolmentRecordLocalDataSourceTest {
         id: String = UUID.randomUUID().toString(),
         referenceId: String = "referenceId",
     ) = FingerprintSample(IFingerIdentifier.LEFT_3RD_FINGER, Random.nextBytes(64), "fingerprintTemplateFormat", referenceId, id)
+
+    private fun getRandomExternalCredential() = ExternalCredential(
+        id = "id",
+        value = "value".asTokenizableEncrypted(),
+        subjectId = "subjectId",
+        type = ExternalCredentialType.NHISCard
+    )
 }
diff --git a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSourceTest.kt b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSourceTest.kt
index 59f16d3f2d..7c8c63193b 100644
--- a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSourceTest.kt
+++ b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordLocalDataSourceTest.kt
@@ -2,6 +2,8 @@ package com.simprints.infra.enrolment.records.repository.local
 
 import androidx.test.core.app.ApplicationProvider
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
@@ -14,6 +16,7 @@ import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
 import com.simprints.infra.enrolment.records.room.store.SubjectsDatabase
+import com.simprints.infra.enrolment.records.room.store.SubjectsDatabase.Companion.SUBJECT_DB_VERSION
 import com.simprints.infra.enrolment.records.room.store.SubjectsDatabaseFactory
 import com.simprints.infra.security.keyprovider.LocalDbKey
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
@@ -68,6 +71,14 @@ class RoomEnrolmentRecordLocalDataSourceTest {
     // --- Test Data ---
     private val date = Date() // Use a fixed date for consistent timestamps in tests
 
+    // External credentials
+    private val externalCredential = ExternalCredential(
+        id = "id",
+        value = "value".asTokenizableEncrypted(),
+        subjectId = "subjectId",
+        type = ExternalCredentialType.NHISCard,
+    )
+
     // Samples defined first
     private val faceSample1 = FaceSample(
         template = byteArrayOf(1, 2, 3),
@@ -119,6 +130,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         fingerprintSamples = emptyList(),
         createdAt = date,
         updatedAt = date,
+        externalCredentials = listOf(getExternalCredential("subj-001")),
     )
     private val subject2P1WithFinger = Subject(
         subjectId = "subj-002",
@@ -129,6 +141,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         fingerprintSamples = listOf(fingerprintSample1),
         createdAt = date,
         updatedAt = date,
+        externalCredentials = listOf(getExternalCredential("subj-002")),
     )
     private val subject3P1WithBoth = Subject(
         subjectId = "subj-003",
@@ -137,6 +150,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         moduleId = MODULE_2_ID,
         faceSamples = listOf(faceSample2),
         fingerprintSamples = listOf(fingerprintSample2),
+        externalCredentials = listOf(getExternalCredential("subj-003")),
     )
     private val subject4P2WithBoth = Subject(
         subjectId = "subj-004",
@@ -147,6 +161,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         fingerprintSamples = listOf(fingerprintSample3),
         createdAt = date,
         updatedAt = date,
+        externalCredentials = listOf(getExternalCredential("subj-004")),
     )
     private val subject5P2WithFace = Subject(
         // Added subject
@@ -158,6 +173,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         fingerprintSamples = emptyList(),
         createdAt = Date(date.time + 1000), // Slightly different time
         updatedAt = Date(date.time + 1000),
+        externalCredentials = listOf(getExternalCredential("subj-005")),
     )
     private val subject6P2WithFinger = Subject(
         // Added subject
@@ -169,6 +185,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         fingerprintSamples = listOf(fingerprintSample3.copy(id = UUID.randomUUID().toString())),
         createdAt = Date(date.time + 2000), // Different time
         updatedAt = Date(date.time + 2000),
+        externalCredentials = listOf(getExternalCredential("subj-006")),
     )
     private val subjectInvalidNoSamples = Subject(
         subjectId = "subj-invalid",
@@ -177,6 +194,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         moduleId = MODULE_1_ID,
         createdAt = date,
         updatedAt = date,
+        externalCredentials = listOf(getExternalCredential("subj-invalid")),
     )
 
     private val project: Project = mockk()
@@ -219,6 +237,13 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         SubjectAction.Creation(subject6P2WithFinger),
     )
 
+    private fun getExternalCredential(subjectId: String) = ExternalCredential(
+        id = "id",
+        value = "value".asTokenizableEncrypted(),
+        subjectId = subjectId,
+        type = ExternalCredentialType.NHISCard,
+    )
+
     private suspend fun setupInitialData() {
         dataSource.performActions(
             initialData,
@@ -340,6 +365,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(faceSample2),
             fingerprintSamplesToAdd = listOf(fingerprintSample1),
             referenceIdsToRemove = listOf(),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -371,6 +397,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(), // Explicitly empty as in original
             fingerprintSamplesToAdd = listOf(), // Explicitly empty as in original
             referenceIdsToRemove = listOf(faceSample2.referenceId),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -400,6 +427,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(),
             fingerprintSamplesToAdd = listOf(),
             referenceIdsToRemove = listOf(fingerprintSample2.referenceId),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -428,6 +456,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(),
             fingerprintSamplesToAdd = listOf(),
             referenceIdsToRemove = listOf(faceSample1.referenceId),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -451,6 +480,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(),
             fingerprintSamplesToAdd = listOf(),
             referenceIdsToRemove = listOf(fingerprintSample1.referenceId),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -470,6 +500,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(faceSample1, faceSample2),
             fingerprintSamplesToAdd = listOf(fingerprintSample1),
             referenceIdsToRemove = listOf(),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -499,6 +530,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(faceSample1), // Try to add samples
             fingerprintSamplesToAdd = listOf(),
             referenceIdsToRemove = listOf(),
+            externalCredentialsToAdd = listOf(),
         )
 
         // When
@@ -607,6 +639,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
             faceSamplesToAdd = listOf(),
             fingerprintSamplesToAdd = listOf(fingerprintSample1),
             referenceIdsToRemove = listOf(),
+            externalCredentialsToAdd = listOf(),
         )
         dataSource.performActions(listOf(updateAction), project)
         loadedSubject =
@@ -1478,7 +1511,7 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         val result = dataSource.getLocalDBInfo()
         // Then
         assertThat(result).contains("Database Name: db-subjects")
-        assertThat(result).contains("Database Version: 1")
+        assertThat(result).contains("Database Version: $SUBJECT_DB_VERSION")
         assertThat(result).contains("Is Encrypted: false") // db not encrypted in tests
         assertThat(result).contains("Number of Subjects: 6")
     }
@@ -1607,4 +1640,35 @@ class RoomEnrolmentRecordLocalDataSourceTest {
         // Then
         verify { mockedDb.close() }
     }
+
+    @Test
+    fun `performActions - Update - should succeed when removing all samples but adding external credentials`() = runTest {
+        dataSource.performActions(listOf(SubjectAction.Creation(subject3P1WithBoth)), project)
+        val initial = dataSource.load(SubjectQuery(subjectId = subject3P1WithBoth.subjectId)).first()
+        assertThat(initial.faceSamples).hasSize(1)
+        assertThat(initial.fingerprintSamples).hasSize(1)
+        assertThat(initial.externalCredentials).hasSize(1)
+
+        val newExternalCredential = ExternalCredential(
+            id = "new-credential-id",
+            value = "new-value".asTokenizableEncrypted(),
+            subjectId = subject3P1WithBoth.subjectId,
+            type = ExternalCredentialType.NHISCard,
+        )
+
+        val updateAction = SubjectAction.Update(
+            subjectId = subject3P1WithBoth.subjectId,
+            faceSamplesToAdd = listOf(),
+            fingerprintSamplesToAdd = listOf(),
+            referenceIdsToRemove = listOf(faceSample2.referenceId, fingerprintSample2.referenceId), // Remove all samples
+            externalCredentialsToAdd = listOf(newExternalCredential),
+        )
+
+        dataSource.performActions(listOf(updateAction), project)
+        val loaded = dataSource.load(SubjectQuery(subjectId = subject3P1WithBoth.subjectId)).first()
+        assertThat(loaded.faceSamples).isEmpty()
+        assertThat(loaded.fingerprintSamples).isEmpty()
+        assertThat(loaded.externalCredentials).hasSize(2)
+        assertThat(loaded.externalCredentials).contains(newExternalCredential)
+    }
 }
diff --git a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilderTest.kt b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilderTest.kt
index d68c21095c..aa90089724 100644
--- a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilderTest.kt
+++ b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/repository/local/RoomEnrolmentRecordQueryBuilderTest.kt
@@ -7,6 +7,8 @@ import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate.Companion.FORMAT_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate.Companion.TEMPLATE_TABLE_NAME
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_TABLE_NAME
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_VALUE_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.ATTENDANT_ID_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.MODULE_ID_COLUMN
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.PROJECT_ID_COLUMN
@@ -44,7 +46,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with subjectId`() {
         val subjectId = "test-subject-id"
         val subjectQuery = SubjectQuery(subjectId = subjectId)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$SUBJECT_ID_COLUMN = ?"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -57,7 +59,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with subjectIds`() {
         val subjectIds = listOf("id1", "id2", "id3")
         val subjectQuery = SubjectQuery(subjectIds = subjectIds)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$SUBJECT_ID_COLUMN IN (?,?,?)"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -70,7 +72,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with afterSubjectId`() {
         val afterSubjectId = "last-subject-id"
         val subjectQuery = SubjectQuery(afterSubjectId = afterSubjectId)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$SUBJECT_ID_COLUMN > ?"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -83,7 +85,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with projectId`() {
         val projectId = "test-project-id"
         val subjectQuery = SubjectQuery(projectId = projectId)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$PROJECT_ID_COLUMN = ?"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -96,7 +98,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with attendantId`() {
         val attendantId = "test-attendant-id".asTokenizableEncrypted()
         val subjectQuery = SubjectQuery(attendantId = attendantId)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$ATTENDANT_ID_COLUMN = ?"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -109,7 +111,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
     fun `buildSubjectQuery with moduleId`() {
         val moduleId = "test-module-id".asTokenizableEncrypted()
         val subjectQuery = SubjectQuery(moduleId = moduleId)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$MODULE_ID_COLUMN = ?"
 
         val resultQuery = queryBuilder.buildSubjectQuery(subjectQuery)
@@ -125,6 +127,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
             """
             SELECT * FROM $SUBJECT_TABLE_NAME S
             
+            
             ORDER BY S.$SUBJECT_ID_COLUMN ASC
             """.trimIndent()
 
@@ -138,7 +141,7 @@ class RoomEnrolmentRecordQueryBuilderTest {
         val projectId = "proj1"
         val attendantId = "att1".asTokenizableEncrypted()
         val subjectQuery = SubjectQuery(projectId = projectId, attendantId = attendantId, sort = true)
-        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n" +
+        val expectedSql = "SELECT * FROM $SUBJECT_TABLE_NAME S\n\n" +
             "WHERE S.$PROJECT_ID_COLUMN = ? AND S.$ATTENDANT_ID_COLUMN = ?\n" +
             "ORDER BY S.$SUBJECT_ID_COLUMN ASC"
 
@@ -405,6 +408,27 @@ class RoomEnrolmentRecordQueryBuilderTest {
         assertThat(getArgs(resultQuery)).isEqualTo(arrayOf<Any?>(projectId, moduleId.value))
     }
 
+    @Test
+    fun `buildSubjectQuery includes credential join clause when externalCredential is provided`() {
+        val credentialValue = "credentialValue"
+        val query = SubjectQuery(
+            projectId = "projectId",
+            externalCredential = credentialValue.asTokenizableEncrypted(),
+        )
+
+        val result = RoomEnrolmentRecordQueryBuilder().buildSubjectQuery(query)
+
+        val expectedSql =
+            """
+            SELECT * FROM $SUBJECT_TABLE_NAME S
+            INNER JOIN $EXTERNAL_CREDENTIAL_TABLE_NAME C ON S.$SUBJECT_ID_COLUMN = C.$SUBJECT_ID_COLUMN
+            WHERE S.$PROJECT_ID_COLUMN = ? AND C.$EXTERNAL_CREDENTIAL_VALUE_COLUMN = ?
+            
+            """.trimIndent()
+
+        assertThat(result.sql).isEqualTo(expectedSql)
+    }
+
     private fun getArgs(query: SimpleSQLiteQuery): Array<Any?> {
         val argsMap = mutableMapOf<Int, Any?>()
         val program = object : SupportSQLiteProgram {
diff --git a/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/room/store/migration/Migration1to2Test.kt b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/room/store/migration/Migration1to2Test.kt
new file mode 100644
index 0000000000..278023f419
--- /dev/null
+++ b/infra/enrolment-records/repository/src/test/java/com/simprints/infra/enrolment/records/room/store/migration/Migration1to2Test.kt
@@ -0,0 +1,42 @@
+package com.simprints.infra.enrolment.records.room.store.migration
+
+import androidx.room.testing.MigrationTestHelper
+import androidx.test.ext.junit.runners.*
+import androidx.test.platform.app.*
+import com.google.common.truth.Truth.*
+import com.simprints.infra.enrolment.records.room.store.SubjectsDatabase
+import org.junit.Rule
+import org.junit.runner.RunWith
+import kotlin.test.Test
+
+@RunWith(AndroidJUnit4::class)
+class Migration1to2Test {
+
+    @get:Rule
+    val helper = MigrationTestHelper(
+        InstrumentationRegistry.getInstrumentation(),
+        SubjectsDatabase::class.java,
+    )
+
+    @Test
+    fun `when migrating from 1 to 2 then external credential table should be added`() {
+        val db1 = helper.createDatabase(name = TEST_DB, version = 1)
+        val db2 = helper.runMigrationsAndValidate(
+            name = TEST_DB,
+            version = 2,
+            validateDroppedTables = true,
+            SubjectMigration1to2()
+        )
+
+        // Verify external credentials table exists
+        val cursor = db2.query("SELECT name FROM sqlite_master WHERE name='DbExternalCredential'")
+        assertThat(cursor.count).isEqualTo(1)
+        cursor.close()
+        db1.close()
+        db2.close()
+    }
+
+    companion object {
+        private const val TEST_DB = "migration-test"
+    }
+}
diff --git a/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/1.json b/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/1.json
index bbe29315e1..58b0f3827c 100644
--- a/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/1.json
+++ b/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/1.json
@@ -177,4 +177,4 @@
       "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, '94bee827928a2618c6873579bc6bc63a')"
     ]
   }
-}
\ No newline at end of file
+}
diff --git a/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/2.json b/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/2.json
new file mode 100644
index 0000000000..6673ade6ff
--- /dev/null
+++ b/infra/enrolment-records/room-store/schemas/com.simprints.infra.enrolment.records.room.store.SubjectsDatabase/2.json
@@ -0,0 +1,241 @@
+{
+  "formatVersion": 1,
+  "database": {
+    "version": 2,
+    "identityHash": "8dad14b775cb4eea6cb7293fbcf84b30",
+    "entities": [
+      {
+        "tableName": "DbSubject",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`subjectId` TEXT NOT NULL, `projectId` TEXT NOT NULL, `attendantId` TEXT NOT NULL, `moduleId` TEXT NOT NULL, `createdAt` INTEGER, `updatedAt` INTEGER, PRIMARY KEY(`subjectId`))",
+        "fields": [
+          {
+            "fieldPath": "subjectId",
+            "columnName": "subjectId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "projectId",
+            "columnName": "projectId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "attendantId",
+            "columnName": "attendantId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "moduleId",
+            "columnName": "moduleId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "createdAt",
+            "columnName": "createdAt",
+            "affinity": "INTEGER"
+          },
+          {
+            "fieldPath": "updatedAt",
+            "columnName": "updatedAt",
+            "affinity": "INTEGER"
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "subjectId"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_DbSubject_projectId_subjectId",
+            "unique": false,
+            "columnNames": [
+              "projectId",
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbSubject_projectId_subjectId` ON `${TABLE_NAME}` (`projectId`, `subjectId`)"
+          },
+          {
+            "name": "index_DbSubject_projectId_moduleId_subjectId",
+            "unique": false,
+            "columnNames": [
+              "projectId",
+              "moduleId",
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbSubject_projectId_moduleId_subjectId` ON `${TABLE_NAME}` (`projectId`, `moduleId`, `subjectId`)"
+          },
+          {
+            "name": "index_DbSubject_projectId_attendantId_subjectId",
+            "unique": false,
+            "columnNames": [
+              "projectId",
+              "attendantId",
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbSubject_projectId_attendantId_subjectId` ON `${TABLE_NAME}` (`projectId`, `attendantId`, `subjectId`)"
+          }
+        ]
+      },
+      {
+        "tableName": "DbBiometricTemplate",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`uuid` TEXT NOT NULL, `subjectId` TEXT NOT NULL, `identifier` INTEGER, `templateData` BLOB NOT NULL, `format` TEXT NOT NULL, `referenceId` TEXT NOT NULL, `modality` INTEGER NOT NULL, PRIMARY KEY(`uuid`), FOREIGN KEY(`subjectId`) REFERENCES `DbSubject`(`subjectId`) ON UPDATE NO ACTION ON DELETE CASCADE )",
+        "fields": [
+          {
+            "fieldPath": "uuid",
+            "columnName": "uuid",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "subjectId",
+            "columnName": "subjectId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "identifier",
+            "columnName": "identifier",
+            "affinity": "INTEGER"
+          },
+          {
+            "fieldPath": "templateData",
+            "columnName": "templateData",
+            "affinity": "BLOB",
+            "notNull": true
+          },
+          {
+            "fieldPath": "format",
+            "columnName": "format",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "referenceId",
+            "columnName": "referenceId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "modality",
+            "columnName": "modality",
+            "affinity": "INTEGER",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "uuid"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_DbBiometricTemplate_format_subjectId",
+            "unique": false,
+            "columnNames": [
+              "format",
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbBiometricTemplate_format_subjectId` ON `${TABLE_NAME}` (`format`, `subjectId`)"
+          },
+          {
+            "name": "index_DbBiometricTemplate_subjectId",
+            "unique": false,
+            "columnNames": [
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbBiometricTemplate_subjectId` ON `${TABLE_NAME}` (`subjectId`)"
+          }
+        ],
+        "foreignKeys": [
+          {
+            "table": "DbSubject",
+            "onDelete": "CASCADE",
+            "onUpdate": "NO ACTION",
+            "columns": [
+              "subjectId"
+            ],
+            "referencedColumns": [
+              "subjectId"
+            ]
+          }
+        ]
+      },
+      {
+        "tableName": "DbExternalCredential",
+        "createSql": "CREATE TABLE IF NOT EXISTS `${TABLE_NAME}` (`id` TEXT NOT NULL, `value` TEXT NOT NULL, `subjectId` TEXT NOT NULL, `type` TEXT NOT NULL, PRIMARY KEY(`value`, `subjectId`), FOREIGN KEY(`subjectId`) REFERENCES `DbSubject`(`subjectId`) ON UPDATE NO ACTION ON DELETE CASCADE )",
+        "fields": [
+          {
+            "fieldPath": "id",
+            "columnName": "id",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "value",
+            "columnName": "value",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "subjectId",
+            "columnName": "subjectId",
+            "affinity": "TEXT",
+            "notNull": true
+          },
+          {
+            "fieldPath": "type",
+            "columnName": "type",
+            "affinity": "TEXT",
+            "notNull": true
+          }
+        ],
+        "primaryKey": {
+          "autoGenerate": false,
+          "columnNames": [
+            "value",
+            "subjectId"
+          ]
+        },
+        "indices": [
+          {
+            "name": "index_DbExternalCredential_subjectId",
+            "unique": false,
+            "columnNames": [
+              "subjectId"
+            ],
+            "orders": [],
+            "createSql": "CREATE INDEX IF NOT EXISTS `index_DbExternalCredential_subjectId` ON `${TABLE_NAME}` (`subjectId`)"
+          }
+        ],
+        "foreignKeys": [
+          {
+            "table": "DbSubject",
+            "onDelete": "CASCADE",
+            "onUpdate": "NO ACTION",
+            "columns": [
+              "subjectId"
+            ],
+            "referencedColumns": [
+              "subjectId"
+            ]
+          }
+        ]
+      }
+    ],
+    "setupQueries": [
+      "CREATE TABLE IF NOT EXISTS room_master_table (id INTEGER PRIMARY KEY,identity_hash TEXT)",
+      "INSERT OR REPLACE INTO room_master_table (id,identity_hash) VALUES(42, '8dad14b775cb4eea6cb7293fbcf84b30')"
+    ]
+  }
+}
\ No newline at end of file
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectDao.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectDao.kt
index 5247f7295e..ec12c72960 100644
--- a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectDao.kt
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectDao.kt
@@ -8,6 +8,7 @@ import androidx.room.Query
 import androidx.room.RawQuery
 import androidx.sqlite.db.SupportSQLiteQuery
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject
 import com.simprints.infra.enrolment.records.room.store.models.SubjectBiometrics
 
@@ -19,12 +20,18 @@ interface SubjectDao {
     @Insert(onConflict = OnConflictStrategy.REPLACE)
     suspend fun insertBiometricSamples(samples: List<DbBiometricTemplate>)
 
+    @Insert(onConflict = OnConflictStrategy.REPLACE)
+    suspend fun insertExternalCredentials(value: List<DbExternalCredential>)
+
     @Query("DELETE FROM DbSubject WHERE subjectId = :subjectId")
     suspend fun deleteSubject(subjectId: String)
 
     @Query("DELETE FROM DbBiometricTemplate WHERE uuid = :uuid")
     suspend fun deleteBiometricSample(uuid: String)
 
+    @Query("DELETE FROM DbExternalCredential WHERE value = :value")
+    suspend fun deleteExternalCredential(value: String)
+
     @RawQuery
     suspend fun deleteSubjects(query: SupportSQLiteQuery): Int
 
@@ -34,6 +41,9 @@ interface SubjectDao {
     @RawQuery
     suspend fun loadSubjects(query: SupportSQLiteQuery): List<SubjectBiometrics>
 
+    @Query("SELECT * FROM DbExternalCredential")
+    suspend fun getAllExternalCredentials(): List<DbExternalCredential>
+
     @RawQuery
     suspend fun countSubjects(query: SupportSQLiteQuery): Int
 
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectsDatabase.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectsDatabase.kt
index 16f004f62d..157af2c0ab 100644
--- a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectsDatabase.kt
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/SubjectsDatabase.kt
@@ -5,7 +5,10 @@ import androidx.annotation.Keep
 import androidx.room.Database
 import androidx.room.Room
 import androidx.room.RoomDatabase
+import com.simprints.infra.enrolment.records.room.store.SubjectsDatabase.Companion.SUBJECT_DB_VERSION
+import com.simprints.infra.enrolment.records.room.store.migration.SubjectMigration1to2
 import com.simprints.infra.enrolment.records.room.store.models.DbBiometricTemplate
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential
 import com.simprints.infra.enrolment.records.room.store.models.DbSubject
 import net.zetetic.database.sqlcipher.SupportOpenHelperFactory
 import javax.inject.Singleton
@@ -15,8 +18,9 @@ import javax.inject.Singleton
     entities = [
         DbSubject::class,
         DbBiometricTemplate::class,
+        DbExternalCredential::class,
     ],
-    version = 1,
+    version = SUBJECT_DB_VERSION,
     exportSchema = true,
 )
 @Keep
@@ -29,11 +33,14 @@ abstract class SubjectsDatabase : RoomDatabase() {
             factory: SupportOpenHelperFactory,
             dbName: String,
         ): SubjectsDatabase {
-            val builder = Room.databaseBuilder(context, SubjectsDatabase::class.java, dbName)
+            val builder = Room
+                .databaseBuilder(context, SubjectsDatabase::class.java, dbName)
+                .addMigrations(SubjectMigration1to2())
             if (BuildConfig.DB_ENCRYPTION) {
                 builder.openHelperFactory(factory)
             }
             return builder.build()
         }
+        const val SUBJECT_DB_VERSION = 2
     }
 }
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/migration/SubjectMigration1to2.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/migration/SubjectMigration1to2.kt
new file mode 100644
index 0000000000..c7a250110b
--- /dev/null
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/migration/SubjectMigration1to2.kt
@@ -0,0 +1,31 @@
+package com.simprints.infra.enrolment.records.room.store.migration
+
+import androidx.room.migration.Migration
+import androidx.sqlite.db.SupportSQLiteDatabase
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+
+/**
+ * Schema version 1 -> 2
+ *
+ * Changes:
+ * - Adding [DbExternalCredential] entity
+ * */
+@ExcludedFromGeneratedTestCoverageReports("Covered indirectly in the migration tests")
+class SubjectMigration1to2 : Migration(1, 2) {
+    override fun migrate(db: SupportSQLiteDatabase) {
+        db.execSQL(
+            """
+            CREATE TABLE IF NOT EXISTS `DbExternalCredential` (
+                `id` TEXT NOT NULL,
+                `value` TEXT NOT NULL,
+                `subjectId` TEXT NOT NULL,
+                `type` TEXT NOT NULL,
+                PRIMARY KEY(`value`, `subjectId`),
+                FOREIGN KEY(`subjectId`) REFERENCES `DbSubject`(`subjectId`) ON DELETE CASCADE
+            )
+            """.trimIndent()
+        )
+        db.execSQL("CREATE INDEX IF NOT EXISTS `index_DbExternalCredential_subjectId` ON `DbExternalCredential` (`subjectId`)")
+    }
+}
+
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbBiometricTemplate.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbBiometricTemplate.kt
index 7590c579bd..91c0075666 100644
--- a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbBiometricTemplate.kt
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbBiometricTemplate.kt
@@ -39,3 +39,4 @@ data class DbBiometricTemplate(
         const val FORMAT_COLUMN = "format"
     }
 }
+
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbExternalCredential.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbExternalCredential.kt
new file mode 100644
index 0000000000..7175998ebb
--- /dev/null
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/DbExternalCredential.kt
@@ -0,0 +1,37 @@
+package com.simprints.infra.enrolment.records.room.store.models
+
+import androidx.room.ColumnInfo
+import androidx.room.Entity
+import androidx.room.ForeignKey
+import androidx.room.Index
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_TABLE_NAME
+import com.simprints.infra.enrolment.records.room.store.models.DbExternalCredential.Companion.EXTERNAL_CREDENTIAL_VALUE_COLUMN
+import com.simprints.infra.enrolment.records.room.store.models.DbSubject.Companion.SUBJECT_ID_COLUMN
+
+@Entity(
+    tableName = EXTERNAL_CREDENTIAL_TABLE_NAME,
+    primaryKeys = [EXTERNAL_CREDENTIAL_VALUE_COLUMN, SUBJECT_ID_COLUMN],
+    foreignKeys = [
+        ForeignKey(
+            entity = DbSubject::class,
+            parentColumns = [SUBJECT_ID_COLUMN],
+            childColumns = [SUBJECT_ID_COLUMN],
+            onDelete = ForeignKey.CASCADE,
+        )
+    ],
+    indices = [Index(SUBJECT_ID_COLUMN)]
+)
+data class DbExternalCredential(
+    // The ID is only used by BFSID for analytics. The primary key should be a composite of value+subjectId
+    val id: String,
+    @ColumnInfo(name = EXTERNAL_CREDENTIAL_VALUE_COLUMN)
+    val value: String,
+    @ColumnInfo(name = SUBJECT_ID_COLUMN)
+    val subjectId: String,
+    val type: String,
+) {
+    companion object {
+        const val EXTERNAL_CREDENTIAL_VALUE_COLUMN = "value"
+        const val EXTERNAL_CREDENTIAL_TABLE_NAME = "DbExternalCredential"
+    }
+}
diff --git a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/SubjectBiometrics.kt b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/SubjectBiometrics.kt
index 1ea2f722d2..d35bff3420 100644
--- a/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/SubjectBiometrics.kt
+++ b/infra/enrolment-records/room-store/src/main/java/com/simprints/infra/enrolment/records/room/store/models/SubjectBiometrics.kt
@@ -11,4 +11,9 @@ data class SubjectBiometrics(
         entityColumn = SUBJECT_ID_COLUMN,
     )
     val biometricTemplates: List<DbBiometricTemplate>,
+    @Relation(
+        parentColumn = SUBJECT_ID_COLUMN,
+        entityColumn = SUBJECT_ID_COLUMN,
+    )
+    val externalCredentials: List<DbExternalCredential>,
 )
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2.kt
index 92fd4a0598..f18557c181 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2.kt
@@ -25,6 +25,7 @@ internal data class ApiEnrolmentPayloadV2(
     override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = when (tokenKeyType) {
         TokenKeyType.AttendantId -> "attendantId"
         TokenKeyType.ModuleId -> "moduleId"
+        TokenKeyType.ExternalCredential -> "externalCredential"
         TokenKeyType.Unknown -> null
     }
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV4.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV4.kt
index 519e6ed6df..24d4c99723 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV4.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV4.kt
@@ -1,10 +1,12 @@
 package com.simprints.infra.eventsync.event.remote.models
 
 import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.infra.config.store.models.TokenKeyType
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
 
 @Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 internal data class ApiEnrolmentPayloadV4(
     override val startTime: ApiTimestamp,
     val subjectId: String,
@@ -12,19 +14,21 @@ internal data class ApiEnrolmentPayloadV4(
     val moduleId: String,
     val attendantId: String,
     val biometricReferenceIds: List<String>,
+    val externalCredentialIds: List<String>,
 ) : ApiEventPayload(startTime) {
     constructor(domainPayload: EnrolmentEventV4.EnrolmentPayload) : this(
-        domainPayload.createdAt.fromDomainToApi(),
-        domainPayload.subjectId,
-        domainPayload.projectId,
-        domainPayload.moduleId.value,
-        domainPayload.attendantId.value,
-        domainPayload.biometricReferenceIds,
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        subjectId = domainPayload.subjectId,
+        projectId = domainPayload.projectId,
+        moduleId = domainPayload.moduleId.value,
+        attendantId = domainPayload.attendantId.value,
+        biometricReferenceIds = domainPayload.biometricReferenceIds,
+        externalCredentialIds = domainPayload.externalCredentialIds,
     )
 
     override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = when (tokenKeyType) {
         TokenKeyType.AttendantId -> "attendantId"
         TokenKeyType.ModuleId -> "moduleId"
-        TokenKeyType.Unknown -> null
+        else -> null
     }
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentUpdatePayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentUpdatePayload.kt
new file mode 100644
index 0000000000..2adebe0e1c
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentUpdatePayload.kt
@@ -0,0 +1,20 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent.EnrolmentUpdatePayload
+
+@Keep
+internal data class ApiEnrolmentUpdatePayload(
+    override val startTime: ApiTimestamp,
+    val subjectId: String,
+    val externalCredentialIdsToAdd: List<String>,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: EnrolmentUpdatePayload) : this(
+        domainPayload.createdAt.fromDomainToApi(),
+        domainPayload.subjectId,
+        domainPayload.externalCredentialIdsToAdd,
+    )
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = null
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayload.kt
index 0bf9a3677c..54ace30792 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayload.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayload.kt
@@ -13,6 +13,7 @@ import com.simprints.infra.events.event.domain.models.ConnectivitySnapshotEvent.
 import com.simprints.infra.events.event.domain.models.ConsentEvent.ConsentPayload
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV2
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent.EnrolmentUpdatePayload
 import com.simprints.infra.events.event.domain.models.EventPayload
 import com.simprints.infra.events.event.domain.models.EventType.AGE_GROUP_SELECTION
 import com.simprints.infra.events.event.domain.models.EventType.ALERT_SCREEN
@@ -39,10 +40,16 @@ import com.simprints.infra.events.event.domain.models.EventType.CANDIDATE_READ
 import com.simprints.infra.events.event.domain.models.EventType.COMPLETION_CHECK
 import com.simprints.infra.events.event.domain.models.EventType.CONNECTIVITY_SNAPSHOT
 import com.simprints.infra.events.event.domain.models.EventType.CONSENT
+import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_UPDATE
 import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_V2
 import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_V4
 import com.simprints.infra.events.event.domain.models.EventType.EVENT_DOWN_SYNC_REQUEST
 import com.simprints.infra.events.event.domain.models.EventType.EVENT_UP_SYNC_REQUEST
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE_VALUE
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CONFIRMATION
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_SEARCH
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_SELECTION
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE_BIOMETRICS
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE_CONFIRMATION
@@ -63,6 +70,11 @@ import com.simprints.infra.events.event.domain.models.EventType.SCANNER_CONNECTI
 import com.simprints.infra.events.event.domain.models.EventType.SCANNER_FIRMWARE_UPDATE
 import com.simprints.infra.events.event.domain.models.EventType.SUSPICIOUS_INTENT
 import com.simprints.infra.events.event.domain.models.EventType.VERO_2_INFO_SNAPSHOT
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent.ExternalCredentialCapturePayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent.ExternalCredentialCaptureValuePayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationPayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSearchEvent.ExternalCredentialSearchPayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent.ExternalCredentialSelectionPayload
 import com.simprints.infra.events.event.domain.models.GuidSelectionEvent.GuidSelectionPayload
 import com.simprints.infra.events.event.domain.models.IntentParsingEvent.IntentParsingPayload
 import com.simprints.infra.events.event.domain.models.InvalidIntentEvent.InvalidIntentPayload
@@ -170,4 +182,10 @@ internal fun EventPayload.fromDomainToApi(): ApiEventPayload = when (this.type)
     LICENSE_CHECK -> ApiLicenseCheckEventPayload(this as LicenseCheckEvent.LicenseCheckEventPayload)
     AGE_GROUP_SELECTION -> ApiAgeGroupSelectionPayload(this as AgeGroupSelectionEvent.AgeGroupSelectionPayload)
     BIOMETRIC_REFERENCE_CREATION -> ApiBiometricReferenceCreationPayload(this as BiometricReferenceCreationPayload)
+    ENROLMENT_UPDATE -> ApiEnrolmentUpdatePayload(this as EnrolmentUpdatePayload)
+    EXTERNAL_CREDENTIAL_SELECTION -> ApiExternalCredentialSelectionPayload(this as ExternalCredentialSelectionPayload)
+    EXTERNAL_CREDENTIAL_CAPTURE -> ApiExternalCredentialCapturePayload(this as ExternalCredentialCapturePayload)
+    EXTERNAL_CREDENTIAL_CAPTURE_VALUE -> ApiExternalCredentialCaptureValuePayload(this as ExternalCredentialCaptureValuePayload)
+    EXTERNAL_CREDENTIAL_SEARCH -> ApiExternalCredentialSearchPayload(this as ExternalCredentialSearchPayload)
+    EXTERNAL_CREDENTIAL_CONFIRMATION -> ApiExternalCredentialConfirmationPayload(this as ExternalCredentialConfirmationPayload)
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayloadType.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayloadType.kt
index e2a4908b20..141a6ad0a5 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayloadType.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiEventPayloadType.kt
@@ -27,10 +27,16 @@ import com.simprints.infra.events.event.domain.models.EventType.CANDIDATE_READ
 import com.simprints.infra.events.event.domain.models.EventType.COMPLETION_CHECK
 import com.simprints.infra.events.event.domain.models.EventType.CONNECTIVITY_SNAPSHOT
 import com.simprints.infra.events.event.domain.models.EventType.CONSENT
+import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_UPDATE
 import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_V2
 import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_V4
 import com.simprints.infra.events.event.domain.models.EventType.EVENT_DOWN_SYNC_REQUEST
 import com.simprints.infra.events.event.domain.models.EventType.EVENT_UP_SYNC_REQUEST
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE_VALUE
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CONFIRMATION
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_SEARCH
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_SELECTION
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE_BIOMETRICS
 import com.simprints.infra.events.event.domain.models.EventType.FACE_CAPTURE_CONFIRMATION
@@ -88,6 +94,12 @@ internal enum class ApiEventPayloadType {
     LicenseCheck,
     AgeGroupSelection,
     BiometricReferenceCreation,
+    EnrolmentUpdate,
+    ExternalCredentialSelection,
+    ExternalCredentialCaptureValue,
+    ExternalCredentialCapture,
+    ExternalCredentialSearch,
+    ExternalCredentialConfirmation,
 }
 
 internal fun EventType.fromDomainToApi(): ApiEventPayloadType = when (this) {
@@ -143,6 +155,12 @@ internal fun EventType.fromDomainToApi(): ApiEventPayloadType = when (this) {
     LICENSE_CHECK -> ApiEventPayloadType.LicenseCheck
     AGE_GROUP_SELECTION -> ApiEventPayloadType.AgeGroupSelection
     BIOMETRIC_REFERENCE_CREATION -> ApiEventPayloadType.BiometricReferenceCreation
+    ENROLMENT_UPDATE -> ApiEventPayloadType.EnrolmentUpdate
+    EXTERNAL_CREDENTIAL_SELECTION -> ApiEventPayloadType.ExternalCredentialSelection
+    EXTERNAL_CREDENTIAL_CAPTURE_VALUE -> ApiEventPayloadType.ExternalCredentialCaptureValue
+    EXTERNAL_CREDENTIAL_CAPTURE -> ApiEventPayloadType.ExternalCredentialCapture
+    EXTERNAL_CREDENTIAL_SEARCH -> ApiEventPayloadType.ExternalCredentialSearch
+    EXTERNAL_CREDENTIAL_CONFIRMATION -> ApiEventPayloadType.ExternalCredentialConfirmation
 }
 
 internal fun ApiEventPayloadType.fromApiToDomain(): EventType = when (this) {
@@ -180,4 +198,10 @@ internal fun ApiEventPayloadType.fromApiToDomain(): EventType = when (this) {
     ApiEventPayloadType.BiometricReferenceCreation -> BIOMETRIC_REFERENCE_CREATION
     ApiEventPayloadType.Callout -> throw UnsupportedOperationException("")
     ApiEventPayloadType.Callback -> throw UnsupportedOperationException("")
+    ApiEventPayloadType.EnrolmentUpdate -> ENROLMENT_UPDATE
+    ApiEventPayloadType.ExternalCredentialSelection -> EXTERNAL_CREDENTIAL_SELECTION
+    ApiEventPayloadType.ExternalCredentialCaptureValue -> EXTERNAL_CREDENTIAL_CAPTURE_VALUE
+    ApiEventPayloadType.ExternalCredentialCapture -> EXTERNAL_CREDENTIAL_CAPTURE
+    ApiEventPayloadType.ExternalCredentialSearch -> EXTERNAL_CREDENTIAL_SEARCH
+    ApiEventPayloadType.ExternalCredentialConfirmation -> EXTERNAL_CREDENTIAL_CONFIRMATION
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCapturePayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCapturePayload.kt
new file mode 100644
index 0000000000..214901dcdc
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCapturePayload.kt
@@ -0,0 +1,32 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent.ExternalCredentialCapturePayload
+
+@Keep
+internal data class ApiExternalCredentialCapturePayload(
+    override val startTime: ApiTimestamp,
+    val id: String,
+    val endTime: ApiTimestamp?,
+    val autoCaptureStartTime: ApiTimestamp,
+    val autoCaptureEndTime: ApiTimestamp,
+    val ocrErrorCount: Int,
+    val capturedTextLength: Int,
+    val credentialTextLength: Int,
+    val selectionId: String,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: ExternalCredentialCapturePayload) : this(
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        endTime = domainPayload.endedAt?.fromDomainToApi(),
+        id = domainPayload.id,
+        autoCaptureStartTime = domainPayload.autoCaptureStartTime.fromDomainToApi(),
+        autoCaptureEndTime = domainPayload.autoCaptureEndTime.fromDomainToApi(),
+        ocrErrorCount = domainPayload.ocrErrorCount,
+        capturedTextLength = domainPayload.capturedTextLength,
+        credentialTextLength = domainPayload.credentialTextLength,
+        selectionId = domainPayload.selectionId,
+    )
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = null
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCaptureValuePayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCaptureValuePayload.kt
new file mode 100644
index 0000000000..48d2a3753a
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialCaptureValuePayload.kt
@@ -0,0 +1,28 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent.ExternalCredentialCaptureValuePayload
+import com.simprints.infra.eventsync.event.remote.models.subject.ApiExternalCredential
+import com.simprints.infra.eventsync.event.remote.models.subject.fromDomainToApi
+
+@Keep
+internal data class ApiExternalCredentialCaptureValuePayload(
+    override val startTime: ApiTimestamp,
+    val id: String,
+    val credential: ApiExternalCredential,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: ExternalCredentialCaptureValuePayload) : this(
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        id = domainPayload.id,
+        credential = domainPayload.credential.fromDomainToApi(),
+    )
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = when (tokenKeyType) {
+        TokenKeyType.ExternalCredential -> "credential.value"
+        TokenKeyType.AttendantId,
+        TokenKeyType.ModuleId,
+        TokenKeyType.Unknown,
+        -> null
+    }
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialConfirmationPayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialConfirmationPayload.kt
new file mode 100644
index 0000000000..04ec17adad
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialConfirmationPayload.kt
@@ -0,0 +1,35 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationResult
+import com.simprints.infra.eventsync.event.remote.models.ApiExternalCredentialConfirmationPayload.ApiExternalCredentialConfirmationResult
+
+@Keep
+internal data class ApiExternalCredentialConfirmationPayload(
+    override val startTime: ApiTimestamp,
+    val endTime: ApiTimestamp?,
+    val result: ApiExternalCredentialConfirmationResult,
+    val userInteractedWithImage: Boolean? = null,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationPayload) : this(
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        endTime = domainPayload.endedAt?.fromDomainToApi(),
+        result = domainPayload.result.fromDomainToApi(),
+        userInteractedWithImage = domainPayload.userInteractedWithImage,
+    )
+
+    @Keep
+    enum class ApiExternalCredentialConfirmationResult {
+        CONTINUE,
+        RECAPTURE,
+    }
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = null
+}
+
+internal fun ExternalCredentialConfirmationResult.fromDomainToApi(): ApiExternalCredentialConfirmationResult = when (this) {
+    ExternalCredentialConfirmationResult.CONTINUE -> ApiExternalCredentialConfirmationResult.CONTINUE
+    ExternalCredentialConfirmationResult.RECAPTURE -> ApiExternalCredentialConfirmationResult.RECAPTURE
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSearchPayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSearchPayload.kt
new file mode 100644
index 0000000000..b0b2ae1832
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSearchPayload.kt
@@ -0,0 +1,31 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSearchEvent
+
+@Keep
+internal data class ApiExternalCredentialSearchPayload(
+    override val startTime: ApiTimestamp,
+    val endTime: ApiTimestamp?,
+    val id: String,
+    val probeExternalCredentialId: String,
+    val result: ApiExternalCredentialSearchResult,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: ExternalCredentialSearchEvent.ExternalCredentialSearchPayload) : this(
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        endTime = domainPayload.endedAt?.fromDomainToApi(),
+        id = domainPayload.id,
+        probeExternalCredentialId = domainPayload.probeExternalCredentialId,
+        result = ApiExternalCredentialSearchResult(
+            candidateIds = domainPayload.result.candidateIds,
+        ),
+    )
+
+    @Keep
+    data class ApiExternalCredentialSearchResult(
+        val candidateIds: List<String>,
+    )
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = null
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSelectionPayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSelectionPayload.kt
new file mode 100644
index 0000000000..1af14bb9bd
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/ApiExternalCredentialSelectionPayload.kt
@@ -0,0 +1,51 @@
+package com.simprints.infra.eventsync.event.remote.models
+
+import androidx.annotation.Keep
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
+import com.simprints.infra.config.store.remote.models.fromDomainToApi
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent.SkipReason
+import com.simprints.infra.eventsync.event.remote.models.ApiExternalCredentialSelectionPayload.ApiExternalCredentialSkipReason
+
+@Keep
+internal data class ApiExternalCredentialSelectionPayload(
+    override val startTime: ApiTimestamp,
+    val endTime: ApiTimestamp?,
+    val id: String,
+    val credentialType: ApiExternalCredentialType?,
+    val skipReason: ApiExternalCredentialSkipReason?,
+    val skipOther: String?,
+) : ApiEventPayload(startTime) {
+    constructor(domainPayload: ExternalCredentialSelectionEvent.ExternalCredentialSelectionPayload) : this(
+        startTime = domainPayload.createdAt.fromDomainToApi(),
+        endTime = domainPayload.endedAt?.fromDomainToApi(),
+        id = domainPayload.id,
+        credentialType = domainPayload.credentialType?.fromDomainToApi(),
+        skipReason = domainPayload.skipReason?.toApiExternalCredentialSkipReason(),
+        skipOther = domainPayload.skipOther,
+    )
+
+    @Keep
+    enum class ApiExternalCredentialSkipReason {
+        DOES_NOT_HAVE_ID,
+        DID_NOT_BRING_ID,
+        BROUGHT_INCORRECT_ID,
+        NO_CONSENT,
+        ID_DAMAGED,
+        UNABLE_TO_SCAN,
+        OTHER,
+    }
+
+    override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = null
+}
+
+internal fun SkipReason.toApiExternalCredentialSkipReason(): ApiExternalCredentialSkipReason = when (this) {
+    SkipReason.DOES_NOT_HAVE_ID -> ApiExternalCredentialSkipReason.DOES_NOT_HAVE_ID
+    SkipReason.DID_NOT_BRING_ID -> ApiExternalCredentialSkipReason.DID_NOT_BRING_ID
+    SkipReason.BROUGHT_INCORRECT_ID -> ApiExternalCredentialSkipReason.BROUGHT_INCORRECT_ID
+    SkipReason.NO_CONSENT -> ApiExternalCredentialSkipReason.NO_CONSENT
+    SkipReason.ID_DAMAGED -> ApiExternalCredentialSkipReason.ID_DAMAGED
+    SkipReason.UNABLE_TO_SCAN -> ApiExternalCredentialSkipReason.UNABLE_TO_SCAN
+    SkipReason.OTHER -> ApiExternalCredentialSkipReason.OTHER
+}
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV2.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV2.kt
index 0475985a95..45441ef474 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV2.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV2.kt
@@ -3,6 +3,7 @@ package com.simprints.infra.eventsync.event.remote.models.callout
 import androidx.annotation.Keep
 import com.fasterxml.jackson.annotation.JsonInclude
 import com.fasterxml.jackson.annotation.JsonInclude.Include
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.infra.config.store.models.TokenKeyType
 import com.simprints.infra.events.event.domain.models.callout.ConfirmationCalloutEventV2.ConfirmationCalloutPayload
 import com.simprints.infra.events.event.domain.models.callout.EnrolmentCalloutEventV2.EnrolmentCalloutPayload
@@ -15,6 +16,7 @@ import com.simprints.infra.eventsync.event.remote.models.fromDomainToApi
 
 @Keep
 @JsonInclude(Include.NON_NULL)
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 internal data class ApiCalloutPayloadV2(
     override val startTime: ApiTimestamp,
     val callout: ApiCallout,
@@ -73,6 +75,7 @@ internal data class ApiCalloutPayloadV2(
     override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = when (tokenKeyType) {
         TokenKeyType.AttendantId -> "callout.userId"
         TokenKeyType.ModuleId -> "callout.moduleId"
+        TokenKeyType.ExternalCredential -> "callout.externalCredential"
         TokenKeyType.Unknown -> null
     }
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV3.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV3.kt
index ab9f1a7cae..373e28cd0f 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV3.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/callout/ApiCalloutPayloadV3.kt
@@ -3,6 +3,7 @@ package com.simprints.infra.eventsync.event.remote.models.callout
 import androidx.annotation.Keep
 import com.fasterxml.jackson.annotation.JsonInclude
 import com.fasterxml.jackson.annotation.JsonInclude.Include
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.infra.config.store.models.TokenKeyType
 import com.simprints.infra.events.event.domain.models.callout.ConfirmationCalloutEventV3.ConfirmationCalloutPayload
 import com.simprints.infra.events.event.domain.models.callout.EnrolmentCalloutEventV3.EnrolmentCalloutPayload
@@ -15,6 +16,7 @@ import com.simprints.infra.eventsync.event.remote.models.fromDomainToApi
 
 @Keep
 @JsonInclude(Include.NON_NULL)
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 internal data class ApiCalloutPayloadV3(
     override val startTime: ApiTimestamp,
     val callout: ApiCallout,
@@ -76,6 +78,7 @@ internal data class ApiCalloutPayloadV3(
     override fun getTokenizedFieldJsonPath(tokenKeyType: TokenKeyType): String? = when (tokenKeyType) {
         TokenKeyType.AttendantId -> "callout.userId"
         TokenKeyType.ModuleId -> "callout.moduleId"
+        TokenKeyType.ExternalCredential -> "callout.externalCredential"
         TokenKeyType.Unknown -> null
     }
 }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationPayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationPayload.kt
index 94f749f810..8a552a4a4e 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationPayload.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationPayload.kt
@@ -16,12 +16,14 @@ internal data class ApiEnrolmentRecordCreationPayload(
     val moduleId: String,
     val attendantId: String,
     val biometricReferences: List<ApiBiometricReference>?,
+    val externalCredentials: List<ApiExternalCredential>?,
 ) : ApiEnrolmentRecordEventPayload(ApiEnrolmentRecordPayloadType.EnrolmentRecordCreation)
 
 internal fun ApiEnrolmentRecordCreationPayload.fromApiToDomain() = EnrolmentRecordCreationEvent.EnrolmentRecordCreationPayload(
-    subjectId,
-    projectId,
-    moduleId.asTokenizableEncrypted(),
-    attendantId.asTokenizableEncrypted(),
-    biometricReferences?.map { it.fromApiToDomain() } ?: emptyList(),
+    subjectId = subjectId,
+    projectId = projectId,
+    moduleId = moduleId.asTokenizableEncrypted(),
+    attendantId = attendantId.asTokenizableEncrypted(),
+    biometricReferences = biometricReferences?.map { it.fromApiToDomain() } ?: emptyList(),
+    externalCredentials = externalCredentials?.map { it.fromApiToDomain(subjectId) } ?: emptyList(),
 )
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMovePayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMovePayload.kt
index 87a8b7d67a..53e5492ab7 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMovePayload.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMovePayload.kt
@@ -31,25 +31,27 @@ internal data class ApiEnrolmentRecordMovePayload(
         val moduleId: String,
         val attendantId: String,
         val biometricReferences: List<ApiBiometricReference>?,
+        val externalCredential: ApiExternalCredential?,
     )
 }
 
 internal fun ApiEnrolmentRecordMovePayload.fromApiToDomain() = EnrolmentRecordMoveEvent.EnrolmentRecordMovePayload(
     with(enrolmentRecordCreation) {
         EnrolmentRecordCreationInMove(
-            subjectId,
-            projectId,
-            moduleId.asTokenizableEncrypted(),
-            attendantId.asTokenizableEncrypted(),
-            biometricReferences?.map { it.fromApiToDomain() },
+            subjectId = subjectId,
+            projectId = projectId,
+            moduleId = moduleId.asTokenizableEncrypted(),
+            attendantId = attendantId.asTokenizableEncrypted(),
+            biometricReferences = biometricReferences?.map { it.fromApiToDomain() },
+            externalCredential = externalCredential?.fromApiToDomain(subjectId)
         )
     },
     enrolmentRecordDeletion.let {
         EnrolmentRecordDeletionInMove(
-            it.subjectId,
-            it.projectId,
-            it.moduleId.asTokenizableEncrypted(),
-            it.attendantId.asTokenizableEncrypted(),
+            subjectId = it.subjectId,
+            projectId = it.projectId,
+            moduleId = it.moduleId.asTokenizableEncrypted(),
+            attendantId = it.attendantId.asTokenizableEncrypted(),
         )
     },
 )
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdatePayload.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdatePayload.kt
index 57014fc4ef..2e972b74b0 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdatePayload.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdatePayload.kt
@@ -10,10 +10,12 @@ internal data class ApiEnrolmentRecordUpdatePayload(
     val subjectId: String,
     val biometricReferencesAdded: List<ApiBiometricReference>?,
     val biometricReferencesRemoved: List<String>?,
+    val externalCredentialsAdded: List<ApiExternalCredential>?,
 ) : ApiEnrolmentRecordEventPayload(ApiEnrolmentRecordPayloadType.EnrolmentRecordUpdate)
 
 internal fun ApiEnrolmentRecordUpdatePayload.fromApiToDomain() = EnrolmentRecordUpdateEvent.EnrolmentRecordUpdatePayload(
     subjectId,
     biometricReferencesAdded?.map { it.fromApiToDomain() }.orEmpty(),
     biometricReferencesRemoved.orEmpty(),
+    externalCredentialsAdded?.map { it.fromApiToDomain(subjectId) }.orEmpty(),
 )
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiExternalCredential.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiExternalCredential.kt
new file mode 100644
index 0000000000..e49afdded8
--- /dev/null
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiExternalCredential.kt
@@ -0,0 +1,26 @@
+package com.simprints.infra.eventsync.event.remote.models.subject
+
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
+import com.simprints.infra.config.store.remote.models.fromDomainToApi
+
+data class ApiExternalCredential(
+    val id: String,
+    val type: ApiExternalCredentialType,
+    val value: String,
+)
+
+internal fun ApiExternalCredential.fromApiToDomain(subjectId: String) = ExternalCredential(
+    id = id,
+    value = value.asTokenizableEncrypted(),
+    subjectId = subjectId,
+    type = type.toDomain(),
+)
+
+internal fun ExternalCredential.fromDomainToApi() = ApiExternalCredential(
+    id = id,
+    value = value.value,
+    type = type.fromDomainToApi(),
+)
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/common/SubjectFactory.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/common/SubjectFactory.kt
index 571b3d9b1c..9e28301c3c 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/common/SubjectFactory.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/common/SubjectFactory.kt
@@ -1,5 +1,6 @@
 package com.simprints.infra.eventsync.sync.common
 
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.tokenization.TokenizableString
@@ -32,6 +33,7 @@ class SubjectFactory @Inject constructor(
             moduleId = moduleId,
             fingerprintSamples = extractFingerprintSamplesFromBiometricReferences(this.biometricReferences),
             faceSamples = extractFaceSamplesFromBiometricReferences(this.biometricReferences),
+            externalCredentials = payload.externalCredentials,
         )
     }
 
@@ -43,6 +45,7 @@ class SubjectFactory @Inject constructor(
             moduleId = moduleId,
             fingerprintSamples = extractFingerprintSamplesFromBiometricReferences(this.biometricReferences),
             faceSamples = extractFaceSamplesFromBiometricReferences(this.biometricReferences),
+            externalCredentials = externalCredential?.let { listOf(it) } ?: emptyList(),
         )
     }
 
@@ -53,6 +56,7 @@ class SubjectFactory @Inject constructor(
         val removedBiometricReferences = payload.biometricReferencesRemoved.toSet() // to make lookup O(1)
         val addedFaceSamples = extractFaceSamplesFromBiometricReferences(payload.biometricReferencesAdded)
         val addedFingerprintSamples = extractFingerprintSamplesFromBiometricReferences(payload.biometricReferencesAdded)
+        val externalCredentialsAdded = payload.externalCredentialsAdded
 
         return existingSubject.copy(
             faceSamples = existingSubject.faceSamples
@@ -61,27 +65,30 @@ class SubjectFactory @Inject constructor(
             fingerprintSamples = existingSubject.fingerprintSamples
                 .filterNot { it.referenceId in removedBiometricReferences }
                 .plus(addedFingerprintSamples),
+            externalCredentials = existingSubject.externalCredentials
+                .plus(externalCredentialsAdded)
+                .distinctBy { it.value.value },
         )
     }
 
     fun buildSubjectFromCaptureResults(
+        subjectId: String,
         projectId: String,
         attendantId: TokenizableString,
         moduleId: TokenizableString,
         fingerprintResponse: FingerprintCaptureResult?,
         faceResponse: FaceCaptureResult?,
-    ): Subject {
-        val subjectId = UUID.randomUUID().toString()
-        return buildSubject(
-            subjectId = subjectId,
-            projectId = projectId,
-            attendantId = attendantId,
-            moduleId = moduleId,
-            createdAt = Date(timeHelper.now().ms),
-            fingerprintSamples = fingerprintResponse?.let { extractFingerprintSamples(it) }.orEmpty(),
-            faceSamples = faceResponse?.let { extractFaceSamples(it) }.orEmpty(),
-        )
-    }
+        externalCredential: ExternalCredential?,
+    ): Subject = buildSubject(
+        subjectId = subjectId,
+        projectId = projectId,
+        attendantId = attendantId,
+        moduleId = moduleId,
+        createdAt = Date(timeHelper.now().ms),
+        fingerprintSamples = fingerprintResponse?.let { extractFingerprintSamples(it) }.orEmpty(),
+        faceSamples = faceResponse?.let { extractFaceSamples(it) }.orEmpty(),
+        externalCredentials = externalCredential?.let { listOf(it) } ?: emptyList(),
+    )
 
     fun buildSubject(
         subjectId: String,
@@ -92,6 +99,7 @@ class SubjectFactory @Inject constructor(
         updatedAt: Date? = null,
         fingerprintSamples: List<FingerprintSample> = emptyList(),
         faceSamples: List<FaceSample> = emptyList(),
+        externalCredentials: List<ExternalCredential> = emptyList(),
     ) = Subject(
         subjectId = subjectId,
         projectId = projectId,
@@ -101,6 +109,7 @@ class SubjectFactory @Inject constructor(
         updatedAt = updatedAt,
         fingerprintSamples = fingerprintSamples,
         faceSamples = faceSamples,
+        externalCredentials = externalCredentials,
     )
 
     private fun extractFingerprintSamples(fingerprintResponse: FingerprintCaptureResult) =
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/down/tasks/BaseEventDownSyncTask.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/down/tasks/BaseEventDownSyncTask.kt
index 624b575778..33e7e19fa3 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/down/tasks/BaseEventDownSyncTask.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/down/tasks/BaseEventDownSyncTask.kt
@@ -42,7 +42,6 @@ internal abstract class BaseEventDownSyncTask(
     protected val timeHelper: TimeHelper,
     protected val eventRepository: EventRepository,
 ) {
-
     abstract suspend fun fetchEvents(
         operation: EventDownSyncOperation,
         scope: CoroutineScope,
@@ -277,6 +276,7 @@ internal abstract class BaseEventDownSyncTask(
                 faceSamplesToAdd = subjectFactory.extractFaceSamplesFromBiometricReferences(biometricReferencesAdded),
                 fingerprintSamplesToAdd = subjectFactory.extractFingerprintSamplesFromBiometricReferences(biometricReferencesAdded),
                 referenceIdsToRemove = biometricReferencesRemoved,
+                externalCredentialsToAdd = externalCredentialsAdded,
             ),
         )
     }
diff --git a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/up/tasks/EventUpSyncTask.kt b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/up/tasks/EventUpSyncTask.kt
index 58efb54f81..17f3964b03 100644
--- a/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/up/tasks/EventUpSyncTask.kt
+++ b/infra/event-sync/src/main/java/com/simprints/infra/eventsync/sync/up/tasks/EventUpSyncTask.kt
@@ -17,7 +17,9 @@ import com.simprints.infra.events.EventRepository
 import com.simprints.infra.events.event.domain.models.BiometricReferenceCreationEvent
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV2
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent
 import com.simprints.infra.events.event.domain.models.Event
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
 import com.simprints.infra.events.event.domain.models.PersonCreationEvent
 import com.simprints.infra.events.event.domain.models.face.FaceCaptureBiometricsEvent
 import com.simprints.infra.events.event.domain.models.fingerprint.FingerprintCaptureBiometricsEvent
@@ -334,11 +336,15 @@ internal class EventUpSyncTask @Inject constructor(
                 it is PersonCreationEvent ||
                 it is FingerprintCaptureBiometricsEvent ||
                 it is FaceCaptureBiometricsEvent ||
-                it is BiometricReferenceCreationEvent
+                it is BiometricReferenceCreationEvent ||
+                it is EnrolmentUpdateEvent ||
+                it is ExternalCredentialCaptureValueEvent
         }
 
         config.canSyncAnalyticsDataToSimprints() -> events.filterNot {
-            it is FingerprintCaptureBiometricsEvent || it is FaceCaptureBiometricsEvent
+            it is FingerprintCaptureBiometricsEvent ||
+                it is FaceCaptureBiometricsEvent ||
+                it is ExternalCredentialCaptureValueEvent
         }
 
         else -> emptyList()
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/EventValidationUtils.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/EventValidationUtils.kt
index 8d0e66f0f5..175c1de6ed 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/EventValidationUtils.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/EventValidationUtils.kt
@@ -392,7 +392,8 @@ fun validateEnrolmentEventV4ApiModel(json: JSONObject) {
         assertThat(getString("moduleId")).isNotNull()
         assertThat(getString("attendantId")).isNotNull()
         assertThat(getJSONArray("biometricReferenceIds")).isNotNull()
-        assertThat(length()).isEqualTo(6)
+        assertThat(getJSONArray("externalCredentialIds")).isNotNull()
+        assertThat(length()).isEqualTo(7)
     }
 }
 
@@ -724,4 +725,68 @@ fun validateBiometricReferenceCreationEventApiModel(json: JSONObject) {
     }
 }
 
+fun validateEnrolmentUpdateEventApiModel(json: JSONObject) {
+    validateCommonParams(json, "EnrolmentUpdate", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        assertThat(getString("subjectId")).isNotNull()
+        assertThat(getString("externalCredentialIdsToAdd")).isNotNull()
+    }
+}
+
+fun validateExternalCredentialSelectionEventApiModel(json: JSONObject) {
+    validateCommonParams(json, "ExternalCredentialSelection", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        validateTimestamp(getJSONObject("endTime"))
+        assertThat(getString("id")).isNotNull()
+        assertThat(getString("skipReason")).isNotNull()
+        assertThat(getString("skipOther")).isNotNull()
+    }
+}
+
+fun validateExternalCredentialCaptureValueEventApiModel(json: JSONObject) {
+    validateCommonParams(json, "ExternalCredentialCaptureValue", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        assertThat(getString("id")).isNotNull()
+        assertThat(getString("credential")).isNotNull()
+    }
+}
+
+fun validateExternalCredentialCaptureEventApiModel(json: JSONObject) {
+    validateCommonParams(json, "ExternalCredentialCapture", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        assertThat(getString("id")).isNotNull()
+        assertThat(getString("endTime")).isNotNull()
+        assertThat(getString("autoCaptureStartTime")).isNotNull()
+        assertThat(getString("autoCaptureEndTime")).isNotNull()
+        assertThat(getString("ocrErrorCount")).isNotNull()
+        assertThat(getString("capturedTextLength")).isNotNull()
+        assertThat(getString("credentialTextLength")).isNotNull()
+        assertThat(getString("selectionId")).isNotNull()
+    }
+}
+
+fun validateExternalCredentialSearchApiModel(json: JSONObject) {
+    validateCommonParams(json, "ExternalCredentialSearch", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        assertThat(getString("id")).isNotNull()
+        assertThat(getString("endTime")).isNotNull()
+        assertThat(getString("probeExternalCredentialId")).isNotNull()
+        assertThat(getJSONObject("result")).isNotNull()
+        assertThat(getJSONObject("result").getJSONArray("candidateIds").length()).isGreaterThan(0)
+    }
+}
+
+fun validateExternalCredentialConfirmationApiModel(json: JSONObject) {
+    validateCommonParams(json, "ExternalCredentialConfirmation", 0)
+    with(json.getJSONObject("payload")) {
+        validateTimestamp(getJSONObject("startTime"))
+        assertThat(getString("result")).isNotNull()
+    }
+}
+
 private fun <T> Array<T>.valuesAsStrings(): List<String> = this.map { it.toString() }
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2Test.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2Test.kt
index 523977bddb..de5b9695a7 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2Test.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/ApiEnrolmentPayloadV2Test.kt
@@ -14,7 +14,8 @@ class ApiEnrolmentPayloadV2Test {
             when (it) {
                 TokenKeyType.AttendantId -> assertThat(result).isEqualTo("attendantId")
                 TokenKeyType.ModuleId -> assertThat(result).isEqualTo("moduleId")
-                else -> assertThat(result).isNull()
+                TokenKeyType.ExternalCredential -> assertThat(result).isEqualTo("externalCredential")
+                TokenKeyType.Unknown -> assertThat(result).isNull()
             }
         }
     }
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationEventTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationEventTest.kt
index 72bda216d3..1456f98a7f 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationEventTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordCreationEventTest.kt
@@ -1,8 +1,11 @@
 package com.simprints.infra.eventsync.event.remote.models.subject
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
 import com.simprints.infra.events.event.domain.models.subject.EnrolmentRecordCreationEvent
 import com.simprints.infra.events.event.domain.models.subject.FingerprintReference
 import com.simprints.infra.events.event.domain.models.subject.FingerprintTemplate
@@ -14,11 +17,11 @@ class ApiEnrolmentRecordCreationEventTest {
     @Test
     fun convert_EnrolmentRecordCreationEvent() {
         val apiPayload = ApiEnrolmentRecordCreationPayload(
-            "subjectId",
-            "projectId",
-            "moduleId",
-            "attendantId",
-            listOf(
+            subjectId = "subjectId",
+            projectId = "projectId",
+            moduleId = "moduleId",
+            attendantId = "attendantId",
+            biometricReferences = listOf(
                 ApiFingerprintReference(
                     "fpRefId",
                     listOf(
@@ -27,13 +30,20 @@ class ApiEnrolmentRecordCreationEventTest {
                     "NEC_1",
                 ),
             ),
+            externalCredentials = listOf(
+                ApiExternalCredential(
+                    id = "id",
+                    type = ApiExternalCredentialType.NHIS_CARD,
+                    value = "value",
+                ),
+            ),
         )
         val expectedPayload = EnrolmentRecordCreationEvent.EnrolmentRecordCreationPayload(
-            "subjectId",
-            "projectId",
-            "moduleId".asTokenizableEncrypted(),
-            "attendantId".asTokenizableEncrypted(),
-            listOf(
+            subjectId = "subjectId",
+            projectId = "projectId",
+            moduleId = "moduleId".asTokenizableEncrypted(),
+            attendantId = "attendantId".asTokenizableEncrypted(),
+            biometricReferences = listOf(
                 FingerprintReference(
                     "fpRefId",
                     listOf(
@@ -42,6 +52,14 @@ class ApiEnrolmentRecordCreationEventTest {
                     "NEC_1",
                 ),
             ),
+            externalCredentials = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
 
         assertThat(apiPayload.fromApiToDomain()).isEqualTo(expectedPayload)
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMoveEventTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMoveEventTest.kt
index c1ae48e35e..ab91b997b3 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMoveEventTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordMoveEventTest.kt
@@ -1,8 +1,11 @@
 package com.simprints.infra.eventsync.event.remote.models.subject
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
 import com.simprints.infra.events.event.domain.models.subject.EnrolmentRecordMoveEvent
 import com.simprints.infra.events.event.domain.models.subject.FingerprintReference
 import com.simprints.infra.events.event.domain.models.subject.FingerprintTemplate
@@ -28,6 +31,11 @@ class ApiEnrolmentRecordMoveEventTest {
                         "NEC_1",
                     ),
                 ),
+                ApiExternalCredential(
+                    id = "id",
+                    value = "value",
+                    type = ApiExternalCredentialType.NHIS_CARD,
+                ),
             ),
             ApiEnrolmentRecordMovePayload.ApiEnrolmentRecordDeletionInMove(
                 "subjectId",
@@ -51,6 +59,12 @@ class ApiEnrolmentRecordMoveEventTest {
                         "NEC_1",
                     ),
                 ),
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
                 "subjectId",
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdateEventTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdateEventTest.kt
index 030c7bf493..98e24e00e4 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdateEventTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/remote/models/subject/ApiEnrolmentRecordUpdateEventTest.kt
@@ -1,7 +1,11 @@
 package com.simprints.infra.eventsync.event.remote.models.subject
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
+import com.simprints.infra.config.store.remote.models.ApiExternalCredentialType
 import com.simprints.infra.events.event.domain.models.subject.EnrolmentRecordUpdateEvent
 import com.simprints.infra.events.event.domain.models.subject.FaceReference
 import com.simprints.infra.events.event.domain.models.subject.FaceTemplate
@@ -17,8 +21,8 @@ class ApiEnrolmentRecordUpdateEventTest {
     @Test
     fun convert_EnrolmentRecordUpdateEvent() {
         val apiPayload = ApiEnrolmentRecordUpdatePayload(
-            "subjectId",
-            listOf(
+            subjectId = "subjectId",
+            biometricReferencesAdded = listOf(
                 ApiFingerprintReference(
                     "fpRefId",
                     listOf(
@@ -32,11 +36,18 @@ class ApiEnrolmentRecordUpdateEventTest {
                     "ROC_3",
                 ),
             ),
-            listOf("fpRefId2"),
+            biometricReferencesRemoved = listOf("fpRefId2"),
+            externalCredentialsAdded = listOf(
+                ApiExternalCredential(
+                    id = "id",
+                    type = ApiExternalCredentialType.NHIS_CARD,
+                    value = "value",
+                ),
+            ),
         )
         val expectedPayload = EnrolmentRecordUpdateEvent.EnrolmentRecordUpdatePayload(
-            "subjectId",
-            listOf(
+            subjectId = "subjectId",
+            biometricReferencesAdded = listOf(
                 FingerprintReference(
                     "fpRefId",
                     listOf(FingerprintTemplate("template", IFingerIdentifier.LEFT_THUMB)),
@@ -48,7 +59,15 @@ class ApiEnrolmentRecordUpdateEventTest {
                     "ROC_3",
                 ),
             ),
-            listOf("fpRefId2"),
+            biometricReferencesRemoved = listOf("fpRefId2"),
+            externalCredentialsAdded = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
 
         assertThat(apiPayload.fromApiToDomain()).isEqualTo(expectedPayload)
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventScopeToApiUseCaseTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventScopeToApiUseCaseTest.kt
index 883d28bfda..15d5550b9b 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventScopeToApiUseCaseTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventScopeToApiUseCaseTest.kt
@@ -9,14 +9,12 @@ import com.simprints.infra.events.event.domain.models.scope.EventScope
 import com.simprints.infra.events.event.domain.models.scope.EventScopePayload
 import com.simprints.infra.events.event.domain.models.scope.EventScopeType
 import com.simprints.infra.eventsync.event.remote.models.ApiEvent
-import com.simprints.infra.eventsync.event.remote.models.fromDomainToApi
 import io.mockk.*
 import io.mockk.impl.annotations.MockK
 import org.junit.Assert.assertEquals
 import org.junit.Before
 import org.junit.Test
 
-
 internal class MapDomainEventScopeToApiUseCaseTest {
     @MockK
     lateinit var mapDomainEventToApiUseCase: MapDomainEventToApiUseCase
@@ -36,7 +34,7 @@ internal class MapDomainEventScopeToApiUseCaseTest {
     fun `should map events using use case`() {
         val scope = createBlankSessionScope()
         val events = listOf(
-            mockk<Event>()
+            mockk<Event>(),
         )
         val resultEvent = mockk<ApiEvent>()
         every { mapDomainEventToApiUseCase(any(), any()) } returns resultEvent
@@ -50,7 +48,7 @@ internal class MapDomainEventScopeToApiUseCaseTest {
     fun `should map fields correctly`() {
         val scope = createBlankSessionScope()
         val events = listOf(
-            mockk<Event>()
+            mockk<Event>(),
         )
         val resultEvent = mockk<ApiEvent>()
         every { mapDomainEventToApiUseCase(any(), any()) } returns resultEvent
@@ -61,7 +59,6 @@ internal class MapDomainEventScopeToApiUseCaseTest {
             assertEquals(startTime.unixMs, scope.createdAt.ms)
             assertEquals(endTime, scope.endedAt)
         }
-
     }
 
     private fun createBlankSessionScope() = EventScope(
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventToApiUseCaseTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventToApiUseCaseTest.kt
index f7fa756e4e..294f6a4cf5 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventToApiUseCaseTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/event/usecases/MapDomainEventToApiUseCaseTest.kt
@@ -28,8 +28,14 @@ import com.simprints.infra.events.sampledata.createEnrolmentCalloutEventV2
 import com.simprints.infra.events.sampledata.createEnrolmentCalloutEventV3
 import com.simprints.infra.events.sampledata.createEnrolmentEventV2
 import com.simprints.infra.events.sampledata.createEnrolmentEventV4
+import com.simprints.infra.events.sampledata.createEnrolmentUpdateEvent
 import com.simprints.infra.events.sampledata.createEventDownSyncRequestEvent
 import com.simprints.infra.events.sampledata.createEventUpSyncRequestEvent
+import com.simprints.infra.events.sampledata.createExternalCredentialCaptureEvent
+import com.simprints.infra.events.sampledata.createExternalCredentialCaptureValueEvent
+import com.simprints.infra.events.sampledata.createExternalCredentialConfirmationEvent
+import com.simprints.infra.events.sampledata.createExternalCredentialSearchEvent
+import com.simprints.infra.events.sampledata.createExternalCredentialSelectionEvent
 import com.simprints.infra.events.sampledata.createFaceCaptureBiometricsEvent
 import com.simprints.infra.events.sampledata.createFaceCaptureConfirmationEvent
 import com.simprints.infra.events.sampledata.createFaceCaptureEvent
@@ -61,40 +67,7 @@ import com.simprints.infra.events.sampledata.createVerificationCalloutEventV2
 import com.simprints.infra.events.sampledata.createVerificationCalloutEventV3
 import com.simprints.infra.events.sampledata.createVero2InfoSnapshotEvent
 import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.AgeGroupSelection
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.AlertScreen
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Authentication
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Authorization
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.BiometricReferenceCreation
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Callback
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Callout
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.CandidateRead
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.CompletionCheck
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.ConnectivitySnapshot
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Consent
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Enrolment
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.EventDownSyncRequest
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.EventUpSyncRequest
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FaceCapture
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FaceCaptureBiometrics
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FaceCaptureConfirmation
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FaceFallbackCapture
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FaceOnboardingComplete
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FingerprintCapture
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.FingerprintCaptureBiometrics
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.GuidSelection
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.IntentParsing
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.InvalidIntent
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.LicenseCheck
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.OneToManyMatch
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.OneToOneMatch
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.PersonCreation
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Refusal
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.SampleUpSyncRequest
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.ScannerConnection
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.ScannerFirmwareUpdate
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.SuspiciousIntent
-import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.Vero2InfoSnapshot
+import com.simprints.infra.eventsync.event.remote.models.ApiEventPayloadType.*
 import com.simprints.infra.eventsync.event.validateAgeGroupSelectionEventApiModel
 import com.simprints.infra.eventsync.event.validateAlertScreenEventApiModel
 import com.simprints.infra.eventsync.event.validateAuthenticationEventApiModel
@@ -112,6 +85,12 @@ import com.simprints.infra.eventsync.event.validateConsentEventApiModel
 import com.simprints.infra.eventsync.event.validateDownSyncRequestEventApiModel
 import com.simprints.infra.eventsync.event.validateEnrolmentEventV2ApiModel
 import com.simprints.infra.eventsync.event.validateEnrolmentEventV4ApiModel
+import com.simprints.infra.eventsync.event.validateEnrolmentUpdateEventApiModel
+import com.simprints.infra.eventsync.event.validateExternalCredentialCaptureEventApiModel
+import com.simprints.infra.eventsync.event.validateExternalCredentialCaptureValueEventApiModel
+import com.simprints.infra.eventsync.event.validateExternalCredentialConfirmationApiModel
+import com.simprints.infra.eventsync.event.validateExternalCredentialSearchApiModel
+import com.simprints.infra.eventsync.event.validateExternalCredentialSelectionEventApiModel
 import com.simprints.infra.eventsync.event.validateFaceCaptureBiometricsEventApiModel
 import com.simprints.infra.eventsync.event.validateFaceCaptureConfirmationEventApiModel
 import com.simprints.infra.eventsync.event.validateFaceCaptureEventApiModel
@@ -596,6 +575,60 @@ internal class MapDomainEventToApiUseCaseTest {
         validateBiometricReferenceCreationEventApiModel(json)
     }
 
+    @Test
+    fun validate_enrolmentUpdateEventApiModel() {
+        val event = createEnrolmentUpdateEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateEnrolmentUpdateEventApiModel(json)
+    }
+
+    @Test
+    fun validate_externalCredentialSelectionEventApiModel() {
+        val event = createExternalCredentialSelectionEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateExternalCredentialSelectionEventApiModel(json)
+    }
+
+    @Test
+    fun validate_externalCredentialCaptureValueEventApiModel() {
+        val event = createExternalCredentialCaptureValueEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateExternalCredentialCaptureValueEventApiModel(json)
+    }
+
+    @Test
+    fun validate_externalCredentialCaptureEventApiModel() {
+        val event = createExternalCredentialCaptureEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateExternalCredentialCaptureEventApiModel(json)
+    }
+
+    @Test
+    fun validate_externalCredentialSearchEventApiModel() {
+        val event = createExternalCredentialSearchEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateExternalCredentialSearchApiModel(json)
+    }
+
+    @Test
+    fun validate_externalCredentialConfirmationEventApiModel() {
+        val event = createExternalCredentialConfirmationEvent()
+        val apiEvent = useCase(event, project)
+        val json = JSONObject(jackson.writeValueAsString(apiEvent))
+
+        validateExternalCredentialConfirmationApiModel(json)
+    }
+
     @Test
     fun `when event contains tokenized attendant id, then ApiEvent should contain tokenizedField`() {
         validateUserIdTokenization(attendantId = "attendantId".asTokenizableEncrypted())
@@ -698,6 +731,12 @@ internal class MapDomainEventToApiUseCaseTest {
             LicenseCheck -> validate_licenseCheckEventApiModel()
             AgeGroupSelection -> validate_ageGroupSelectionEventApiModel()
             BiometricReferenceCreation -> validate_biometricReferenceCreationEventApiModel()
+            EnrolmentUpdate -> validate_enrolmentUpdateEventApiModel()
+            ExternalCredentialSelection -> validate_externalCredentialSelectionEventApiModel()
+            ExternalCredentialCaptureValue -> validate_externalCredentialCaptureValueEventApiModel()
+            ExternalCredentialCapture -> validate_externalCredentialCaptureEventApiModel()
+            ExternalCredentialSearch -> validate_externalCredentialSearchEventApiModel()
+            ExternalCredentialConfirmation -> validate_externalCredentialConfirmationEventApiModel()
             null -> TODO()
         }.safeSealedWhens
     }
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/CommCareEventSyncTaskTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/CommCareEventSyncTaskTest.kt
index 4f2ce42871..7a44a0b38f 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/CommCareEventSyncTaskTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/CommCareEventSyncTaskTest.kt
@@ -1,7 +1,10 @@
 package com.simprints.infra.eventsync.sync.down.tasks
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.infra.config.store.models.DeviceConfiguration
@@ -57,46 +60,74 @@ class CommCareEventSyncTaskTest {
             "attendantId",
         )
         val ENROLMENT_RECORD_CREATION = EnrolmentRecordCreationEvent(
-            "subjectId",
-            "projectId",
-            "moduleId".asTokenizableRaw(),
-            "attendantId".asTokenizableRaw(),
-            listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            subjectId = "subjectId",
+            projectId = "projectId",
+            moduleId = "moduleId".asTokenizableRaw(),
+            attendantId = "attendantId".asTokenizableRaw(),
+            biometricReferences = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            externalCredentials = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
         val ENROLMENT_RECORD_MOVE_MODULE = EnrolmentRecordMoveEvent(
             EnrolmentRecordMoveEvent.EnrolmentRecordCreationInMove(
-                "subjectId",
-                "projectId",
-                DEFAULT_MODULE_ID_2,
-                "attendantId".asTokenizableRaw(),
-                listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                subjectId = "subjectId",
+                projectId = "projectId",
+                moduleId = DEFAULT_MODULE_ID_2,
+                attendantId = "attendantId".asTokenizableRaw(),
+                biometricReferences = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                externalCredential = ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
-                "subjectId",
-                "projectId",
-                DEFAULT_MODULE_ID,
-                "attendantId".asTokenizableRaw(),
+                subjectId = "subjectId",
+                projectId = "projectId",
+                moduleId = DEFAULT_MODULE_ID,
+                attendantId = "attendantId".asTokenizableRaw(),
             ),
         )
         val ENROLMENT_RECORD_MOVE_ATTENDANT = EnrolmentRecordMoveEvent(
             EnrolmentRecordMoveEvent.EnrolmentRecordCreationInMove(
-                "subjectId",
-                "projectId",
-                "moduleId".asTokenizableRaw(),
-                DEFAULT_USER_ID,
-                listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                subjectId = "subjectId",
+                projectId = "projectId",
+                moduleId = "moduleId".asTokenizableRaw(),
+                attendantId = DEFAULT_USER_ID,
+                biometricReferences = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                externalCredential = ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
-                "subjectId",
-                "projectId",
-                "moduleId".asTokenizableRaw(),
-                DEFAULT_USER_ID_2,
+                subjectId = "subjectId",
+                projectId = "projectId",
+                moduleId = "moduleId".asTokenizableRaw(),
+                attendantId = DEFAULT_USER_ID_2,
             ),
         )
         val ENROLMENT_RECORD_UPDATE = EnrolmentRecordUpdateEvent(
-            "subjectId",
-            listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
-            listOf("referenceIdToDelete"),
+            subjectId = "subjectId",
+            biometricReferencesAdded = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            biometricReferencesRemoved = listOf("referenceIdToDelete"),
+            externalCredentialsAdded = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
     }
 
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SimprintsEventDownSyncTaskTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SimprintsEventDownSyncTaskTest.kt
index d7640603ba..b7764841c9 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SimprintsEventDownSyncTaskTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SimprintsEventDownSyncTaskTest.kt
@@ -1,7 +1,10 @@
 package com.simprints.infra.eventsync.sync.down.tasks
 
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.infra.authstore.exceptions.RemoteDbNotSignedInException
@@ -11,7 +14,9 @@ import com.simprints.infra.config.sync.ConfigManager
 import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepository
 import com.simprints.infra.enrolment.records.repository.domain.models.Subject
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction
-import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction.*
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction.Creation
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction.Deletion
+import com.simprints.infra.enrolment.records.repository.domain.models.SubjectAction.Update
 import com.simprints.infra.events.EventRepository
 import com.simprints.infra.events.event.domain.models.downsync.EventDownSyncRequestEvent
 import com.simprints.infra.events.event.domain.models.scope.EventScope
@@ -37,9 +42,7 @@ import com.simprints.infra.eventsync.sync.common.SubjectFactory
 import com.simprints.infra.eventsync.sync.down.tasks.BaseEventDownSyncTask.Companion.EVENTS_BATCH_SIZE
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
 import com.simprints.testtools.unit.EncodingUtilsImplForTests
-import io.mockk.MockKAnnotations
-import io.mockk.coEvery
-import io.mockk.coVerify
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
 import kotlinx.coroutines.CancellationException
 import kotlinx.coroutines.channels.Channel
@@ -59,11 +62,19 @@ class SimprintsEventDownSyncTaskTest {
             "attendantId",
         )
         val ENROLMENT_RECORD_CREATION = EnrolmentRecordCreationEvent(
-            "subjectId",
-            "projectId",
-            "moduleId".asTokenizableRaw(),
-            "attendantId".asTokenizableRaw(),
-            listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            subjectId = "subjectId",
+            projectId = "projectId",
+            moduleId = "moduleId".asTokenizableRaw(),
+            attendantId = "attendantId".asTokenizableRaw(),
+            biometricReferences = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            externalCredentials = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
         val ENROLMENT_RECORD_MOVE_MODULE = EnrolmentRecordMoveEvent(
             EnrolmentRecordMoveEvent.EnrolmentRecordCreationInMove(
@@ -72,6 +83,12 @@ class SimprintsEventDownSyncTaskTest {
                 DEFAULT_MODULE_ID_2,
                 "attendantId".asTokenizableRaw(),
                 listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
                 "subjectId",
@@ -87,6 +104,12 @@ class SimprintsEventDownSyncTaskTest {
                 "moduleId".asTokenizableRaw(),
                 DEFAULT_USER_ID,
                 listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
                 "subjectId",
@@ -102,6 +125,12 @@ class SimprintsEventDownSyncTaskTest {
                 "moduleId".asTokenizableRaw(),
                 DEFAULT_USER_ID_2,
                 listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
             ),
             EnrolmentRecordMoveEvent.EnrolmentRecordDeletionInMove(
                 "subjectId",
@@ -111,9 +140,17 @@ class SimprintsEventDownSyncTaskTest {
             ),
         )
         val ENROLMENT_RECORD_UPDATE = EnrolmentRecordUpdateEvent(
-            "subjectId",
-            listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
-            listOf("referenceIdToDelete"),
+            subjectId = "subjectId",
+            biometricReferencesAdded = listOf(FaceReference("id", listOf(FaceTemplate("template")), "format")),
+            biometricReferencesRemoved = listOf("referenceIdToDelete"),
+            externalCredentialsAdded = listOf(
+                ExternalCredential(
+                    id = "id",
+                    value = "value".asTokenizableEncrypted(),
+                    subjectId = "subjectId",
+                    type = ExternalCredentialType.NHISCard,
+                ),
+            ),
         )
     }
 
@@ -520,6 +557,14 @@ class SimprintsEventDownSyncTaskTest {
                 faceSamples = listOf(
                     FaceSample(byteArrayOf(), "format", "referenceId"),
                 ),
+                externalCredentials = listOf(
+                    ExternalCredential(
+                        id = "id",
+                        value = "value".asTokenizableEncrypted(),
+                        subjectId = "subjectId",
+                        type = ExternalCredentialType.NHISCard,
+                    ),
+                ),
             ),
         )
 
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SubjectFactoryTest.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SubjectFactoryTest.kt
index 72b1bd1001..fc33c754b5 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SubjectFactoryTest.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/sync/down/tasks/SubjectFactoryTest.kt
@@ -1,9 +1,12 @@
 package com.simprints.infra.eventsync.sync.down.tasks
 
 import com.google.common.truth.Truth.assertThat
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.TimeHelper
 import com.simprints.core.tools.utils.EncodingUtils
@@ -62,6 +65,7 @@ class SubjectFactoryTest {
             attendantId = ATTENDANT_ID,
             moduleId = MODULE_ID,
             biometricReferences = listOf(FINGERPRINT_REFERENCE, faceReference),
+            externalCredentials = emptyList(),
         )
         val result = factory.buildSubjectFromCreationPayload(payload)
         val expected = Subject(
@@ -96,6 +100,7 @@ class SubjectFactoryTest {
             attendantId = ATTENDANT_ID,
             moduleId = MODULE_ID,
             biometricReferences = listOf(FINGERPRINT_REFERENCE, faceReference),
+            externalCredential = null,
         )
         val result = factory.buildSubjectFromMovePayload(payload)
 
@@ -156,6 +161,7 @@ class SubjectFactoryTest {
                     referenceId = "referenceId-finger-4",
                 ),
             ),
+            externalCredentials = listOf(EXTERNAL_CREDENTIAL),
         )
 
         val payload = EnrolmentRecordUpdatePayload(
@@ -178,6 +184,7 @@ class SubjectFactoryTest {
                     templates = listOf(FaceTemplate(template = BASE_64_BYTES.toString())),
                 ),
             ),
+            externalCredentialsAdded = listOf(EXTERNAL_CREDENTIAL),
         )
         val result = factory.buildSubjectFromUpdatePayload(subject, payload)
 
@@ -212,6 +219,7 @@ class SubjectFactoryTest {
                     referenceId = "referenceId-finger-6",
                 ),
             ),
+            externalCredentials = listOf(EXTERNAL_CREDENTIAL),
         )
         assertThat(result).isEqualTo(expected)
     }
@@ -241,9 +249,11 @@ class SubjectFactoryTest {
                     referenceId = REFERENCE_ID,
                 ),
             ),
+            externalCredentials = listOf(EXTERNAL_CREDENTIAL),
         )
 
         val result = factory.buildSubjectFromCaptureResults(
+            subjectId = expected.subjectId,
             projectId = expected.projectId,
             attendantId = expected.attendantId,
             moduleId = expected.moduleId,
@@ -278,6 +288,7 @@ class SubjectFactoryTest {
                     ),
                 ),
             ),
+            externalCredential = EXTERNAL_CREDENTIAL,
         )
         assertThat(result).isEqualTo(expected)
     }
@@ -304,6 +315,7 @@ class SubjectFactoryTest {
                     referenceId = REFERENCE_ID,
                 ),
             ),
+            externalCredentials = listOf(EXTERNAL_CREDENTIAL),
         )
 
         val result = factory.buildSubject(
@@ -313,6 +325,7 @@ class SubjectFactoryTest {
             moduleId = expected.moduleId,
             fingerprintSamples = expected.fingerprintSamples,
             faceSamples = expected.faceSamples,
+            externalCredentials = expected.externalCredentials,
         )
         assertThat(result).isEqualTo(expected)
     }
@@ -321,12 +334,15 @@ class SubjectFactoryTest {
         private lateinit var factory: SubjectFactory
         private const val PROJECT_ID = "projectId"
         private const val SUBJECT_ID = "subjectId"
+        private const val EXTERNAL_CREDENTIAL_ID = "credentialId"
         private val ATTENDANT_ID = "encryptedAttendantId".asTokenizableRaw()
         private val MODULE_ID = "encryptedModuleId".asTokenizableRaw()
         private val BASE_64_BYTES = byteArrayOf(1)
         private const val REFERENCE_ID = "fpRefId"
         private const val REFERENCE_FORMAT = "NEC_1"
         private const val TEMPLATE_NAME = "template"
+        private val EXTERNAL_CREDENTIAL_VALUE = "value".asTokenizableEncrypted()
+        private val EXTERNAL_CREDENTIAL_TYPE = ExternalCredentialType.NHISCard
         private val IDENTIFIER = IFingerIdentifier.LEFT_THUMB
         private const val QUALITY = 10
         private val FINGERPRINT_REFERENCE = FingerprintReference(
@@ -344,5 +360,11 @@ class SubjectFactoryTest {
             templates = listOf(FaceTemplate(TEMPLATE_NAME)),
             format = REFERENCE_FORMAT,
         )
+        private val EXTERNAL_CREDENTIAL = ExternalCredential(
+            id = EXTERNAL_CREDENTIAL_ID,
+            value = EXTERNAL_CREDENTIAL_VALUE,
+            subjectId = SUBJECT_ID,
+            type = EXTERNAL_CREDENTIAL_TYPE,
+        )
     }
 }
diff --git a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/testtools/RemoteTestingHelper.kt b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/testtools/RemoteTestingHelper.kt
index d029848cbf..0cdbe50524 100644
--- a/infra/event-sync/src/test/java/com/simprints/infra/eventsync/testtools/RemoteTestingHelper.kt
+++ b/infra/event-sync/src/test/java/com/simprints/infra/eventsync/testtools/RemoteTestingHelper.kt
@@ -18,7 +18,9 @@ internal class RemoteTestingHelper {
             ApiEventPayloadType.FingerprintCaptureBiometrics, ApiEventPayloadType.FaceCaptureBiometrics,
             ApiEventPayloadType.EventDownSyncRequest, ApiEventPayloadType.EventUpSyncRequest, ApiEventPayloadType.LicenseCheck,
             ApiEventPayloadType.AgeGroupSelection, ApiEventPayloadType.BiometricReferenceCreation, ApiEventPayloadType.SampleUpSyncRequest,
-            null,
+            ApiEventPayloadType.EnrolmentUpdate, ApiEventPayloadType.ExternalCredentialSelection,
+            ApiEventPayloadType.ExternalCredentialCaptureValue, ApiEventPayloadType.ExternalCredentialCapture,
+            ApiEventPayloadType.ExternalCredentialSearch, ApiEventPayloadType.ExternalCredentialConfirmation, null,
             -> {
                 // ADD TEST FOR NEW EVENT IN THIS CLASS
             }
diff --git a/infra/events/build.gradle.kts b/infra/events/build.gradle.kts
index d2474f9214..6243555bd0 100644
--- a/infra/events/build.gradle.kts
+++ b/infra/events/build.gradle.kts
@@ -10,6 +10,7 @@ android {
 dependencies {
     implementation(project(":infra:config-store"))
     implementation(project(":infra:auth-store"))
+    implementation(project(":infra:credential-store"))
 
     implementation(libs.jackson.core)
 
diff --git a/infra/events/src/debug/java/com/simprints/infra/events/sampledata/EventFactoryUtils.kt b/infra/events/src/debug/java/com/simprints/infra/events/sampledata/EventFactoryUtils.kt
index b12eb638f4..17925d2d93 100644
--- a/infra/events/src/debug/java/com/simprints/infra/events/sampledata/EventFactoryUtils.kt
+++ b/infra/events/src/debug/java/com/simprints/infra/events/sampledata/EventFactoryUtils.kt
@@ -27,8 +27,15 @@ import com.simprints.infra.events.event.domain.models.ConsentEvent.ConsentPayloa
 import com.simprints.infra.events.event.domain.models.ConsentEvent.ConsentPayload.Type.INDIVIDUAL
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV2
 import com.simprints.infra.events.event.domain.models.EnrolmentEventV4
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent
 import com.simprints.infra.events.event.domain.models.Event
 import com.simprints.infra.events.event.domain.models.EventType
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.ExternalCredentialConfirmationResult
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSearchEvent
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent
 import com.simprints.infra.events.event.domain.models.FingerComparisonStrategy
 import com.simprints.infra.events.event.domain.models.GuidSelectionEvent
 import com.simprints.infra.events.event.domain.models.IntentParsingEvent
@@ -87,12 +94,14 @@ import com.simprints.infra.events.event.domain.models.scope.EventScopeType
 import com.simprints.infra.events.event.domain.models.scope.Location
 import com.simprints.infra.events.event.domain.models.upsync.EventUpSyncRequestEvent
 import com.simprints.infra.events.sampledata.SampleDefaults.CREATED_AT
+import com.simprints.infra.events.sampledata.SampleDefaults.CREDENTIAL_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_BIOMETRIC_DATA_SOURCE
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_METADATA
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_MODULE_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_PROJECT_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_USER_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.ENDED_AT
+import com.simprints.infra.events.sampledata.SampleDefaults.EXTERNAL_CREDENTIAL
 import com.simprints.infra.events.sampledata.SampleDefaults.GUID1
 import com.simprints.infra.events.sampledata.SampleDefaults.GUID2
 
@@ -378,6 +387,7 @@ fun createEnrolmentEventV4() = EnrolmentEventV4(
     DEFAULT_MODULE_ID,
     DEFAULT_USER_ID,
     listOf(GUID1, GUID2),
+    listOf(CREDENTIAL_ID),
 )
 
 fun createFingerprintCaptureEvent() = FingerprintCaptureEvent(
@@ -531,3 +541,48 @@ fun createBiometricReferenceCreationEvent() = BiometricReferenceCreationEvent(
     modality = BiometricReferenceCreationEvent.BiometricReferenceModality.FACE,
     captureIds = listOf(GUID1, GUID2),
 )
+
+fun createEnrolmentUpdateEvent() = EnrolmentUpdateEvent(
+    createdAt = CREATED_AT,
+    subjectId = GUID1,
+    externalCredentialIdsToAdd = listOf(CREDENTIAL_ID),
+)
+
+fun createExternalCredentialSelectionEvent() = ExternalCredentialSelectionEvent(
+    createdAt = CREATED_AT,
+    endedAt = CREATED_AT,
+    skipReason = ExternalCredentialSelectionEvent.SkipReason.OTHER,
+    skipOther = DEFAULT_METADATA,
+)
+
+fun createExternalCredentialCaptureValueEvent() = ExternalCredentialCaptureValueEvent(
+    createdAt = CREATED_AT,
+    payloadId = CREDENTIAL_ID,
+    credential = EXTERNAL_CREDENTIAL,
+)
+
+fun createExternalCredentialCaptureEvent() = ExternalCredentialCaptureEvent(
+    startTime = CREATED_AT,
+    payloadId = CREDENTIAL_ID,
+    endTime = CREATED_AT,
+    autoCaptureStartTime = CREATED_AT,
+    autoCaptureEndTime = CREATED_AT,
+    ocrErrorCount = 0,
+    capturedTextLength = 0,
+    credentialTextLength = 0,
+    selectionId = GUID1,
+)
+
+fun createExternalCredentialSearchEvent() = ExternalCredentialSearchEvent(
+    createdAt = CREATED_AT,
+    endedAt = CREATED_AT,
+    probeExternalCredentialId = GUID1,
+    candidateIds = listOf(GUID1, GUID2),
+)
+
+fun createExternalCredentialConfirmationEvent() = ExternalCredentialConfirmationEvent(
+    createdAt = CREATED_AT,
+    endedAt = CREATED_AT,
+    result = ExternalCredentialConfirmationResult.CONTINUE,
+    userInteractedWithImage = true,
+)
diff --git a/infra/events/src/debug/java/com/simprints/infra/events/sampledata/SampleDefaults.kt b/infra/events/src/debug/java/com/simprints/infra/events/sampledata/SampleDefaults.kt
index 677831bd2d..7a349d360f 100644
--- a/infra/events/src/debug/java/com/simprints/infra/events/sampledata/SampleDefaults.kt
+++ b/infra/events/src/debug/java/com/simprints/infra/events/sampledata/SampleDefaults.kt
@@ -1,6 +1,9 @@
 package com.simprints.infra.events.sampledata
 
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.modality.Modes
+import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.core.domain.tokenization.asTokenizableRaw
 import com.simprints.core.tools.time.Timestamp
 import com.simprints.infra.events.event.domain.models.callout.BiometricDataSource
@@ -28,4 +31,13 @@ object SampleDefaults {
     val TIME1 = System.currentTimeMillis()
 
     val DEFAULT_MODES = listOf(Modes.FINGERPRINT)
+    const val CREDENTIAL_ID = "CREDENTIAL_ID"
+    val CREDENTIAL_TYPE = ExternalCredentialType.NHISCard
+    val CREDENTIAL_VALUE = "CREDENTIAL_VALUE".asTokenizableEncrypted()
+    val EXTERNAL_CREDENTIAL = ExternalCredential(
+        id = CREDENTIAL_ID,
+        value = CREDENTIAL_VALUE,
+        subjectId = GUID1,
+        type = CREDENTIAL_TYPE,
+    )
 }
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/cosync/CoSyncEnrolmentRecordCreationEventDeserializer.kt b/infra/events/src/main/java/com/simprints/infra/events/event/cosync/CoSyncEnrolmentRecordCreationEventDeserializer.kt
index e3fc850615..df5939165b 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/cosync/CoSyncEnrolmentRecordCreationEventDeserializer.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/cosync/CoSyncEnrolmentRecordCreationEventDeserializer.kt
@@ -50,11 +50,13 @@ class CoSyncEnrolmentRecordCreationEventDeserializer :
         return EnrolmentRecordCreationEvent(
             id,
             EnrolmentRecordCreationEvent.EnrolmentRecordCreationPayload(
-                subjectId,
-                projectId,
-                moduleId,
-                attendantId,
-                biometricReferences,
+                subjectId = subjectId,
+                projectId = projectId,
+                moduleId = moduleId,
+                attendantId = attendantId,
+                biometricReferences = biometricReferences,
+                // TODO [CORE-3421] Update when CoSync supports external credentials (MfID)
+                externalCredentials = emptyList()
             ),
         )
     }
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4.kt
index 01cb57dc1f..a223c54076 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4.kt
@@ -22,6 +22,7 @@ data class EnrolmentEventV4(
         moduleId: TokenizableString,
         attendantId: TokenizableString,
         biometricReferenceIds: List<String>,
+        externalCredentialIds: List<String>,
     ) : this(
         UUID.randomUUID().toString(),
         EnrolmentPayload(
@@ -32,6 +33,7 @@ data class EnrolmentEventV4(
             moduleId = moduleId,
             attendantId = attendantId,
             biometricReferenceIds = biometricReferenceIds,
+            externalCredentialIds = externalCredentialIds,
         ),
         ENROLMENT_V4,
     )
@@ -57,6 +59,7 @@ data class EnrolmentEventV4(
         val moduleId: TokenizableString,
         val attendantId: TokenizableString,
         val biometricReferenceIds: List<String>,
+        val externalCredentialIds: List<String>,
         override val endedAt: Timestamp? = null,
         override val type: EventType = ENROLMENT_V4,
     ) : EventPayload() {
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentUpdateEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentUpdateEvent.kt
new file mode 100644
index 0000000000..f7d0c6aeb4
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EnrolmentUpdateEvent.kt
@@ -0,0 +1,50 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_UPDATE
+import java.util.UUID
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+data class EnrolmentUpdateEvent(
+    override val id: String = UUID.randomUUID().toString(),
+    override val payload: EnrolmentUpdatePayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        createdAt: Timestamp,
+        subjectId: String,
+        externalCredentialIdsToAdd: List<String>,
+    ) : this(
+        UUID.randomUUID().toString(),
+        EnrolmentUpdatePayload(createdAt, EVENT_VERSION, subjectId, externalCredentialIdsToAdd),
+        ENROLMENT_UPDATE,
+    )
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = emptyMap()
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this // No tokenized fields
+
+    @Keep
+    @ExcludedFromGeneratedTestCoverageReports("Data struct")
+    data class EnrolmentUpdatePayload(
+        override val createdAt: Timestamp,
+        override val eventVersion: Int,
+        val subjectId: String,
+        val externalCredentialIdsToAdd: List<String>,
+        override val endedAt: Timestamp? = null,
+        override val type: EventType = ENROLMENT_UPDATE,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "subjectId: $subjectId, credentials: $externalCredentialIdsToAdd"
+    }
+
+    companion object Companion {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/Event.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/Event.kt
index 66119a3c73..0846658873 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/Event.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/Event.kt
@@ -30,10 +30,16 @@ import com.simprints.infra.events.event.domain.models.EventType.Companion.CANDID
 import com.simprints.infra.events.event.domain.models.EventType.Companion.COMPLETION_CHECK_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.CONNECTIVITY_SNAPSHOT_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.CONSENT_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.ENROLMENT_UPDATE_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.ENROLMENT_V2_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.ENROLMENT_V4_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.EVENT_DOWN_SYNC_REQUEST_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.EVENT_UP_SYNC_REQUEST_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.EXTERNAL_CREDENTIAL_CAPTURE_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.EXTERNAL_CREDENTIAL_CAPTURE_VALUE_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.EXTERNAL_CREDENTIAL_CONFIRMATION_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.EXTERNAL_CREDENTIAL_SEARCH_KEY
+import com.simprints.infra.events.event.domain.models.EventType.Companion.EXTERNAL_CREDENTIAL_SELECTION_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.FACE_CAPTURE_BIOMETRICS_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.FACE_CAPTURE_CONFIRMATION_KEY
 import com.simprints.infra.events.event.domain.models.EventType.Companion.FACE_CAPTURE_KEY
@@ -137,6 +143,12 @@ import com.simprints.infra.events.event.domain.models.upsync.EventUpSyncRequestE
     JsonSubTypes.Type(value = AgeGroupSelectionEvent::class, name = AGE_GROUP_SELECTION_KEY),
     JsonSubTypes.Type(value = BiometricReferenceCreationEvent::class, name = BIOMETRIC_REFERENCE_CREATION_KEY),
     JsonSubTypes.Type(value = SampleUpSyncRequestEvent::class, name = SAMPLE_UP_SYNC_REQUEST),
+    JsonSubTypes.Type(value = EnrolmentUpdateEvent::class, name = ENROLMENT_UPDATE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialSelectionEvent::class, name = EXTERNAL_CREDENTIAL_SELECTION_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialCaptureValueEvent::class, name = EXTERNAL_CREDENTIAL_CAPTURE_VALUE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialCaptureEvent::class, name = EXTERNAL_CREDENTIAL_CAPTURE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialSearchEvent::class, name = EXTERNAL_CREDENTIAL_SEARCH_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialConfirmationEvent::class, name = EXTERNAL_CREDENTIAL_CONFIRMATION_KEY),
 )
 abstract class Event {
     abstract val id: String
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventPayload.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventPayload.kt
index 9cd815e5f1..2ce01dac51 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventPayload.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventPayload.kt
@@ -12,7 +12,13 @@ import com.simprints.infra.events.event.domain.models.CandidateReadEvent.Candida
 import com.simprints.infra.events.event.domain.models.CompletionCheckEvent.CompletionCheckPayload
 import com.simprints.infra.events.event.domain.models.ConnectivitySnapshotEvent.ConnectivitySnapshotPayload
 import com.simprints.infra.events.event.domain.models.ConsentEvent.ConsentPayload
+import com.simprints.infra.events.event.domain.models.EnrolmentUpdateEvent.EnrolmentUpdatePayload
 import com.simprints.infra.events.event.domain.models.EventType.Companion
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureEvent.ExternalCredentialCapturePayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialCaptureValueEvent.ExternalCredentialCaptureValuePayload
+import com.simprints.infra.events.event.domain.models.ExternalCredentialConfirmationEvent.*
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSearchEvent.*
+import com.simprints.infra.events.event.domain.models.ExternalCredentialSelectionEvent.*
 import com.simprints.infra.events.event.domain.models.GuidSelectionEvent.GuidSelectionPayload
 import com.simprints.infra.events.event.domain.models.IntentParsingEvent.IntentParsingPayload
 import com.simprints.infra.events.event.domain.models.InvalidIntentEvent.InvalidIntentPayload
@@ -115,6 +121,12 @@ import com.simprints.infra.events.event.domain.models.upsync.EventUpSyncRequestE
     JsonSubTypes.Type(value = AgeGroupSelectionPayload::class, name = Companion.AGE_GROUP_SELECTION_KEY),
     JsonSubTypes.Type(value = BiometricReferenceCreationPayload::class, name = Companion.BIOMETRIC_REFERENCE_CREATION_KEY),
     JsonSubTypes.Type(value = SampleUpSyncRequestPayload::class, name = Companion.SAMPLE_UP_SYNC_REQUEST),
+    JsonSubTypes.Type(value = EnrolmentUpdatePayload::class, name = Companion.ENROLMENT_UPDATE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialSelectionPayload::class, name = Companion.EXTERNAL_CREDENTIAL_SELECTION_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialCaptureValuePayload::class, name = Companion.EXTERNAL_CREDENTIAL_CAPTURE_VALUE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialCapturePayload::class, name = Companion.EXTERNAL_CREDENTIAL_CAPTURE_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialSearchPayload::class, name = Companion.EXTERNAL_CREDENTIAL_SEARCH_KEY),
+    JsonSubTypes.Type(value = ExternalCredentialConfirmationPayload::class, name = Companion.EXTERNAL_CREDENTIAL_CONFIRMATION_KEY),
 )
 abstract class EventPayload {
     abstract val type: EventType
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventType.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventType.kt
index 505b0b4a88..f40f370c22 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventType.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/EventType.kt
@@ -154,6 +154,24 @@ enum class EventType {
 
     // key added: BIOMETRIC_REFERENCE_CREATION_KEY
     BIOMETRIC_REFERENCE_CREATION,
+
+    // key added: ENROLMENT_UPDATE_KEY
+    ENROLMENT_UPDATE,
+
+    // key added: EXTERNAL_CREDENTIAL_CAPTURE_KEY
+    EXTERNAL_CREDENTIAL_CAPTURE,
+
+    // key added: EXTERNAL_CREDENTIAL_SELECTION_KEY
+    EXTERNAL_CREDENTIAL_SELECTION,
+
+    // key added: EXTERNAL_CREDENTIAL_CAPTURE_VALUE_KEY
+    EXTERNAL_CREDENTIAL_CAPTURE_VALUE,
+
+    // key added: EXTERNAL_CREDENTIAL_SEARCH_KEY
+    EXTERNAL_CREDENTIAL_SEARCH,
+
+    // key added: EXTERNAL_CREDENTIAL_CONFIRMATION_KEY
+    EXTERNAL_CREDENTIAL_CONFIRMATION,
     ;
 
     companion object {
@@ -206,5 +224,11 @@ enum class EventType {
         const val LICENSE_CHECK_KEY = "LICENSE_CHECK"
         const val AGE_GROUP_SELECTION_KEY = "AGE_GROUP_SELECTION"
         const val BIOMETRIC_REFERENCE_CREATION_KEY = "BIOMETRIC_REFERENCE_CREATION"
+        const val ENROLMENT_UPDATE_KEY = "ENROLMENT_UPDATE"
+        const val EXTERNAL_CREDENTIAL_SELECTION_KEY = "EXTERNAL_CREDENTIAL_SELECTION"
+        const val EXTERNAL_CREDENTIAL_CAPTURE_KEY = "EXTERNAL_CREDENTIAL_CAPTURE"
+        const val EXTERNAL_CREDENTIAL_CAPTURE_VALUE_KEY = "EXTERNAL_CREDENTIAL_CAPTURE_VALUE"
+        const val EXTERNAL_CREDENTIAL_SEARCH_KEY = "EXTERNAL_CREDENTIAL_SEARCH"
+        const val EXTERNAL_CREDENTIAL_CONFIRMATION_KEY = "EXTERNAL_CREDENTIAL_CONFIRMATION"
     }
 }
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureEvent.kt
new file mode 100644
index 0000000000..5701decf3f
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureEvent.kt
@@ -0,0 +1,73 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE
+import java.util.UUID
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+data class ExternalCredentialCaptureEvent(
+    override val id: String = UUID.randomUUID().toString(),
+    override val payload: ExternalCredentialCapturePayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        startTime: Timestamp,
+        endTime: Timestamp,
+        payloadId: String,
+        autoCaptureStartTime: Timestamp,
+        autoCaptureEndTime: Timestamp,
+        ocrErrorCount: Int,
+        capturedTextLength: Int,
+        credentialTextLength: Int,
+        selectionId: String,
+    ) : this(
+        id = UUID.randomUUID().toString(),
+        payload = ExternalCredentialCapturePayload(
+            createdAt = startTime,
+            eventVersion = EVENT_VERSION,
+            id = payloadId,
+            endedAt = endTime,
+            autoCaptureStartTime = autoCaptureStartTime,
+            autoCaptureEndTime = autoCaptureEndTime,
+            ocrErrorCount = ocrErrorCount,
+            capturedTextLength = capturedTextLength,
+            credentialTextLength = credentialTextLength,
+            selectionId = selectionId,
+        ),
+        type = EXTERNAL_CREDENTIAL_CAPTURE,
+    )
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = emptyMap()
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this // No tokenized field
+
+    @Keep
+    @ExcludedFromGeneratedTestCoverageReports("Data struct")
+    data class ExternalCredentialCapturePayload(
+        override val createdAt: Timestamp,
+        override val eventVersion: Int,
+        val id: String,
+        val autoCaptureStartTime: Timestamp,
+        val autoCaptureEndTime: Timestamp,
+        val ocrErrorCount: Int,
+        val capturedTextLength: Int,
+        val credentialTextLength: Int,
+        val selectionId: String,
+        override val endedAt: Timestamp? = null,
+        override val type: EventType = EXTERNAL_CREDENTIAL_CAPTURE,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "capture ID: $id, ocrErrors: $ocrErrorCount, captured text length: $capturedTextLength" +
+            "credential length: $credentialTextLength, selection id: $selectionId"
+    }
+
+    companion object {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureValueEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureValueEvent.kt
new file mode 100644
index 0000000000..14634e64e0
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialCaptureValueEvent.kt
@@ -0,0 +1,65 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_CAPTURE_VALUE
+import java.util.UUID
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data struct")
+data class ExternalCredentialCaptureValueEvent(
+    override val id: String = UUID.randomUUID().toString(),
+    override val payload: ExternalCredentialCaptureValuePayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        createdAt: Timestamp,
+        payloadId: String,
+        credential: ExternalCredential,
+    ) : this(
+        id = UUID.randomUUID().toString(),
+        payload = ExternalCredentialCaptureValuePayload(
+            createdAt = createdAt,
+            eventVersion = EVENT_VERSION,
+            id = payloadId,
+            credential = credential,
+        ),
+        type = EXTERNAL_CREDENTIAL_CAPTURE_VALUE,
+    )
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = mapOf(
+        TokenKeyType.ExternalCredential to payload.credential.value,
+    )
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this.copy(
+        payload = payload.copy(
+            credential = payload.credential.copy(
+                value = map[TokenKeyType.ExternalCredential] as? TokenizableString.Tokenized
+                    ?: payload.credential.value,
+            ),
+        ),
+    )
+
+    @Keep
+    @ExcludedFromGeneratedTestCoverageReports("Data struct")
+    data class ExternalCredentialCaptureValuePayload(
+        override val createdAt: Timestamp,
+        override val eventVersion: Int,
+        val id: String,
+        val credential: ExternalCredential,
+        override val endedAt: Timestamp? = null,
+        override val type: EventType = EXTERNAL_CREDENTIAL_CAPTURE_VALUE,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "id $id, credential: $credential"
+    }
+
+    companion object {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialConfirmationEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialConfirmationEvent.kt
new file mode 100644
index 0000000000..09b4b0cc97
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialConfirmationEvent.kt
@@ -0,0 +1,59 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.core.tools.utils.randomUUID
+import com.simprints.infra.config.store.models.TokenKeyType
+
+@Keep
+data class ExternalCredentialConfirmationEvent(
+    override val id: String = randomUUID(),
+    override val payload: ExternalCredentialConfirmationPayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        createdAt: Timestamp,
+        endedAt: Timestamp,
+        result: ExternalCredentialConfirmationResult,
+        userInteractedWithImage: Boolean? = null,
+    ) : this(
+        id = randomUUID(),
+        payload = ExternalCredentialConfirmationPayload(
+            createdAt = createdAt,
+            endedAt = endedAt,
+            eventVersion = EVENT_VERSION,
+            result = result,
+            userInteractedWithImage = userInteractedWithImage,
+        ),
+        type = EventType.EXTERNAL_CREDENTIAL_CONFIRMATION,
+    )
+
+    @Keep
+    data class ExternalCredentialConfirmationPayload(
+        override val createdAt: Timestamp,
+        override val endedAt: Timestamp? = null,
+        override val eventVersion: Int,
+        val result: ExternalCredentialConfirmationResult,
+        val userInteractedWithImage: Boolean?,
+        override val type: EventType = EventType.EXTERNAL_CREDENTIAL_CONFIRMATION,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "result: $result"
+    }
+
+    @Keep
+    enum class ExternalCredentialConfirmationResult {
+        CONTINUE,
+        RECAPTURE,
+    }
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = emptyMap()
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this // No tokenized field
+
+    companion object {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSearchEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSearchEvent.kt
new file mode 100644
index 0000000000..f5f30a1130
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSearchEvent.kt
@@ -0,0 +1,64 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.core.tools.utils.randomUUID
+import com.simprints.infra.config.store.models.TokenKeyType
+import com.simprints.infra.events.event.domain.models.EventType.EXTERNAL_CREDENTIAL_SEARCH
+
+@Keep
+data class ExternalCredentialSearchEvent(
+    override val id: String = randomUUID(),
+    override val payload: ExternalCredentialSearchPayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        id: String = randomUUID(),
+        createdAt: Timestamp,
+        endedAt: Timestamp,
+        probeExternalCredentialId: String,
+        candidateIds: List<String>,
+    ) : this(
+        id = id,
+        payload = ExternalCredentialSearchPayload(
+            id = id,
+            createdAt = createdAt,
+            endedAt = endedAt,
+            eventVersion = EVENT_VERSION,
+            probeExternalCredentialId = probeExternalCredentialId,
+            result = ExternalCredentialSearchResult(
+                candidateIds = candidateIds,
+            ),
+        ),
+        type = EXTERNAL_CREDENTIAL_SEARCH,
+    )
+
+    @Keep
+    data class ExternalCredentialSearchPayload(
+        override val createdAt: Timestamp,
+        override val endedAt: Timestamp? = null,
+        override val eventVersion: Int,
+        val id: String,
+        val probeExternalCredentialId: String,
+        val result: ExternalCredentialSearchResult,
+        override val type: EventType = EXTERNAL_CREDENTIAL_SEARCH,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "results: $result, probe ID: $probeExternalCredentialId"
+    }
+
+    @Keep
+    data class ExternalCredentialSearchResult(
+        val candidateIds: List<String>,
+    )
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = emptyMap()
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this // No tokenized field
+
+    companion object {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSelectionEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSelectionEvent.kt
new file mode 100644
index 0000000000..60e0efa838
--- /dev/null
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/ExternalCredentialSelectionEvent.kt
@@ -0,0 +1,96 @@
+package com.simprints.infra.events.event.domain.models
+
+import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import com.simprints.core.tools.time.Timestamp
+import com.simprints.core.tools.utils.randomUUID
+import com.simprints.infra.config.store.models.TokenKeyType
+
+@Keep
+data class ExternalCredentialSelectionEvent(
+    override val id: String = randomUUID(),
+    override val payload: ExternalCredentialSelectionPayload,
+    override val type: EventType,
+    override var scopeId: String? = null,
+    override var projectId: String? = null,
+) : Event() {
+    constructor(
+        createdAt: Timestamp,
+        endedAt: Timestamp,
+        credentialType: ExternalCredentialType,
+    ) : this(
+        createdAt = createdAt,
+        endedAt = endedAt,
+        credentialType = credentialType,
+        skipReason = null,
+        skipOther = null,
+    )
+
+    constructor(
+        createdAt: Timestamp,
+        endedAt: Timestamp,
+        skipReason: SkipReason,
+        skipOther: String?,
+    ) : this(
+        createdAt = createdAt,
+        endedAt = endedAt,
+        credentialType = null,
+        skipReason = skipReason,
+        skipOther = skipOther.takeIf { skipReason == SkipReason.OTHER },
+    )
+
+    constructor(
+        id: String = randomUUID(),
+        createdAt: Timestamp,
+        endedAt: Timestamp,
+        credentialType: ExternalCredentialType?,
+        skipReason: SkipReason?,
+        skipOther: String?,
+    ) : this(
+        id = id,
+        payload = ExternalCredentialSelectionPayload(
+            createdAt = createdAt,
+            endedAt = endedAt,
+            eventVersion = EVENT_VERSION,
+            id = id,
+            credentialType = credentialType,
+            skipReason = skipReason,
+            skipOther = skipOther,
+        ),
+        type = EventType.EXTERNAL_CREDENTIAL_SELECTION,
+    )
+
+    @Keep
+    data class ExternalCredentialSelectionPayload(
+        override val createdAt: Timestamp,
+        override val endedAt: Timestamp? = null,
+        override val eventVersion: Int,
+        val id: String,
+        val credentialType: ExternalCredentialType?,
+        val skipReason: SkipReason?,
+        val skipOther: String?,
+        override val type: EventType = EventType.EXTERNAL_CREDENTIAL_SELECTION,
+    ) : EventPayload() {
+        override fun toSafeString(): String = "credentialType: $credentialType, skipReason: $skipReason, skipOther: $skipOther"
+    }
+
+    @Keep
+    enum class SkipReason {
+        DOES_NOT_HAVE_ID,
+        DID_NOT_BRING_ID,
+        BROUGHT_INCORRECT_ID,
+        NO_CONSENT,
+        ID_DAMAGED,
+        UNABLE_TO_SCAN,
+        OTHER,
+    }
+
+    override fun getTokenizableFields(): Map<TokenKeyType, TokenizableString> = emptyMap()
+
+    override fun setTokenizedFields(map: Map<TokenKeyType, TokenizableString>) = this // No tokenized field
+
+    companion object {
+        const val EVENT_VERSION = 0
+    }
+}
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordCreationEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordCreationEvent.kt
index e583230b9b..3e17b20424 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordCreationEvent.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordCreationEvent.kt
@@ -1,6 +1,8 @@
 package com.simprints.infra.events.event.domain.models.subject
 
 import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.face.FaceSample
 import com.simprints.core.domain.fingerprint.FingerprintSample
 import com.simprints.core.domain.tokenization.TokenizableString
@@ -8,6 +10,7 @@ import com.simprints.core.tools.utils.EncodingUtils
 import java.util.UUID
 
 @Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 data class EnrolmentRecordCreationEvent(
     override val id: String,
     val payload: EnrolmentRecordCreationPayload,
@@ -18,14 +21,16 @@ data class EnrolmentRecordCreationEvent(
         moduleId: TokenizableString,
         attendantId: TokenizableString,
         biometricReferences: List<BiometricReference>,
+        externalCredentials: List<ExternalCredential>,
     ) : this(
         UUID.randomUUID().toString(),
         EnrolmentRecordCreationPayload(
-            subjectId,
-            projectId,
-            moduleId,
-            attendantId,
-            biometricReferences,
+            subjectId = subjectId,
+            projectId = projectId,
+            moduleId = moduleId,
+            attendantId = attendantId,
+            biometricReferences = biometricReferences,
+            externalCredentials = externalCredentials,
         ),
     )
 
@@ -36,6 +41,7 @@ data class EnrolmentRecordCreationEvent(
         val moduleId: TokenizableString,
         val attendantId: TokenizableString,
         val biometricReferences: List<BiometricReference>,
+        val externalCredentials: List<ExternalCredential>
     )
 
     companion object {
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordMoveEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordMoveEvent.kt
index 32dcd17da6..21392b5452 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordMoveEvent.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordMoveEvent.kt
@@ -1,6 +1,7 @@
 package com.simprints.infra.events.event.domain.models.subject
 
 import androidx.annotation.Keep
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import com.simprints.core.domain.tokenization.TokenizableString
 import java.util.UUID
 
@@ -35,5 +36,6 @@ data class EnrolmentRecordMoveEvent(
         val moduleId: TokenizableString,
         val attendantId: TokenizableString,
         val biometricReferences: List<BiometricReference>?,
+        val externalCredential: ExternalCredential?,
     )
 }
diff --git a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordUpdateEvent.kt b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordUpdateEvent.kt
index 4ca63c97f8..af513be965 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordUpdateEvent.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/event/domain/models/subject/EnrolmentRecordUpdateEvent.kt
@@ -1,9 +1,12 @@
 package com.simprints.infra.events.event.domain.models.subject
 
 import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import java.util.UUID
 
 @Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
 data class EnrolmentRecordUpdateEvent(
     override val id: String,
     val payload: EnrolmentRecordUpdatePayload,
@@ -12,12 +15,14 @@ data class EnrolmentRecordUpdateEvent(
         subjectId: String,
         biometricReferencesAdded: List<BiometricReference>,
         biometricReferencesRemoved: List<String>,
+        externalCredentialsAdded: List<ExternalCredential>,
     ) : this(
         UUID.randomUUID().toString(),
         EnrolmentRecordUpdatePayload(
-            subjectId,
-            biometricReferencesAdded,
-            biometricReferencesRemoved,
+            subjectId = subjectId,
+            biometricReferencesAdded = biometricReferencesAdded,
+            biometricReferencesRemoved = biometricReferencesRemoved,
+            externalCredentialsAdded = externalCredentialsAdded,
         ),
     )
 
@@ -26,5 +31,6 @@ data class EnrolmentRecordUpdateEvent(
         val subjectId: String,
         val biometricReferencesAdded: List<BiometricReference>,
         val biometricReferencesRemoved: List<String>,
+        val externalCredentialsAdded: List<ExternalCredential>,
     )
 }
diff --git a/infra/events/src/main/java/com/simprints/infra/events/session/SessionEventRepositoryImpl.kt b/infra/events/src/main/java/com/simprints/infra/events/session/SessionEventRepositoryImpl.kt
index aec3b4149e..8ba99ea1ea 100644
--- a/infra/events/src/main/java/com/simprints/infra/events/session/SessionEventRepositoryImpl.kt
+++ b/infra/events/src/main/java/com/simprints/infra/events/session/SessionEventRepositoryImpl.kt
@@ -1,5 +1,6 @@
 package com.simprints.infra.events.session
 
+import com.simprints.infra.credential.store.CredentialImageRepository
 import com.simprints.infra.events.EventRepository
 import com.simprints.infra.events.event.domain.models.Event
 import com.simprints.infra.events.event.domain.models.scope.EventScope
@@ -15,6 +16,7 @@ import javax.inject.Singleton
 internal class SessionEventRepositoryImpl @Inject constructor(
     private val eventRepository: EventRepository,
     private val sessionDataCache: SessionDataCache,
+    private val credentialImageRepository: CredentialImageRepository,
 ) : SessionEventRepository {
     private val eventsLock = Mutex()
 
@@ -66,6 +68,7 @@ internal class SessionEventRepositoryImpl @Inject constructor(
 
     override suspend fun closeCurrentSession(reason: EventScopeEndCause?) = withLockedContext {
         eventRepository.closeEventScope(getCurrentScopeInternal(), reason)
+        credentialImageRepository.deleteAllCredentialScans()
         sessionDataCache.eventCache.clear()
         sessionDataCache.eventScope = null
     }
diff --git a/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4Test.kt b/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4Test.kt
index 15c7bf54be..ac1c2d986c 100644
--- a/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4Test.kt
+++ b/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EnrolmentEventV4Test.kt
@@ -3,9 +3,11 @@ package com.simprints.infra.events.event.domain.models
 import com.google.common.truth.Truth.assertThat
 import com.simprints.infra.events.event.domain.models.EventType.ENROLMENT_V4
 import com.simprints.infra.events.sampledata.SampleDefaults.CREATED_AT
+import com.simprints.infra.events.sampledata.SampleDefaults.CREDENTIAL_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_MODULE_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_PROJECT_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_USER_ID
+import com.simprints.infra.events.sampledata.SampleDefaults.EXTERNAL_CREDENTIAL
 import com.simprints.infra.events.sampledata.SampleDefaults.GUID1
 import com.simprints.infra.events.sampledata.SampleDefaults.GUID2
 import org.junit.Test
@@ -20,6 +22,7 @@ class EnrolmentEventV4Test {
             DEFAULT_MODULE_ID,
             DEFAULT_USER_ID,
             listOf(GUID2),
+            listOf(CREDENTIAL_ID),
         )
 
         assertThat(event.id).isNotNull()
diff --git a/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EventPayloadTest.kt b/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EventPayloadTest.kt
index 6e1391fc34..ac441a3c13 100644
--- a/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EventPayloadTest.kt
+++ b/infra/events/src/test/java/com/simprints/infra/events/event/domain/models/EventPayloadTest.kt
@@ -43,6 +43,7 @@ import com.simprints.infra.events.event.domain.models.fingerprint.FingerprintCap
 import com.simprints.infra.events.event.domain.models.fingerprint.FingerprintCaptureEvent
 import com.simprints.infra.events.sampledata.FACE_TEMPLATE_FORMAT
 import com.simprints.infra.events.sampledata.SampleDefaults.CREATED_AT
+import com.simprints.infra.events.sampledata.SampleDefaults.CREDENTIAL_ID
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_BIOMETRIC_DATA_SOURCE
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_METADATA
 import com.simprints.infra.events.sampledata.SampleDefaults.DEFAULT_MODULE_ID
@@ -217,6 +218,7 @@ class EventPayloadTest {
             moduleId = DEFAULT_MODULE_ID,
             attendantId = DEFAULT_USER_ID,
             biometricReferenceIds = listOf(GUID1, GUID2),
+            externalCredentialIds = listOf(CREDENTIAL_ID),
         ),
         GuidSelectionEvent(CREATED_AT, GUID1),
         IntentParsingEvent(CREATED_AT, COMMCARE),
diff --git a/infra/events/src/test/java/com/simprints/infra/events/event/local/migrations/EventMigrationTest.kt b/infra/events/src/test/java/com/simprints/infra/events/event/local/migrations/EventMigrationTest.kt
index 8410831378..13f3e1e9f1 100644
--- a/infra/events/src/test/java/com/simprints/infra/events/event/local/migrations/EventMigrationTest.kt
+++ b/infra/events/src/test/java/com/simprints/infra/events/event/local/migrations/EventMigrationTest.kt
@@ -47,7 +47,7 @@ class EventMigrationTest {
             }
             close()
         }
-        val db = helper.runMigrationsAndValidate(TEST_DB, 14, true, *ALL_MIGRATIONS)
+        val db = helper.runMigrationsAndValidate(TEST_DB, 16, true, *ALL_MIGRATIONS)
         db.query("SELECT * FROM $TABLE_NAME").use { cursor ->
             while (cursor.moveToNext()) {
                 val eventJson = cursor.getStringWithColumnName("eventJson")!!
@@ -112,6 +112,7 @@ class EventMigrationTest {
             EventMigration12to13(),
             EventMigration13to14(),
             EventMigration14to15(),
+            EventMigration15to16(),
         )
         val tokenizeSerializationModule = SimpleModule().apply {
             addSerializer(TokenizableString::class.java, TokenizationClassNameSerializer())
diff --git a/infra/events/src/test/java/com/simprints/infra/events/event/local/models/DbEventTest.kt b/infra/events/src/test/java/com/simprints/infra/events/event/local/models/DbEventTest.kt
index e210fda3c2..886e5b7868 100644
--- a/infra/events/src/test/java/com/simprints/infra/events/event/local/models/DbEventTest.kt
+++ b/infra/events/src/test/java/com/simprints/infra/events/event/local/models/DbEventTest.kt
@@ -320,4 +320,44 @@ class DbEventTest {
 
         assertThat(original).isEqualTo(transformed)
     }
+
+    @Test
+    fun convert_ExternalCredentialSelectionEvent() {
+        val original = createExternalCredentialSelectionEvent()
+        val transformed = original.fromDomainToDb().fromDbToDomain()
+
+        assertThat(original).isEqualTo(transformed)
+    }
+
+    @Test
+    fun convert_ExternalCredentialCaptureEvent() {
+        val original = createExternalCredentialCaptureEvent()
+        val transformed = original.fromDomainToDb().fromDbToDomain()
+
+        assertThat(original).isEqualTo(transformed)
+    }
+
+    @Test
+    fun convert_ExternalCredentialCaptureValueEvent() {
+        val original = createExternalCredentialCaptureValueEvent()
+        val transformed = original.fromDomainToDb().fromDbToDomain()
+
+        assertThat(original).isEqualTo(transformed)
+    }
+
+    @Test
+    fun convert_ExternalCredentialSearchEvent() {
+        val original = createExternalCredentialSearchEvent()
+        val transformed = original.fromDomainToDb().fromDbToDomain()
+
+        assertThat(original).isEqualTo(transformed)
+    }
+
+    @Test
+    fun convert_ExternalCredentialConfirmationEvent() {
+        val original = createExternalCredentialConfirmationEvent()
+        val transformed = original.fromDomainToDb().fromDbToDomain()
+
+        assertThat(original).isEqualTo(transformed)
+    }
 }
diff --git a/infra/events/src/test/java/com/simprints/infra/events/session/SessionEventRepositoryImplTest.kt b/infra/events/src/test/java/com/simprints/infra/events/session/SessionEventRepositoryImplTest.kt
index 4b87f68411..9070cbcbe5 100644
--- a/infra/events/src/test/java/com/simprints/infra/events/session/SessionEventRepositoryImplTest.kt
+++ b/infra/events/src/test/java/com/simprints/infra/events/session/SessionEventRepositoryImplTest.kt
@@ -1,18 +1,15 @@
 package com.simprints.infra.events.session
 
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
 import com.simprints.core.tools.time.Timestamp
+import com.simprints.infra.credential.store.CredentialImageRepository
 import com.simprints.infra.events.EventRepository
 import com.simprints.infra.events.event.domain.models.scope.EventScope
 import com.simprints.infra.events.event.domain.models.scope.EventScopeType
 import com.simprints.infra.events.sampledata.createEventWithSessionId
 import com.simprints.infra.events.sampledata.createSessionScope
-import io.mockk.MockKAnnotations
-import io.mockk.coEvery
-import io.mockk.coVerify
-import io.mockk.every
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.mockk
 import kotlinx.coroutines.test.runTest
 import org.junit.Before
 import org.junit.Test
@@ -24,6 +21,9 @@ internal class SessionEventRepositoryImplTest {
     @MockK
     private lateinit var sessionDataCache: SessionDataCache
 
+    @MockK
+    private lateinit var credentialImageRepository: CredentialImageRepository
+
     private lateinit var sessionEventRepository: SessionEventRepositoryImpl
 
     @Before
@@ -32,8 +32,9 @@ internal class SessionEventRepositoryImplTest {
         sessionDataCache = SessionDataCache()
 
         sessionEventRepository = SessionEventRepositoryImpl(
-            eventRepository,
-            sessionDataCache,
+            eventRepository = eventRepository,
+            sessionDataCache = sessionDataCache,
+            credentialImageRepository = credentialImageRepository,
         )
     }
 
@@ -210,6 +211,7 @@ internal class SessionEventRepositoryImplTest {
 
         sessionEventRepository.closeCurrentSession(null)
 
+        coVerify { credentialImageRepository.deleteAllCredentialScans() }
         coVerify { eventRepository.closeEventScope(any<EventScope>(), null) }
         assertThat(sessionDataCache.eventScope).isNull()
         assertThat(sessionDataCache.eventCache).isEmpty()
diff --git a/infra/events/src/test/resources/all-events/enrolment_update_v0.json b/infra/events/src/test/resources/all-events/enrolment_update_v0.json
new file mode 100644
index 0000000000..7be0dc2c77
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/enrolment_update_v0.json
@@ -0,0 +1,14 @@
+{
+  "id": "f9cb378f-eb6d-4c6f-86e8-c1621c7e2ddd",
+  "type": "ENROLMENT_UPDATE",
+  "payload": {
+    "type": "ENROLMENT_UPDATE",
+    "eventVersion": 0,
+    "subjectId": "9aa64aff-46b5-4ab4-90b5-82c0e6d9725f",
+    "createdAt": 1078967890,
+    "endedAt": 0,
+    "externalCredentialIdsToAdd": [
+      "dbc27bdb-cab3-463e-9004-68065e05f812"
+    ]
+  }
+}
diff --git a/infra/events/src/test/resources/all-events/enrolment_v4.json b/infra/events/src/test/resources/all-events/enrolment_v4.json
index d4b3824cf1..976b1a39ee 100644
--- a/infra/events/src/test/resources/all-events/enrolment_v4.json
+++ b/infra/events/src/test/resources/all-events/enrolment_v4.json
@@ -23,6 +23,9 @@
     },
     "biometricReferenceIds": [
       "94828488-47ce-4c76-8ace-33d69b2a6d75"
+    ],
+    "externalCredentialIds": [
+      "dbc27bdb-cab3-463e-9004-68065e05f812"
     ]
   }
 }
diff --git a/infra/events/src/test/resources/all-events/external_credential_capture_v0.json b/infra/events/src/test/resources/all-events/external_credential_capture_v0.json
new file mode 100644
index 0000000000..f976af861e
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/external_credential_capture_v0.json
@@ -0,0 +1,27 @@
+{
+  "id": "f9cb378f-eb6d-4c6f-86e8-c1621c7e2d12",
+  "type": "EXTERNAL_CREDENTIAL_CAPTURE",
+  "payload": {
+    "type": "EXTERNAL_CREDENTIAL_CAPTURE",
+    "id": "dbc27bdb-cab3-463e-9004-68065e05f8ab",
+    "createdAt": 178967890,
+    "autoCaptureStartTime": {
+      "ms": 178967890,
+      "isTrustworthy": false,
+      "msSinceBoot": null
+    },
+    "autoCaptureEndTime": {
+      "ms": 178967891,
+      "isTrustworthy": false,
+      "msSinceBoot": null
+    },
+    "endedAt": 178967891,
+    "ocrErrorCount": 0,
+    "capturedTextLength": 0,
+    "credentialTextLength": 0,
+    "selectionId": "dbc27bdb-cab3-463e-9004-68065e05f8ec",
+    "externalCredentialIdsToAdd": [
+      "dbc27bdb-cab3-463e-9004-68065e05f812"
+    ]
+  }
+}
diff --git a/infra/events/src/test/resources/all-events/external_credential_capture_value_v0.json b/infra/events/src/test/resources/all-events/external_credential_capture_value_v0.json
new file mode 100644
index 0000000000..4ebb8bf667
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/external_credential_capture_value_v0.json
@@ -0,0 +1,19 @@
+{
+  "id": "f9cb378f-eb6d-4c6f-86e8-c1621c7e2d34",
+  "type": "EXTERNAL_CREDENTIAL_CAPTURE_VALUE",
+  "payload": {
+    "type": "EXTERNAL_CREDENTIAL_CAPTURE_VALUE",
+    "id": "dbc27bdb-cab3-463e-9004-68065e05f8ec",
+    "createdAt": 1078967890,
+    "endedAt": 0,
+    "credential": {
+      "id": "dbc27bdb-cab3-463e-9004-68065e05f812",
+      "value": {
+        "className": "TokenizableString.Tokenized",
+        "value": "value"
+      },
+      "subjectId": "9aa64aff-46b5-4ab4-90b5-82c0e6d9725f",
+      "type": "NHISCard"
+    }
+  }
+}
diff --git a/infra/events/src/test/resources/all-events/external_credential_confirmation_v0.json b/infra/events/src/test/resources/all-events/external_credential_confirmation_v0.json
new file mode 100644
index 0000000000..812e515b67
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/external_credential_confirmation_v0.json
@@ -0,0 +1,12 @@
+{
+  "id": "0c78469d-15fe-4a65-8e0c-698f996ed115",
+  "type": "EXTERNAL_CREDENTIAL_CONFIRMATION",
+  "payload": {
+    "type": "EXTERNAL_CREDENTIAL_CONFIRMATION",
+    "id": "dbc27bdb-cab3-463e-9004-68065e05f8ab",
+    "createdAt": 178967890,
+    "endedAt": 178967891,
+    "result": "CONTINUE",
+    "userInteractedWithImage": true
+  }
+}
diff --git a/infra/events/src/test/resources/all-events/external_credential_search_v0.json b/infra/events/src/test/resources/all-events/external_credential_search_v0.json
new file mode 100644
index 0000000000..62e22f9f24
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/external_credential_search_v0.json
@@ -0,0 +1,17 @@
+{
+  "id": "18baadd9-e67f-44af-bc04-de3279591f1f",
+  "type": "EXTERNAL_CREDENTIAL_SEARCH",
+  "payload": {
+    "type": "EXTERNAL_CREDENTIAL_SEARCH",
+    "id": "dbc27bdb-cab3-463e-9004-68065e05f8ab",
+    "createdAt": 178967890,
+    "endedAt": 178967891,
+    "result": {
+      "candidateIds": [
+        "c12345a9-4b6d-4a3f-bb5c-82f7f9a6d2c1",
+        "a98765c2-1234-4ef8-9abc-3e8a5f1b2e77"
+      ]
+    },
+    "probeExternalCredentialId": "e1f5c9d7-3a6b-47c9-bd6a-8f1c2e4a5b33"
+  }
+}
diff --git a/infra/events/src/test/resources/all-events/external_credential_selection_v0.json b/infra/events/src/test/resources/all-events/external_credential_selection_v0.json
new file mode 100644
index 0000000000..bda4c2715a
--- /dev/null
+++ b/infra/events/src/test/resources/all-events/external_credential_selection_v0.json
@@ -0,0 +1,21 @@
+{
+  "id": "2aae55d8-e679-49bb-99d4-53c13792a31c",
+  "type": "EXTERNAL_CREDENTIAL_SELECTION",
+  "payload": {
+    "type": "EXTERNAL_CREDENTIAL_SELECTION",
+    "id": "2aae55d8-e679-49bb-99d4-53c13792a31c",
+    "createdAt": 178967890,
+    "autoCaptureStartTime": {
+      "ms": 178967890,
+      "isTrustworthy": false,
+      "msSinceBoot": null
+    },
+    "autoCaptureEndTime": {
+      "ms": 178967891,
+      "isTrustworthy": false,
+      "msSinceBoot": null
+    },
+    "endedAt": 178967891,
+    "skipReason": "NO_CONSENT"
+  }
+}
diff --git a/infra/logging/src/main/java/com/simprints/infra/logging/LoggingConstants.kt b/infra/logging/src/main/java/com/simprints/infra/logging/LoggingConstants.kt
index 9039eb5c8b..852dcaf5ac 100644
--- a/infra/logging/src/main/java/com/simprints/infra/logging/LoggingConstants.kt
+++ b/infra/logging/src/main/java/com/simprints/infra/logging/LoggingConstants.kt
@@ -51,6 +51,7 @@ object LoggingConstants {
         SAMPLE_UPLOAD,
         APPLICATION,
         COMMCARE_SYNC,
+        MULTI_FACTOR_ID,
     }
 
     // Tags eligible for Firebase Analytics logging
diff --git a/infra/matching/.gitignore b/infra/matching/.gitignore
new file mode 100644
index 0000000000..796b96d1c4
--- /dev/null
+++ b/infra/matching/.gitignore
@@ -0,0 +1 @@
+/build
diff --git a/infra/matching/README.md b/infra/matching/README.md
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/infra/matching/build.gradle.kts b/infra/matching/build.gradle.kts
new file mode 100644
index 0000000000..6d93bcfa4c
--- /dev/null
+++ b/infra/matching/build.gradle.kts
@@ -0,0 +1,21 @@
+plugins {
+    id("simprints.feature")
+}
+
+android {
+    namespace = "com.simprints.infra.mathching"
+}
+
+dependencies {
+
+    implementation(project(":infra:orchestrator-data"))
+    implementation(project(":infra:enrolment-records:repository"))
+    implementation(project(":infra:events"))
+    implementation(project(":infra:config-store"))
+    implementation(project(":infra:config-sync"))
+
+    implementation(project(":face:infra:bio-sdk-resolver"))
+
+    implementation(project(":fingerprint:infra:bio-sdk"))
+    implementation(project(":infra:auth-store"))
+}
diff --git a/infra/matching/src/main/AndroidManifest.xml b/infra/matching/src/main/AndroidManifest.xml
new file mode 100644
index 0000000000..e100076157
--- /dev/null
+++ b/infra/matching/src/main/AndroidManifest.xml
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest>
+
+</manifest>
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/MatchBatchInfo.kt b/infra/matching/src/main/java/com/simprints/infra/matching/MatchBatchInfo.kt
similarity index 86%
rename from feature/matcher/src/main/java/com/simprints/matcher/MatchBatchInfo.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/MatchBatchInfo.kt
index 1255722ed8..41ade6ca98 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/MatchBatchInfo.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/MatchBatchInfo.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher
+package com.simprints.infra.matching
 
 import com.simprints.core.tools.time.Timestamp
 
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/MatchParams.kt b/infra/matching/src/main/java/com/simprints/infra/matching/MatchParams.kt
similarity index 98%
rename from feature/matcher/src/main/java/com/simprints/matcher/MatchParams.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/MatchParams.kt
index 56df8746ba..5d32f1b864 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/MatchParams.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/MatchParams.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher
+package com.simprints.infra.matching
 
 import androidx.annotation.Keep
 import com.simprints.core.domain.common.FlowType
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/MatchResult.kt b/infra/matching/src/main/java/com/simprints/infra/matching/MatchResult.kt
similarity index 96%
rename from feature/matcher/src/main/java/com/simprints/matcher/MatchResult.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/MatchResult.kt
index 17748a9494..6cf595c3eb 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/MatchResult.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/MatchResult.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher
+package com.simprints.infra.matching
 
 import androidx.annotation.Keep
 import com.simprints.core.domain.step.StepResult
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/CreateRangesUseCase.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/CreateRangesUseCase.kt
similarity index 94%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/CreateRangesUseCase.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/CreateRangesUseCase.kt
index dd1ed5f129..ffc6f68db6 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/CreateRangesUseCase.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/CreateRangesUseCase.kt
@@ -1,10 +1,10 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.simprints.core.AvailableProcessors
 import javax.inject.Inject
 import kotlin.math.ceil
 
-internal class CreateRangesUseCase @Inject constructor(
+class CreateRangesUseCase @Inject constructor(
     @AvailableProcessors private val availableProcessors: Int,
 ) {
     /**
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/FaceMatcherUseCase.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/FaceMatcherUseCase.kt
similarity index 94%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/FaceMatcherUseCase.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/FaceMatcherUseCase.kt
index b48b050260..227e4de282 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/FaceMatcherUseCase.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/FaceMatcherUseCase.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.simprints.core.DispatcherBG
 import com.simprints.core.tools.time.TimeHelper
@@ -12,10 +12,10 @@ import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepositor
 import com.simprints.infra.enrolment.records.repository.domain.models.IdentityBatch
 import com.simprints.infra.logging.LoggingConstants
 import com.simprints.infra.logging.Simber
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.MatchBatchInfo
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.usecases.MatcherUseCase.MatcherState
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.usecase.MatcherUseCase.MatcherState
 import kotlinx.coroutines.CoroutineDispatcher
 import kotlinx.coroutines.channels.ReceiveChannel
 import kotlinx.coroutines.flow.Flow
@@ -25,7 +25,7 @@ import java.util.concurrent.atomic.AtomicInteger
 import javax.inject.Inject
 import com.simprints.infra.enrolment.records.repository.domain.models.FaceIdentity as DomainFaceIdentity
 
-internal class FaceMatcherUseCase @Inject constructor(
+class FaceMatcherUseCase @Inject constructor(
     private val timeHelper: TimeHelper,
     private val enrolmentRecordRepository: EnrolmentRecordRepository,
     private val resolveFaceBioSdk: ResolveFaceBioSdkUseCase,
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/FingerprintMatcherUseCase.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCase.kt
similarity index 96%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/FingerprintMatcherUseCase.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCase.kt
index a6a4bdc93d..0a48bbc1c1 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/FingerprintMatcherUseCase.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCase.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.simprints.core.DispatcherBG
 import com.simprints.core.domain.common.FlowType
@@ -17,10 +17,10 @@ import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepositor
 import com.simprints.infra.enrolment.records.repository.domain.models.IdentityBatch
 import com.simprints.infra.logging.LoggingConstants
 import com.simprints.infra.logging.Simber
-import com.simprints.matcher.FingerprintMatchResult
-import com.simprints.matcher.MatchBatchInfo
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.usecases.MatcherUseCase.MatcherState
+import com.simprints.infra.matching.FingerprintMatchResult
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.usecase.MatcherUseCase.MatcherState
 import kotlinx.coroutines.CoroutineDispatcher
 import kotlinx.coroutines.channels.ReceiveChannel
 import kotlinx.coroutines.flow.Flow
@@ -30,7 +30,7 @@ import java.util.concurrent.atomic.AtomicInteger
 import javax.inject.Inject
 import com.simprints.infra.enrolment.records.repository.domain.models.FingerprintIdentity as DomainFingerprintIdentity
 
-internal class FingerprintMatcherUseCase @Inject constructor(
+class FingerprintMatcherUseCase @Inject constructor(
     private val timeHelper: TimeHelper,
     private val enrolmentRecordRepository: EnrolmentRecordRepository,
     private val resolveBioSdkWrapper: ResolveBioSdkWrapperUseCase,
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/MatchResultSet.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatchResultSet.kt
similarity index 92%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/MatchResultSet.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatchResultSet.kt
index 928d028397..f0129ff06f 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/MatchResultSet.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatchResultSet.kt
@@ -1,12 +1,12 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
-import com.simprints.matcher.MatchResultItem
+import com.simprints.infra.matching.MatchResultItem
 import java.util.concurrent.ConcurrentSkipListSet
 import java.util.concurrent.atomic.AtomicReference
 import java.util.concurrent.locks.ReentrantLock
 import kotlin.concurrent.withLock
 
-internal class MatchResultSet<T : MatchResultItem>(
+class MatchResultSet<T : MatchResultItem>(
     private val maxSize: Int = MAX_RESULTS,
 ) {
     private val lowestConfidence = AtomicReference(0f)
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/MatcherUseCase.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatcherUseCase.kt
similarity index 80%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/MatcherUseCase.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatcherUseCase.kt
index 0633a13940..061a39fc4c 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/MatcherUseCase.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/MatcherUseCase.kt
@@ -1,13 +1,13 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.simprints.infra.config.store.models.Project
 import com.simprints.infra.logging.LoggingConstants
-import com.simprints.matcher.MatchBatchInfo
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.MatchResultItem
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.MatchResultItem
 import kotlinx.coroutines.flow.Flow
 
-internal interface MatcherUseCase {
+interface MatcherUseCase {
     val crashReportTag: LoggingConstants.CrashReportTag
 
     /**
diff --git a/feature/matcher/src/main/java/com/simprints/matcher/usecases/SaveMatchEventUseCase.kt b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCase.kt
similarity index 95%
rename from feature/matcher/src/main/java/com/simprints/matcher/usecases/SaveMatchEventUseCase.kt
rename to infra/matching/src/main/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCase.kt
index ee20206b99..b223d97f03 100644
--- a/feature/matcher/src/main/java/com/simprints/matcher/usecases/SaveMatchEventUseCase.kt
+++ b/infra/matching/src/main/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCase.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.simprints.core.SessionCoroutineScope
 import com.simprints.core.domain.common.FlowType
@@ -11,15 +11,15 @@ import com.simprints.infra.events.event.domain.models.MatchEntry
 import com.simprints.infra.events.event.domain.models.OneToManyMatchEvent
 import com.simprints.infra.events.event.domain.models.OneToOneMatchEvent
 import com.simprints.infra.events.session.SessionEventRepository
-import com.simprints.matcher.MatchBatchInfo
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.MatchResultItem
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
+import com.simprints.infra.matching.MatchResultItem
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
 import javax.inject.Inject
 import com.simprints.infra.config.store.models.FingerprintConfiguration.FingerComparisonStrategy as ConfigFingerComparisonStrategy
 
-internal class SaveMatchEventUseCase @Inject constructor(
+class SaveMatchEventUseCase @Inject constructor(
     private val eventRepository: SessionEventRepository,
     private val configManager: ConfigManager,
     @SessionCoroutineScope private val sessionCoroutineScope: CoroutineScope,
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/usecases/CreateRangesUseCaseTest.kt b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/CreateRangesUseCaseTest.kt
similarity index 99%
rename from feature/matcher/src/test/java/com/simprints/matcher/usecases/CreateRangesUseCaseTest.kt
rename to infra/matching/src/test/java/com/simprints/infra/matching/usecase/CreateRangesUseCaseTest.kt
index e0b73d2a98..594e6329c8 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/usecases/CreateRangesUseCaseTest.kt
+++ b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/CreateRangesUseCaseTest.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import com.google.common.truth.Truth.assertThat
 import org.junit.Test
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/usecases/FaceMatcherUseCaseTest.kt b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/FaceMatcherUseCaseTest.kt
similarity index 97%
rename from feature/matcher/src/test/java/com/simprints/matcher/usecases/FaceMatcherUseCaseTest.kt
rename to infra/matching/src/test/java/com/simprints/infra/matching/usecase/FaceMatcherUseCaseTest.kt
index aaae5e3212..941c902404 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/usecases/FaceMatcherUseCaseTest.kt
+++ b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/FaceMatcherUseCaseTest.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import androidx.arch.core.executor.testing.InstantTaskExecutorRule
 import com.google.common.truth.Truth.*
@@ -13,8 +13,8 @@ import com.simprints.infra.enrolment.records.repository.EnrolmentRecordRepositor
 import com.simprints.infra.enrolment.records.repository.domain.models.BiometricDataSource
 import com.simprints.infra.enrolment.records.repository.domain.models.FaceIdentity
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.MatchParams
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.MatchParams
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
 import io.mockk.*
 import io.mockk.impl.annotations.MockK
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/usecases/FingerprintMatcherUseCaseTest.kt b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCaseTest.kt
similarity index 98%
rename from feature/matcher/src/test/java/com/simprints/matcher/usecases/FingerprintMatcherUseCaseTest.kt
rename to infra/matching/src/test/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCaseTest.kt
index f59f4a05a9..f11bfacf83 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/usecases/FingerprintMatcherUseCaseTest.kt
+++ b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/FingerprintMatcherUseCaseTest.kt
@@ -1,4 +1,4 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
 import androidx.arch.core.executor.testing.InstantTaskExecutorRule
 import com.google.common.truth.Truth.*
@@ -17,7 +17,7 @@ import com.simprints.infra.enrolment.records.repository.domain.models.BiometricD
 import com.simprints.infra.enrolment.records.repository.domain.models.FingerprintIdentity
 import com.simprints.infra.enrolment.records.repository.domain.models.IdentityBatch
 import com.simprints.infra.enrolment.records.repository.domain.models.SubjectQuery
-import com.simprints.matcher.MatchParams
+import com.simprints.infra.matching.MatchParams
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
 import io.mockk.*
 import io.mockk.impl.annotations.MockK
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/usecases/MatchResultSetTest.kt b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/MatchResultSetTest.kt
similarity index 97%
rename from feature/matcher/src/test/java/com/simprints/matcher/usecases/MatchResultSetTest.kt
rename to infra/matching/src/test/java/com/simprints/infra/matching/usecase/MatchResultSetTest.kt
index ef37f711e7..3a89c730b3 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/usecases/MatchResultSetTest.kt
+++ b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/MatchResultSetTest.kt
@@ -1,7 +1,7 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
-import com.google.common.truth.Truth.assertThat
-import com.simprints.matcher.FingerprintMatchResult
+import com.google.common.truth.Truth.*
+import com.simprints.infra.matching.FingerprintMatchResult
 import org.junit.Test
 import java.util.concurrent.CountDownLatch
 import java.util.concurrent.Executors
diff --git a/feature/matcher/src/test/java/com/simprints/matcher/usecases/SaveMatchEventUseCaseTest.kt b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCaseTest.kt
similarity index 97%
rename from feature/matcher/src/test/java/com/simprints/matcher/usecases/SaveMatchEventUseCaseTest.kt
rename to infra/matching/src/test/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCaseTest.kt
index dd27c90068..ae84096e7c 100644
--- a/feature/matcher/src/test/java/com/simprints/matcher/usecases/SaveMatchEventUseCaseTest.kt
+++ b/infra/matching/src/test/java/com/simprints/infra/matching/usecase/SaveMatchEventUseCaseTest.kt
@@ -1,6 +1,6 @@
-package com.simprints.matcher.usecases
+package com.simprints.infra.matching.usecase
 
-import com.google.common.truth.Truth.assertThat
+import com.google.common.truth.Truth.*
 import com.simprints.core.domain.common.FlowType
 import com.simprints.core.domain.fingerprint.IFingerIdentifier
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
@@ -15,16 +15,12 @@ import com.simprints.infra.events.event.domain.models.OneToManyMatchEvent.OneToM
 import com.simprints.infra.events.event.domain.models.OneToOneMatchEvent
 import com.simprints.infra.events.event.domain.models.OneToOneMatchEvent.OneToOneMatchPayload.OneToOneMatchPayloadV4
 import com.simprints.infra.events.session.SessionEventRepository
-import com.simprints.matcher.FaceMatchResult
-import com.simprints.matcher.MatchParams
-import com.simprints.matcher.MatchBatchInfo
+import com.simprints.infra.matching.FaceMatchResult
+import com.simprints.infra.matching.MatchBatchInfo
+import com.simprints.infra.matching.MatchParams
 import com.simprints.testtools.common.coroutines.TestCoroutineRule
-import io.mockk.MockKAnnotations
-import io.mockk.Runs
-import io.mockk.coEvery
-import io.mockk.coVerify
+import io.mockk.*
 import io.mockk.impl.annotations.MockK
-import io.mockk.just
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.test.runTest
 import org.junit.Before
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/ActionResponse.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/ActionResponse.kt
index 3d386746f5..cbb24033ad 100644
--- a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/ActionResponse.kt
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/ActionResponse.kt
@@ -2,6 +2,7 @@ package com.simprints.infra.orchestration.data
 
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.core.domain.response.AppErrorReason
+import com.simprints.infra.orchestration.data.responses.AppExternalCredential
 import com.simprints.infra.orchestration.data.responses.AppMatchResult
 
 @ExcludedFromGeneratedTestCoverageReports("Data struct")
@@ -15,6 +16,7 @@ sealed class ActionResponse(
         override val sessionId: String,
         val enrolledGuid: String,
         val subjectActions: String?,
+        val externalCredential: AppExternalCredential?,
     ) : ActionResponse(actionIdentifier, sessionId)
 
     @ExcludedFromGeneratedTestCoverageReports("Data struct")
@@ -22,6 +24,7 @@ sealed class ActionResponse(
         override val actionIdentifier: ActionRequestIdentifier,
         override val sessionId: String,
         val identifications: List<AppMatchResult>,
+        val isMultiFactorIdEnabled: Boolean,
     ) : ActionResponse(actionIdentifier, sessionId)
 
     @ExcludedFromGeneratedTestCoverageReports("Data struct")
@@ -29,6 +32,7 @@ sealed class ActionResponse(
         override val actionIdentifier: ActionRequestIdentifier,
         override val sessionId: String,
         val confirmed: Boolean,
+        val externalCredential: AppExternalCredential?,
     ) : ActionResponse(actionIdentifier, sessionId)
 
     @ExcludedFromGeneratedTestCoverageReports("Data struct")
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppConfirmationResponse.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppConfirmationResponse.kt
index 7391f2ad9d..19617e57cc 100644
--- a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppConfirmationResponse.kt
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppConfirmationResponse.kt
@@ -2,6 +2,7 @@ package com.simprints.infra.orchestration.data.responses
 
 import androidx.annotation.Keep
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import kotlinx.parcelize.Parcelize
 
 @Keep
@@ -9,4 +10,5 @@ import kotlinx.parcelize.Parcelize
 @ExcludedFromGeneratedTestCoverageReports("Data struct")
 data class AppConfirmationResponse(
     val identificationOutcome: Boolean,
+    val externalCredential: ExternalCredential?,
 ) : AppResponse()
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppEnrolResponse.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppEnrolResponse.kt
index 2c1d01f877..66b04f4032 100644
--- a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppEnrolResponse.kt
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppEnrolResponse.kt
@@ -2,6 +2,7 @@ package com.simprints.infra.orchestration.data.responses
 
 import androidx.annotation.Keep
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredential
 import kotlinx.parcelize.Parcelize
 
 @Keep
@@ -9,4 +10,5 @@ import kotlinx.parcelize.Parcelize
 @ExcludedFromGeneratedTestCoverageReports("Data struct")
 data class AppEnrolResponse(
     val guid: String,
+    val externalCredential: ExternalCredential?,
 ) : AppResponse()
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppExternalCredential.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppExternalCredential.kt
new file mode 100644
index 0000000000..532a536dd4
--- /dev/null
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppExternalCredential.kt
@@ -0,0 +1,15 @@
+package com.simprints.infra.orchestration.data.responses
+
+import androidx.annotation.Keep
+import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
+import com.simprints.core.domain.tokenization.TokenizableString
+import java.io.Serializable
+
+@Keep
+@ExcludedFromGeneratedTestCoverageReports("Data class")
+data class AppExternalCredential(
+    val id: String,
+    val value: TokenizableString.Raw,
+    val type: ExternalCredentialType,
+) : Serializable
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppIdentifyResponse.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppIdentifyResponse.kt
index a9f348697e..6b22f9f81a 100644
--- a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppIdentifyResponse.kt
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppIdentifyResponse.kt
@@ -10,4 +10,5 @@ import kotlinx.parcelize.Parcelize
 data class AppIdentifyResponse(
     val identifications: List<AppMatchResult>,
     val sessionId: String,
+    val isMultiFactorIdEnabled: Boolean,
 ) : AppResponse()
diff --git a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppMatchResult.kt b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppMatchResult.kt
index f88f5bc87f..76fade9547 100644
--- a/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppMatchResult.kt
+++ b/infra/orchestrator-data/src/main/java/com/simprints/infra/orchestration/data/responses/AppMatchResult.kt
@@ -14,6 +14,8 @@ data class AppMatchResult(
     val confidenceScore: Int,
     val matchConfidence: AppMatchConfidence,
     val verificationSuccess: Boolean? = null,
+    val isLinkedToScannedCredential: Boolean? = null,
+    val isCredentialVerified: Boolean? = null,
 ) : Parcelable {
     // Temporarily using match confidence as a proxy for tiers.
     val tier: AppResponseTier
@@ -28,12 +30,19 @@ data class AppMatchResult(
         guid: String,
         confidenceScore: Float,
         decisionPolicy: DecisionPolicy,
+        isCredentialMatch: Boolean,
         verificationMatchThreshold: Float? = null,
     ) : this(
         guid = guid,
         confidenceScore = confidenceScore.toInt(),
         matchConfidence = computeMatchConfidence(confidenceScore.toInt(), decisionPolicy),
         verificationSuccess = computeVerificationSuccess(confidenceScore.toInt(), verificationMatchThreshold),
+        isLinkedToScannedCredential = isCredentialMatch,
+        isCredentialVerified = if (isCredentialMatch) {
+            computeVerificationSuccess(confidenceScore.toInt(), verificationMatchThreshold)
+        } else {
+            null
+        },
     )
 
     companion object {
diff --git a/infra/orchestrator-data/src/test/java/com/simprints/infra/orchestration/data/responses/AppMatchResultTest.kt b/infra/orchestrator-data/src/test/java/com/simprints/infra/orchestration/data/responses/AppMatchResultTest.kt
index 3e59185383..12bf961d1e 100644
--- a/infra/orchestrator-data/src/test/java/com/simprints/infra/orchestration/data/responses/AppMatchResultTest.kt
+++ b/infra/orchestrator-data/src/test/java/com/simprints/infra/orchestration/data/responses/AppMatchResultTest.kt
@@ -14,12 +14,14 @@ class AppMatchResultTest {
                 guid = "guid",
                 confidenceScore = 25.0f,
                 decisionPolicy = DecisionPolicy(low = 10, medium = 20, high = 30),
+                isCredentialMatch = false,
             ),
         ).isEqualTo(
             AppMatchResult(
                 guid = "guid",
                 confidenceScore = 25,
                 matchConfidence = AppMatchConfidence.MEDIUM,
+                isLinkedToScannedCredential = false,
             ),
         )
     }
@@ -44,6 +46,7 @@ class AppMatchResultTest {
                     guid = "guid",
                     confidenceScore = score,
                     decisionPolicy = DecisionPolicy(low = 20, medium = 40, high = 60),
+                    isCredentialMatch = false,
                 ).tier,
             ).isEqualTo(expected)
         }
diff --git a/infra/resources/src/main/res/values/styles-text.xml b/infra/resources/src/main/res/values/styles-text.xml
index 464442290d..8376de22f0 100644
--- a/infra/resources/src/main/res/values/styles-text.xml
+++ b/infra/resources/src/main/res/values/styles-text.xml
@@ -128,6 +128,10 @@
         <item name="android:textAppearance">@style/TextAppearance.Simprints.Headline4</item>
     </style>
 
+    <style name="Text.Headline4.Bold">
+        <item name="android:textStyle">bold</item>
+    </style>
+
     <!-- H5 variants -->
 
     <style name="Text.Headline5" parent="Widget.MaterialComponents.TextView">
@@ -146,6 +150,15 @@
         <item name="android:textStyle">bold</item>
     </style>
 
+
+    <style name="Text.Headline5.Blue">
+        <item name="android:textColor">@color/simprints_blue</item>
+    </style>
+
+    <style name="Text.Headline5.Blue.Bold">
+        <item name="android:textStyle">bold</item>
+    </style>
+
     <!-- H6 variants -->
 
     <style name="Text.Headline6" parent="Widget.MaterialComponents.TextView">
diff --git a/infra/sync/src/test/java/com/simprints/infra/sync/config/testtools/Models.kt b/infra/sync/src/test/java/com/simprints/infra/sync/config/testtools/Models.kt
index 1fa14c7fc3..c02ebe005a 100644
--- a/infra/sync/src/test/java/com/simprints/infra/sync/config/testtools/Models.kt
+++ b/infra/sync/src/test/java/com/simprints/infra/sync/config/testtools/Models.kt
@@ -1,5 +1,6 @@
 package com.simprints.infra.sync.config.testtools
 
+import com.simprints.core.domain.externalcredential.ExternalCredentialType
 import com.simprints.core.domain.tokenization.asTokenizableEncrypted
 import com.simprints.infra.config.store.models.AgeGroup
 import com.simprints.infra.config.store.models.ConsentConfiguration
@@ -12,6 +13,7 @@ import com.simprints.infra.config.store.models.Frequency
 import com.simprints.infra.config.store.models.GeneralConfiguration
 import com.simprints.infra.config.store.models.IdentificationConfiguration
 import com.simprints.infra.config.store.models.MaxCaptureAttempts
+import com.simprints.infra.config.store.models.MultiFactorIdConfiguration
 import com.simprints.infra.config.store.models.Project
 import com.simprints.infra.config.store.models.ProjectConfiguration
 import com.simprints.infra.config.store.models.ProjectState
@@ -114,6 +116,12 @@ internal val simprintsDownSyncConfigurationConfiguration = DownSynchronizationCo
     frequency = Frequency.PERIODICALLY,
 )
 
+internal val allowedExternalCredential = ExternalCredentialType.NHISCard
+
+internal val multiFactorIdConfiguration = MultiFactorIdConfiguration(
+    allowedExternalCredentials = listOf(allowedExternalCredential)
+)
+
 internal val synchronizationConfiguration = SynchronizationConfiguration(
     up = UpSynchronizationConfiguration(
         simprints = simprintsUpSyncConfigurationConfiguration,
@@ -132,16 +140,17 @@ internal val identificationConfiguration =
     IdentificationConfiguration(4, IdentificationConfiguration.PoolType.PROJECT)
 
 internal val projectConfiguration = ProjectConfiguration(
-    "id",
-    "projectId",
-    "updatedAt",
-    generalConfiguration,
-    faceConfiguration,
-    fingerprintConfiguration,
-    consentConfiguration,
-    identificationConfiguration,
-    synchronizationConfiguration,
-    null,
+    id = "id",
+    projectId = "projectId",
+    updatedAt = "updatedAt",
+    general = generalConfiguration,
+    face = faceConfiguration,
+    fingerprint = fingerprintConfiguration,
+    consent = consentConfiguration,
+    identification = identificationConfiguration,
+    synchronization = synchronizationConfiguration,
+    multifactorId = multiFactorIdConfiguration,
+    custom = null
 )
 
 internal const val TOKENIZATION_JSON =
diff --git a/infra/ui-base/build.gradle.kts b/infra/ui-base/build.gradle.kts
index 7053015455..a9ccecb631 100644
--- a/infra/ui-base/build.gradle.kts
+++ b/infra/ui-base/build.gradle.kts
@@ -1,4 +1,5 @@
 plugins {
+    id("simprints.infra")
     id("simprints.android.library")
 }
 
@@ -34,5 +35,11 @@ dependencies {
 
     api(libs.androidX.navigation.fragment)
 
+    api(libs.androidX.cameraX.core)
+    api(libs.androidX.cameraX.lifecycle)
+    api(libs.androidX.cameraX.view)
+    api(libs.jackson.core)
+    api(libs.playServices.barcode)
+
     testImplementation(project(":infra:test-tools"))
 }
diff --git a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraFocusManager.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraFocusManager.kt
similarity index 86%
rename from feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraFocusManager.kt
rename to infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraFocusManager.kt
index bc669fe497..302984baaa 100644
--- a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraFocusManager.kt
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraFocusManager.kt
@@ -1,4 +1,4 @@
-package com.simprints.feature.login.tools.camera
+package com.simprints.infra.uibase.camera.qrscan
 
 import android.annotation.SuppressLint
 import android.view.MotionEvent
@@ -14,15 +14,26 @@ import androidx.camera.core.MeteringPointFactory
 import androidx.camera.core.SurfaceOrientedMeteringPointFactory
 import androidx.camera.view.PreviewView
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
+import com.simprints.infra.logging.LoggingConstants
 import com.simprints.infra.logging.LoggingConstants.CrashReportTag.LOGIN
 import com.simprints.infra.logging.Simber
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
 import java.util.concurrent.TimeUnit
 import javax.inject.Inject
 
 @ExcludedFromGeneratedTestCoverageReports(
     reason = "These are UI utilities for focus controls in the camera preview",
 )
-internal class CameraFocusManager @Inject constructor() {
+class CameraFocusManager @AssistedInject constructor(
+    @Assisted private val crashReportTag: LoggingConstants.CrashReportTag,
+) {
+    @AssistedFactory
+    interface Factory {
+        fun create(crashReportTag: LoggingConstants.CrashReportTag): CameraFocusManager
+    }
+
     @SuppressLint("ClickableViewAccessibility")
     fun setUpFocusOnTap(
         cameraPreview: PreviewView,
@@ -52,7 +63,7 @@ internal class CameraFocusManager @Inject constructor() {
                 try {
                     cameraControl.startFocusAndMetering(focusAction)
                 } catch (e: CameraInfoUnavailableException) {
-                    Simber.e("Cannot access camera", e, tag = LOGIN)
+                    Simber.e("Cannot access camera", e, tag = crashReportTag)
                 }
                 true
             }
@@ -78,7 +89,7 @@ internal class CameraFocusManager @Inject constructor() {
             try {
                 camera.cameraControl.startFocusAndMetering(focusAction)
             } catch (e: CameraInfoUnavailableException) {
-                Simber.e("Cannot access camera", e, tag = LOGIN)
+                Simber.e("Cannot access camera", e, tag = crashReportTag)
             }
         }
     }
diff --git a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraHelper.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraHelper.kt
similarity index 82%
rename from feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraHelper.kt
rename to infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraHelper.kt
index bdc7f2430f..aeedfb8e94 100644
--- a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/CameraHelper.kt
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/CameraHelper.kt
@@ -1,4 +1,4 @@
-package com.simprints.feature.login.tools.camera
+package com.simprints.infra.uibase.camera.qrscan
 
 import android.content.Context
 import androidx.camera.core.AspectRatio
@@ -10,8 +10,11 @@ import androidx.camera.view.PreviewView
 import androidx.core.content.ContextCompat
 import androidx.lifecycle.LifecycleOwner
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
-import com.simprints.infra.logging.LoggingConstants.CrashReportTag.LOGIN
+import com.simprints.infra.logging.LoggingConstants
 import com.simprints.infra.logging.Simber
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
 import dagger.hilt.android.qualifiers.ApplicationContext
 import java.util.concurrent.Executors
 import javax.inject.Inject
@@ -19,10 +22,18 @@ import javax.inject.Inject
 @ExcludedFromGeneratedTestCoverageReports(
     reason = "This is an injectable wrapper around cameraX and ML kit APIs. There is no business logic.",
 )
-internal class CameraHelper @Inject constructor(
+class CameraHelper @AssistedInject constructor(
     @ApplicationContext private val context: Context,
-    private val cameraFocusManager: CameraFocusManager,
+    @Assisted private val crashReportTag: LoggingConstants.CrashReportTag,
+    private val cameraFocusManagerFactory: CameraFocusManager.Factory,
 ) {
+    private val cameraFocusManager by lazy { cameraFocusManagerFactory.create(crashReportTag) }
+
+    @AssistedFactory
+    interface Factory {
+        fun create(crashReportTag: LoggingConstants.CrashReportTag): CameraHelper
+    }
+
     fun startCamera(
         lifecycleOwner: LifecycleOwner,
         cameraPreview: PreviewView,
@@ -56,7 +67,7 @@ internal class CameraHelper @Inject constructor(
                             }
                         }
                 } catch (e: Exception) {
-                    Simber.i("Camera is already in use by another process", e, tag = LOGIN)
+                    Simber.i("Camera is already in use by another process", e, tag = crashReportTag)
                     initializationErrorListener.onCameraError()
                 }
             },
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzer.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzer.kt
new file mode 100644
index 0000000000..45a20534e2
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzer.kt
@@ -0,0 +1,88 @@
+package com.simprints.infra.uibase.camera.qrscan
+
+import android.graphics.Rect
+import androidx.camera.core.ExperimentalGetImage
+import androidx.camera.core.ImageAnalysis
+import androidx.camera.core.ImageProxy
+import com.google.mlkit.vision.common.InputImage
+import com.simprints.core.DispatcherBG
+import com.simprints.infra.logging.LoggingConstants
+import com.simprints.infra.logging.Simber
+import com.simprints.infra.uibase.camera.qrscan.usecase.CropBitmapAreaForDetectionUseCase
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
+import kotlinx.coroutines.CoroutineDispatcher
+import kotlinx.coroutines.channels.BufferOverflow
+import kotlinx.coroutines.flow.Flow
+import kotlinx.coroutines.flow.MutableStateFlow
+import kotlinx.coroutines.flow.buffer
+import kotlinx.coroutines.flow.filterNotNull
+import kotlinx.coroutines.runBlocking
+
+
+class QrCodeAnalyzer @AssistedInject constructor(
+    private val qrCodeDetectorFactory: QrCodeDetector.Factory,
+    @DispatcherBG private val bgDispatcher: CoroutineDispatcher,
+    @Assisted private val cropConfig: CropConfig?,
+    @Assisted private val crashReportTag: LoggingConstants.CrashReportTag,
+    private val cropBitmapAreaForDetectionUseCase: CropBitmapAreaForDetectionUseCase
+) : ImageAnalysis.Analyzer {
+
+
+    @AssistedFactory
+    interface Factory {
+        fun create(cropConfig: CropConfig?, crashReportTag: LoggingConstants.CrashReportTag): QrCodeAnalyzer
+    }
+
+    /**
+     * Specifies what rectangle to crop from the image. This configuration is used in the image analysis - instead of analyzing the entire
+     * image, we are limiting the detection area to [rect]. The coordinates in [rect] are relative to the full image size, whose dimensions
+     * are given by [rootViewWidth] and [rootViewHeight]. Orientation of the image should be provided from the configuration constants.
+     *
+     * @param rect area to crop and analyze relative to the full image
+     * @param orientation orientation of the parent image. Should be provided from the configuration constants
+     * @param rootViewWidth width of the parent image
+     * @param rootViewHeight height of the parent image
+     */
+    data class CropConfig(
+        val rect: Rect,
+        val orientation: Int,
+        val rootViewWidth: Int,
+        val rootViewHeight: Int,
+    )
+
+    private val qrCodeDetector by lazy { qrCodeDetectorFactory.create(crashReportTag) }
+    private val _scannedCode = MutableStateFlow<String?>(null)
+    val scannedCode: Flow<String> = _scannedCode
+        .filterNotNull()
+        .buffer(1, onBufferOverflow = BufferOverflow.DROP_OLDEST)
+
+    @ExperimentalGetImage
+    override fun analyze(imageProxy: ImageProxy) {
+        imageProxy.use {
+            it.image?.let { mediaImage ->
+                runBlocking(bgDispatcher) {
+                    try {
+                        val rotationDegrees = imageProxy.imageInfo.rotationDegrees
+                        when (cropConfig) {
+                            null -> {
+                                val image = RawImage(mediaImage, rotationDegrees)
+                                qrCodeDetector.detectInImage(image)?.let(_scannedCode::tryEmit)
+                            }
+
+                            else -> {
+                                val bitmap = cropBitmapAreaForDetectionUseCase(imageProxy.toBitmap(), cropConfig)
+                                val image = InputImage.fromBitmap(bitmap, 0)
+                                qrCodeDetector.detectInImage(image)?.let(_scannedCode::tryEmit)
+                            }
+                        }
+
+                    } catch (t: Throwable) {
+                        Simber.e("QR code detection failed", t, tag = crashReportTag)
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeDetector.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeDetector.kt
similarity index 63%
rename from feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeDetector.kt
rename to infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeDetector.kt
index d02a084f6c..1489d2fdad 100644
--- a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/QrCodeDetector.kt
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/QrCodeDetector.kt
@@ -1,4 +1,4 @@
-package com.simprints.feature.login.tools.camera
+package com.simprints.infra.uibase.camera.qrscan
 
 import com.google.android.gms.tasks.Task
 import com.google.mlkit.vision.barcode.BarcodeScannerOptions
@@ -8,15 +8,24 @@ import com.google.mlkit.vision.common.InputImage
 import com.simprints.core.ExcludedFromGeneratedTestCoverageReports
 import com.simprints.core.tools.extentions.resumeSafely
 import com.simprints.core.tools.extentions.resumeWithExceptionSafely
-import com.simprints.infra.logging.LoggingConstants.CrashReportTag.LOGIN
+import com.simprints.infra.logging.LoggingConstants
 import com.simprints.infra.logging.Simber
+import dagger.assisted.Assisted
+import dagger.assisted.AssistedFactory
+import dagger.assisted.AssistedInject
 import kotlinx.coroutines.suspendCancellableCoroutine
-import javax.inject.Inject
 
 @ExcludedFromGeneratedTestCoverageReports(
     reason = "This is just an injectable wrapper around MLKit barcode analyzer",
 )
-internal class QrCodeDetector @Inject constructor() {
+class QrCodeDetector @AssistedInject constructor(
+    @Assisted private val crashReportTag: LoggingConstants.CrashReportTag,
+) {
+    @AssistedFactory
+    interface Factory {
+        fun create(crashReportTag: LoggingConstants.CrashReportTag): QrCodeDetector
+    }
+
     private val scanner = BarcodeScanning.getClient(
         BarcodeScannerOptions
             .Builder()
@@ -24,14 +33,17 @@ internal class QrCodeDetector @Inject constructor() {
             .build(),
     )
 
-    suspend fun detectInImage(rawImage: RawImage): String? = try {
+    suspend fun detectInImage(rawImage: RawImage): String? =
+        detectInImage(InputImage.fromMediaImage(rawImage.image, rawImage.rotationDegrees))
+
+    suspend fun detectInImage(image: InputImage): String? = try {
         scanner
-            .process(InputImage.fromMediaImage(rawImage.image, rawImage.rotationDegrees))
+            .process(image)
             .awaitTask()
             ?.firstOrNull { !it.rawValue.isNullOrEmpty() }
             ?.rawValue
     } catch (t: Throwable) {
-        Simber.e("QR code processing failed", t, tag = LOGIN)
+        Simber.e("QR code processing failed", t, tag = crashReportTag)
         null
     }
 
diff --git a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/RawImage.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/RawImage.kt
similarity index 51%
rename from feature/login/src/main/java/com/simprints/feature/login/tools/camera/RawImage.kt
rename to infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/RawImage.kt
index 4e4d3dfb30..a72956ab04 100644
--- a/feature/login/src/main/java/com/simprints/feature/login/tools/camera/RawImage.kt
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/RawImage.kt
@@ -1,8 +1,8 @@
-package com.simprints.feature.login.tools.camera
+package com.simprints.infra.uibase.camera.qrscan
 
 import android.media.Image
 
-internal data class RawImage(
+data class RawImage(
     val image: Image,
     val rotationDegrees: Int,
 )
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCase.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCase.kt
new file mode 100644
index 0000000000..bc556b6604
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCase.kt
@@ -0,0 +1,37 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import com.simprints.infra.uibase.camera.qrscan.QrCodeAnalyzer
+import javax.inject.Inject
+
+class CropBitmapAreaForDetectionUseCase @Inject constructor(
+    private val rotateToPortraitIfNeededUseCase: RotateToPortraitIfNeededUseCase,
+    private val mapCropRectToImageSpaceUseCase: MapCropRectToImageSpaceUseCase,
+    private val cropBitmapToRectUseCase: CropBitmapToRectUseCase
+) {
+    /**
+     * Takes a [bitmap] image, and crops it to the area specified in [cropConfig]
+     */
+    operator fun invoke(bitmap: Bitmap, cropConfig: QrCodeAnalyzer.CropConfig): Bitmap {
+        val rotatedBitmap: Bitmap = rotateToPortraitIfNeededUseCase(bitmap, cropConfig.orientation)
+        val crop: Rect = mapCropRectToImageSpaceUseCase(
+            cropRectInRoot = cropConfig.rect,
+            rootWidth = cropConfig.rootViewWidth,
+            rootHeight = cropConfig.rootViewHeight,
+            imageWidth = rotatedBitmap.width,
+            imageHeight = rotatedBitmap.height
+        )
+        val isLeftOutOfBounds = crop.left < 0
+        val isTopOutOfBounds = crop.top < 0
+        val isRightOutOfBounds = crop.right > rotatedBitmap.width
+        val isBottomOutOfBounds = crop.bottom > rotatedBitmap.height
+
+        // a safety check to ensure that crop area is fully inside the rotated bitmap bounds
+        return if (isLeftOutOfBounds || isTopOutOfBounds || isRightOutOfBounds || isBottomOutOfBounds) {
+            bitmap
+        } else {
+            cropBitmapToRectUseCase(rotatedBitmap, crop)
+        }
+    }
+}
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCase.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCase.kt
new file mode 100644
index 0000000000..56a51a17a7
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCase.kt
@@ -0,0 +1,23 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import javax.inject.Inject
+
+class CropBitmapToRectUseCase @Inject constructor() {
+    /**
+     * Crops given [source] bitmap to the specified [cropRect]
+     *
+     * @param source bitmap to crop
+     * @param cropRect target crop rectangle
+     * @return a new [Bitmap] representing the cropped region
+     */
+    operator fun invoke(source: Bitmap, cropRect: Rect): Bitmap {
+        val left = cropRect.left.coerceIn(0, source.width)
+        val top = cropRect.top.coerceIn(0, source.height)
+        val width = cropRect.width().coerceAtMost(source.width - left)
+        val height = cropRect.height().coerceAtMost(source.height - top)
+
+        return Bitmap.createBitmap(source, left, top, width, height)
+    }
+}
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/MapCropRectToImageSpaceUseCase.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/MapCropRectToImageSpaceUseCase.kt
new file mode 100644
index 0000000000..7180118613
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/MapCropRectToImageSpaceUseCase.kt
@@ -0,0 +1,35 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.graphics.Rect
+import javax.inject.Inject
+
+class MapCropRectToImageSpaceUseCase @Inject constructor() {
+    /**
+     * Maps a crop rectangle defined in the root view's coordinate space into the corresponding rectangle in the image's coordinate space.
+     * This is required when the crop area is selected on a view (UI) with different dimensions than the underlying image being processed.
+     *
+     * @param cropRectInRoot the crop rectangle coordinates in the root view space
+     * @param rootWidth the width of the root view
+     * @param rootHeight the height of the root view
+     * @param imageWidth the width of the image
+     * @param imageHeight the height of the image
+     * @return a [Rect] representing the crop area in the image's coordinate space
+     */
+    operator fun invoke(
+        cropRectInRoot: Rect,
+        rootWidth: Int,
+        rootHeight: Int,
+        imageWidth: Int,
+        imageHeight: Int,
+    ): Rect {
+        val scaleX = imageWidth.toFloat() / rootWidth
+        val scaleY = imageHeight.toFloat() / rootHeight
+
+        return Rect(
+            (cropRectInRoot.left * scaleX).toInt(),
+            (cropRectInRoot.top * scaleY).toInt(),
+            (cropRectInRoot.right * scaleX).toInt(),
+            (cropRectInRoot.bottom * scaleY).toInt()
+        )
+    }
+}
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCase.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCase.kt
new file mode 100644
index 0000000000..88c5605179
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCase.kt
@@ -0,0 +1,29 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.content.res.Configuration
+import android.graphics.Bitmap
+import android.graphics.Matrix
+import javax.inject.Inject
+
+class RotateToPortraitIfNeededUseCase @Inject constructor() {
+    /**
+     * Rotates given [bitmap] by 90 degrees if it is in landscape mode. Otherwise, returns the original [bitmap] without modification.
+     * Images from video feed are usually in landscape mode, and we want to be sure that the calculation are always happening in the same
+     * space.
+     *
+     * @param bitmap image to potentially rotate
+     * @param orientation the current device orientation from [Configuration] (portrait/landscape)
+     * @return a rotated bitmap if rotation was needed, otherwise the original bitmap
+     */
+    operator fun invoke(bitmap: Bitmap, orientation: Int): Bitmap {
+        val isLandscape = bitmap.width > bitmap.height
+        val isPortraitOrientation = orientation == Configuration.ORIENTATION_PORTRAIT
+
+        return if (isLandscape && isPortraitOrientation) {
+            val matrix = Matrix().apply { postRotate(90f) }
+            Bitmap.createBitmap(bitmap, 0, 0, bitmap.width, bitmap.height, matrix, true)
+        } else {
+            bitmap
+        }
+    }
+}
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/uibase/view/View.ext.kt b/infra/ui-base/src/main/java/com/simprints/infra/uibase/view/View.ext.kt
index b5944a4b27..3cda7178ea 100644
--- a/infra/ui-base/src/main/java/com/simprints/infra/uibase/view/View.ext.kt
+++ b/infra/ui-base/src/main/java/com/simprints/infra/uibase/view/View.ext.kt
@@ -2,8 +2,15 @@ package com.simprints.infra.uibase.view
 
 import android.animation.ObjectAnimator
 import android.view.View
+import android.view.ViewPropertyAnimator
 import android.view.animation.AccelerateDecelerateInterpolator
+import android.view.animation.AccelerateInterpolator
+import android.view.animation.DecelerateInterpolator
+import androidx.core.view.isVisible
+import androidx.fragment.app.Fragment
+import com.simprints.infra.uibase.annotations.ExcludedFromGeneratedTestCoverageReports
 
+@ExcludedFromGeneratedTestCoverageReports("View animation")
 fun View.setPulseAnimation(isEnabled: Boolean) {
     (tag as? ObjectAnimator?)?.run {
         cancel()
@@ -27,6 +34,42 @@ fun View.setPulseAnimation(isEnabled: Boolean) {
     tag = progressBarPulseAnimator
 }
 
+@ExcludedFromGeneratedTestCoverageReports("View animation")
+fun View.fadeOut(
+    duration: Long,
+    scaleX: Boolean,
+    fragment: Fragment,
+) = animate()
+    .alpha(0f)
+    .setDuration(duration)
+    .setInterpolator(DecelerateInterpolator())
+    .withEndAction {
+        if (fragment.isAdded) {
+            this.isVisible = false
+        }
+    }.also {
+        if (scaleX) {
+            it.scaleX(0f)
+        }
+        it.start()
+    }
+
+@ExcludedFromGeneratedTestCoverageReports("View animation")
+fun View.fadeIn(
+    duration: Long,
+    fragment: Fragment,
+    onComplete: (() -> Unit)?,
+) = animate()
+    .alpha(1f)
+    .setInterpolator(AccelerateInterpolator())
+    .setDuration(duration)
+    .withEndAction {
+        if (fragment.isAdded) {
+            this.isVisible = true
+            onComplete?.invoke()
+        }
+    }.also { it.start() }
+
 private const val PULSE_ANIMATION_ALPHA_FULL = 1.0f
 private const val PULSE_ANIMATION_ALPHA_INTERMEDIATE = 0.9f
 private const val PULSE_ANIMATION_ALPHA_MIN = 0.6f
diff --git a/infra/ui-base/src/main/java/com/simprints/infra/view/PermissionRequestView.kt b/infra/ui-base/src/main/java/com/simprints/infra/view/PermissionRequestView.kt
new file mode 100644
index 0000000000..fc00ca0fe7
--- /dev/null
+++ b/infra/ui-base/src/main/java/com/simprints/infra/view/PermissionRequestView.kt
@@ -0,0 +1,53 @@
+package com.simprints.infra.view
+
+import android.content.Context
+import android.util.AttributeSet
+import android.view.LayoutInflater
+import android.widget.Button
+import android.widget.LinearLayout
+import android.widget.TextView
+import androidx.annotation.StringRes
+import com.simprints.infra.uibase.R
+import com.simprints.infra.uibase.annotations.ExcludedFromGeneratedTestCoverageReports
+
+@ExcludedFromGeneratedTestCoverageReports("UI Code")
+class PermissionRequestView @JvmOverloads constructor(
+    context: Context,
+    attrs: AttributeSet? = null,
+    defStyle: Int = 0
+) : LinearLayout(context, attrs, defStyle) {
+
+    private val title: TextView
+    private val body: TextView
+    private val actionButton: Button
+
+    init {
+        orientation = VERTICAL
+        LayoutInflater.from(context).inflate(R.layout.view_camera_permission_request, this, true)
+
+        title = findViewById(R.id.permissionTitle)
+        body = findViewById(R.id.permissionBody)
+        actionButton = findViewById(R.id.permissionAction)
+    }
+
+    fun init(title: String, body: String, buttonText: String, onClickListener: OnClickListener) {
+        this.title.text = title
+        this.body.text = body
+        this.actionButton.text = buttonText
+        this.actionButton.setOnClickListener(onClickListener)
+    }
+
+    fun init(@StringRes title: Int, @StringRes body: Int, @StringRes buttonText: Int, onClickListener: OnClickListener) {
+        this.title.setText(title)
+        this.body.setText(body)
+        this.actionButton.setText(buttonText)
+        this.actionButton.setOnClickListener(onClickListener)
+    }
+
+    fun init(@StringRes title: Int, body: String, @StringRes buttonText: Int, onClickListener: OnClickListener) {
+        this.title.setText(title)
+        this.body.setText(body)
+        this.actionButton.setText(buttonText)
+        this.actionButton.setOnClickListener(onClickListener)
+    }
+}
diff --git a/infra/ui-base/src/main/res/layout/view_camera_permission_request.xml b/infra/ui-base/src/main/res/layout/view_camera_permission_request.xml
new file mode 100644
index 0000000000..f0fda4a5e6
--- /dev/null
+++ b/infra/ui-base/src/main/res/layout/view_camera_permission_request.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="utf-8"?>
+<merge xmlns:android="http://schemas.android.com/apk/res/android"
+    xmlns:app="http://schemas.android.com/apk/res-auto"
+    xmlns:tools="http://schemas.android.com/tools">
+
+    <com.google.android.material.card.MaterialCardView
+        android:id="@+id/permissionCard"
+        android:layout_width="match_parent"
+        android:layout_height="wrap_content"
+        android:padding="@dimen/margin_large"
+        app:cardElevation="2dp"
+        app:cardUseCompatPadding="true">
+
+        <LinearLayout
+            android:layout_width="match_parent"
+            android:layout_height="wrap_content"
+            android:orientation="vertical"
+            android:padding="@dimen/padding_large">
+
+            <TextView
+                android:id="@+id/permissionTitle"
+                style="@style/Text.Headline5"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                tools:text="Camera Permission Required" />
+
+            <View
+                android:layout_width="match_parent"
+                android:layout_height="1dp"
+                android:layout_marginVertical="@dimen/margin_large"
+                android:background="@color/simprints_grey_light" />
+
+            <TextView
+                android:id="@+id/permissionBody"
+                style="@style/Text.Body1"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                tools:text="This app requires access to your camera to scan documents." />
+
+            <Button
+                android:id="@+id/permissionAction"
+                style="@style/Widget.Simprints.Button"
+                android:layout_width="match_parent"
+                android:layout_height="wrap_content"
+                android:layout_marginTop="@dimen/margin_large"
+                tools:text="Grant Permission" />
+
+        </LinearLayout>
+    </com.google.android.material.card.MaterialCardView>
+</merge>
diff --git a/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzerTest.kt b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzerTest.kt
new file mode 100644
index 0000000000..051659bfc9
--- /dev/null
+++ b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/QrCodeAnalyzerTest.kt
@@ -0,0 +1,100 @@
+package com.simprints.infra.uibase.camera.qrscan
+
+import android.graphics.Bitmap
+import androidx.camera.core.ImageProxy
+import com.google.common.truth.*
+import com.google.mlkit.vision.common.InputImage
+import com.simprints.infra.logging.LoggingConstants
+import com.simprints.infra.uibase.camera.qrscan.usecase.CropBitmapAreaForDetectionUseCase
+import com.simprints.testtools.common.coroutines.TestCoroutineRule
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import kotlinx.coroutines.flow.first
+import kotlinx.coroutines.test.runTest
+import org.junit.Before
+import org.junit.Rule
+import org.junit.Test
+
+internal class QrCodeAnalyzerTest {
+    @get:Rule
+    val testCoroutineRule = TestCoroutineRule()
+
+    @MockK
+    lateinit var qrCodeDetector: QrCodeDetector
+
+    @MockK
+    lateinit var imageProxy: ImageProxy
+
+    private lateinit var qrCodeProducer: QrCodeAnalyzer
+    private lateinit var cropUseCase: CropBitmapAreaForDetectionUseCase
+    private lateinit var bitmap: Bitmap
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+        bitmap = mockk<Bitmap>()
+        cropUseCase = mockk<CropBitmapAreaForDetectionUseCase>(relaxed = true)
+    }
+
+    private fun initQrCodeProducer(cropConfig: QrCodeAnalyzer.CropConfig?) {
+        qrCodeProducer = QrCodeAnalyzer(
+            qrCodeDetectorFactory = mockk<QrCodeDetector.Factory> {
+                every { create(any()) } returns qrCodeDetector
+            },
+            bgDispatcher = testCoroutineRule.testCoroutineDispatcher,
+            cropConfig = cropConfig,
+            crashReportTag = LoggingConstants.CrashReportTag.LOGIN,
+            cropBitmapAreaForDetectionUseCase = cropUseCase
+        )
+    }
+
+    @Test
+    fun `should not trigger detector when no images obtained`() {
+        initQrCodeProducer(cropConfig = null)
+        every { imageProxy.image } returns null
+        qrCodeProducer.analyze(imageProxy)
+
+        coVerify(exactly = 0) { qrCodeDetector.detectInImage(any<RawImage>()) }
+    }
+
+    @Test
+    fun `should send RQ code value to flow`() = runTest {
+        initQrCodeProducer(cropConfig = null)
+        every { imageProxy.image } returns mockk()
+        coEvery { qrCodeDetector.detectInImage(any<RawImage>()) } returns "mock_value"
+
+        qrCodeProducer.analyze(imageProxy)
+        val code = qrCodeProducer.scannedCode.first()
+
+        Truth.assertThat(code).isEqualTo("mock_value")
+    }
+
+    @Test
+    fun `should close image proxy with unsuccessful scan`() {
+        initQrCodeProducer(cropConfig = null)
+        coEvery { qrCodeDetector.detectInImage(any<RawImage>()) } throws Throwable()
+
+        qrCodeProducer.analyze(imageProxy)
+
+        verify { imageProxy.close() }
+    }
+
+    @Test
+    fun `should emit code when cropConfig is provided`() = runTest {
+        val cropConfig = mockk<QrCodeAnalyzer.CropConfig>()
+        val expectedQrValue = "expectedQrValue"
+        initQrCodeProducer(cropConfig)
+
+        mockkStatic(InputImage::class)
+        every { InputImage.fromBitmap(any(), any()) } returns mockk(relaxed = true)
+        every { imageProxy.image } returns mockk(relaxed = true)
+        every { imageProxy.toBitmap() } returns bitmap
+        every { cropUseCase.invoke(bitmap, cropConfig) } returns bitmap
+        coEvery { qrCodeDetector.detectInImage(any<InputImage>()) } returns expectedQrValue
+
+        qrCodeProducer.analyze(imageProxy)
+        val scannedCode = qrCodeProducer.scannedCode.first()
+        Truth.assertThat(scannedCode).isEqualTo(expectedQrValue)
+    }
+
+}
diff --git a/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCaseTest.kt b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCaseTest.kt
new file mode 100644
index 0000000000..c7e8168bb9
--- /dev/null
+++ b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapAreaForDetectionUseCaseTest.kt
@@ -0,0 +1,104 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.google.common.truth.Truth.*
+import com.simprints.infra.uibase.camera.qrscan.QrCodeAnalyzer
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+internal class CropBitmapAreaForDetectionUseCaseTest {
+
+    @MockK
+    lateinit var rotateIfNeeded: RotateToPortraitIfNeededUseCase
+
+    @MockK
+    lateinit var mapCropRectToImageSpace: MapCropRectToImageSpaceUseCase
+
+    @MockK
+    lateinit var cropBitmapToRect: CropBitmapToRectUseCase
+
+    @MockK
+    lateinit var originalBitmap: Bitmap
+
+    @MockK
+    lateinit var rotatedBitmap: Bitmap
+
+    @MockK
+    lateinit var croppedBitmap: Bitmap
+
+    private lateinit var useCase: CropBitmapAreaForDetectionUseCase
+
+    private val cropConfig = QrCodeAnalyzer.CropConfig(
+        rect = Rect(0, 0, 10, 10),
+        orientation = 0,
+        rootViewWidth = 100,
+        rootViewHeight = 100
+    )
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        every { rotatedBitmap.width } returns 50
+        every { rotatedBitmap.height } returns 50
+
+        useCase = CropBitmapAreaForDetectionUseCase(
+            rotateIfNeeded,
+            mapCropRectToImageSpace,
+            cropBitmapToRect
+        )
+    }
+
+    @Test
+    fun `returns cropped bitmap when rect is inside bounds`() {
+        val mappedRect = Rect(5, 5, 15, 15)
+
+        every { rotateIfNeeded(originalBitmap, 0) } returns rotatedBitmap
+        every { mapCropRectToImageSpace(any(), any(), any(), any(), any()) } returns mappedRect
+        every { cropBitmapToRect(rotatedBitmap, mappedRect) } returns croppedBitmap
+
+        val result = useCase(originalBitmap, cropConfig)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify { rotateIfNeeded(bitmap = originalBitmap, orientation = 0) }
+        verify {
+            mapCropRectToImageSpace(
+                cropRectInRoot = cropConfig.rect,
+                rootWidth = 100,
+                rootHeight = 100,
+                imageWidth = 50,
+                imageHeight = 50
+            )
+        }
+        verify { cropBitmapToRect(source = rotatedBitmap, cropRect = mappedRect) }
+    }
+
+    @Test
+    fun `returns original bitmap when rect is out of bounds`() {
+        val mappedRect = Rect(-5, 5, 15, 15)
+
+        every { rotateIfNeeded(originalBitmap, 0) } returns rotatedBitmap
+        every { mapCropRectToImageSpace(any(), any(), any(), any(), any()) } returns mappedRect
+
+        val result = useCase(originalBitmap, cropConfig)
+
+        assertThat(result).isEqualTo(originalBitmap)
+        verify { rotateIfNeeded(bitmap = originalBitmap, orientation = 0) }
+        verify {
+            mapCropRectToImageSpace(
+                cropRectInRoot = cropConfig.rect,
+                rootWidth = 100,
+                rootHeight = 100,
+                imageWidth = 50,
+                imageHeight = 50
+            )
+        }
+        verify(exactly = 0) { cropBitmapToRect(any(), any()) }
+    }
+}
diff --git a/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCaseTest.kt b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCaseTest.kt
new file mode 100644
index 0000000000..b731e61304
--- /dev/null
+++ b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/CropBitmapToRectUseCaseTest.kt
@@ -0,0 +1,140 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.graphics.Bitmap
+import android.graphics.Rect
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.google.common.truth.Truth.*
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+internal class CropBitmapToRectUseCaseTest {
+
+    @MockK
+    lateinit var sourceBitmap: Bitmap
+
+    @MockK
+    lateinit var croppedBitmap: Bitmap
+
+    private lateinit var useCase: CropBitmapToRectUseCase
+
+    private val w800 = 800
+    private val h600 = 600
+    private val x100 = 100
+    private val y100 = 100
+    private val w200 = 200
+    private val h150 = 150
+    private val x0 = 0
+    private val y0 = 0
+    private val x50 = 50
+    private val y50 = 50
+    private val w100 = 100
+    private val h100 = 100
+    private val x900 = 900
+    private val y700 = 700
+    private val x750 = 750
+    private val y550 = 550
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        every { sourceBitmap.width } returns w800
+        every { sourceBitmap.height } returns h600
+
+        useCase = CropBitmapToRectUseCase()
+    }
+
+    @Test
+    fun `crops bitmap with rect inside bounds`() {
+        val cropRect = Rect(x100, y100, x100 + w200, y100 + h150)
+        runUseCaseTest(cropRect, x100, y100, w200, h150)
+    }
+
+    @Test
+    fun `crops bitmap with rect at origin`() {
+        val cropRect = Rect(x0, y0, w100, h100)
+        runUseCaseTest(cropRect, x0, y0, w100, h100)
+    }
+
+    @Test
+    fun `coerces negative left coordinate to zero`() {
+        val cropRect = Rect(-x50, y100, -x50 + w100, y100 + h100)
+        runUseCaseTest(cropRect, x0, y100, w100, h100)
+    }
+
+    @Test
+    fun `coerces negative top coordinate to zero`() {
+        val cropRect = Rect(x100, -y50, x100 + w100, -y50 + h100)
+        runUseCaseTest(cropRect, x100, x0, w100, h100)
+    }
+
+    @Test
+    fun `coerces left coordinate exceeding bitmap width`() {
+        val cropRect = Rect(x900, y100, x900 + w100, y100 + h100)
+        runUseCaseTest(cropRect, w800, y100, x0, h100)
+    }
+
+    @Test
+    fun `coerces top coordinate exceeding bitmap height`() {
+        val cropRect = Rect(x100, y700, x100 + w100, y700 + h100)
+        runUseCaseTest(cropRect, x100, h600, w100, x0)
+    }
+
+    @Test
+    fun `limits width when crop extends beyond bitmap width`() {
+        val cropRect = Rect(x750, y100, x750 + w200, y100 + h100)
+        val expectedWidth = w800 - x750
+        runUseCaseTest(cropRect, x750, y100, expectedWidth, h100)
+    }
+
+    @Test
+    fun `limits height when crop extends beyond bitmap height`() {
+        val cropRect = Rect(x100, y550, x100 + w100, y550 + h150)
+        val expectedHeight = h600 - y550
+        runUseCaseTest(cropRect, x100, y550, w100, expectedHeight)
+    }
+
+    @Test
+    fun `handles rect completely outside bounds with adjusted coordinates`() {
+        val cropRect = Rect(x900, y700, x900 + w100, y700 + h100)
+        runUseCaseTest(cropRect, w800, h600, x0, x0)
+    }
+
+    private fun runUseCaseTest(
+        cropRect: Rect,
+        expectedLeft: Int,
+        expectedTop: Int,
+        expectedWidth: Int,
+        expectedHeight: Int
+    ) {
+        mockkStatic(Bitmap::class)
+
+        every {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedWidth,
+                expectedHeight
+            )
+        } returns croppedBitmap
+
+        val result = useCase(sourceBitmap, cropRect)
+
+        assertThat(result).isEqualTo(croppedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                sourceBitmap,
+                expectedLeft,
+                expectedTop,
+                expectedWidth,
+                expectedHeight
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+}
diff --git a/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCaseTest.kt b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCaseTest.kt
new file mode 100644
index 0000000000..8a73f0c77c
--- /dev/null
+++ b/infra/ui-base/src/test/java/com/simprints/infra/uibase/camera/qrscan/usecase/RotateToPortraitIfNeededUseCaseTest.kt
@@ -0,0 +1,110 @@
+package com.simprints.infra.uibase.camera.qrscan.usecase
+
+import android.content.res.Configuration
+import android.graphics.Bitmap
+import android.graphics.Matrix
+import androidx.test.ext.junit.runners.*
+import com.google.common.truth.Truth.*
+import io.mockk.*
+import io.mockk.impl.annotations.MockK
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+
+@RunWith(AndroidJUnit4::class)
+internal class RotateToPortraitIfNeededUseCaseTest {
+
+    @MockK
+    lateinit var landscapeBitmap: Bitmap
+
+    @MockK
+    lateinit var portraitBitmap: Bitmap
+
+    @MockK
+    lateinit var rotatedBitmap: Bitmap
+
+    private lateinit var useCase: RotateToPortraitIfNeededUseCase
+
+    private val w800 = 800
+    private val h600 = 600
+    private val w600 = 600
+    private val h800 = 800
+
+    @Before
+    fun setUp() {
+        MockKAnnotations.init(this, relaxed = true)
+
+        every { landscapeBitmap.width } returns w800
+        every { landscapeBitmap.height } returns h600
+        every { portraitBitmap.width } returns w600
+        every { portraitBitmap.height } returns h800
+
+        useCase = RotateToPortraitIfNeededUseCase()
+    }
+
+    @Test
+    fun `rotates landscape bitmap when device is in portrait orientation`() {
+        mockkStatic(Bitmap::class)
+        every {
+            Bitmap.createBitmap(
+                landscapeBitmap,
+                0,
+                0,
+                w800,
+                h600,
+                any<Matrix>(),
+                true
+            )
+        } returns rotatedBitmap
+
+        val result = useCase(landscapeBitmap, Configuration.ORIENTATION_PORTRAIT)
+
+        assertThat(result).isEqualTo(rotatedBitmap)
+        verify {
+            Bitmap.createBitmap(
+                landscapeBitmap,
+                0,
+                0,
+                w800,
+                h600,
+                any<Matrix>(),
+                true
+            )
+        }
+        unmockkStatic(Bitmap::class)
+    }
+
+    @Test
+    fun `returns original bitmap when landscape bitmap and device is in landscape orientation`() {
+        runUseCaseTest(source = landscapeBitmap, orientation = Configuration.ORIENTATION_LANDSCAPE, expected = landscapeBitmap)
+    }
+
+    @Test
+    fun `returns original bitmap when portrait bitmap and device is in portrait orientation`() {
+        runUseCaseTest(source = portraitBitmap, orientation = Configuration.ORIENTATION_PORTRAIT, expected = portraitBitmap)
+    }
+
+    @Test
+    fun `returns original bitmap when portrait bitmap and device is in landscape orientation`() {
+        runUseCaseTest(source = portraitBitmap, orientation = Configuration.ORIENTATION_LANDSCAPE, expected = portraitBitmap)
+    }
+
+    @Test
+    fun `returns original bitmap when device orientation is undefined`() {
+        runUseCaseTest(source = landscapeBitmap, orientation = Configuration.ORIENTATION_UNDEFINED, expected = landscapeBitmap)
+    }
+
+    @Test
+    fun `returns original bitmap when bitmap is square and device is in portrait orientation`() {
+        val squareBitmap = mockk<Bitmap>()
+        every { squareBitmap.width } returns w600
+        every { squareBitmap.height } returns w600
+
+        runUseCaseTest(source = squareBitmap, orientation = Configuration.ORIENTATION_PORTRAIT, expected = squareBitmap)
+    }
+
+    private fun runUseCaseTest(source: Bitmap, orientation: Int, expected: Bitmap) {
+        val result = useCase(source, orientation)
+        assertThat(result).isEqualTo(expected)
+    }
+}
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 8d15045037..42af0edad5 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -114,6 +114,7 @@ include(
     ":feature:fetch-subject",
     ":feature:select-subject",
     ":feature:enrol-last-biometric",
+    ":feature:external-credential",
     ":feature:dashboard",
     ":feature:troubleshooting",
     ":feature:alert",
@@ -132,6 +133,7 @@ include(
     ":infra:events",
     ":infra:config-store",
     ":infra:config-sync",
+    ":infra:credential-store",
     ":infra:enrolment-records:repository",
     ":infra:enrolment-records:realm-store",
     ":infra:enrolment-records:room-store",
@@ -139,6 +141,7 @@ include(
     ":infra:license",
     ":infra:logging",
     ":infra:logging-persistent",
+    ":infra:matching",
     ":infra:auth-store",
     ":infra:auth-logic",
     ":infra:network",