The external authenticator should not commence external authentication until the internal verification process is complete. An internal verification report must be available to the external authenticator.