MorphoAccess 500 Series User Guide

  • Produced by Sagem Sécurité. Copyright 2009 Sagem Sécurité. www.sagem-securite.com

    MorphoAccess 500 Series User Guide

    SSE-0000060806-05

    October 2009

    MA 500+ Series

    OMA 500 Series

    MA 500 Series

  • Sagem Sécurité document. Reproduction and disclosure forbidden. SSE-0000060806-05

    Table of Contents

    REVISIONS HISTORY

    INTRODUCTION
        SCOPE OF THE DOCUMENT
        SAFETY INSTRUCTIONS

    MORPHOACCESS PRESENTATION
        INTERFACES PRESENTATION
        SYSTEM SYNOPTIC
        TERMINAL PRESENTATION
        ACCESS CONTROL PRESENTATION
        RESULT OF THE ACCESS CONTROL

    TERMINAL CONFIGURATION
        EASY SETUP ASSISTANT
        ADMINISTRATION MENU
        UNDERSTANDING MORPHOACCESS CONFIGURATION
        MODIFYING A PARAMETER USING THE CONFIGURATION APPLICATION
        CONFIGURING A NETWORKED MORPHOACCESS
        DOWNLOADING A LICENCE
        UPGRADING THE FIRMWARE
        SCREEN CONTRAST
        STARTING UP APPLICATION

    STAND ALONE MODES (NETWORKED OR NOT)
        PRELIMINARY: ADDING A BIOMETRIC TEMPLATE IN LOCAL DATABASE
        MACCESS APPLICATION: ACCESS CONTROL OR TIME & ATTENDANCE
        ACCESS CONTROL BY IDENTIFICATION
        ACCESS CONTROL BY IDENTIFICATION (MA-XTENDED LICENCE LOADED)
        INTRODUCTION TO CONTACTLESS AUTHENTICATION
        AUTHENTICATION WITH BIOMETRIC TEMPLATES ON CARD
        PIN VERIFICATION - PIN STORED ON CARD
        BIOPIN VERIFICATION - BIOPIN STORED ON CARD
        AUTHENTICATION WITH BIOMETRIC TEMPLATES IN LOCAL DATABASE
        AUTHENTICATION BASED ON CARD MODE
        MULTI-FACTOR (MERGED) MODE
        AUTHENTICATION WITH LOCAL DATABASE: ID ENTERED FROM KEYBOARD
        AUTHENTICATION WITH LOCAL DATABASE: ID INPUT FROM WIEGAND OR DATACLOCK
        BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION
        RECOGNITION MODE SYNTHESIS
        SETTING UP RECOGNITION STRATEGY
        SETTING UP MATCHING PARAMETERS
        FAKE FINGER DETECTION (OPTION)

    IDLE MODE
        IDLE MODE PRESENTATION
        IDLE MODE ACTIVATION

    PROXY MODE
        PROXY MODE (OR SLAVE) PRESENTATION
        PROXY MODE ACTIVATION

    APPLICATION CUSTOMIZATION
        SETTING UP TIME MASK
        MULTILINGUAL APPLICATION
        DISPLAY HOUR

    RESULT EXPORTATION
        REMOTE MESSAGES: SENDING THE ID TO THE CENTRAL SECURITY CONTROLLER
        RELAY ACTIVATION
        LOG FILE
        LED IN ACTIVATION

    SECURITY FEATURES
        SECURITY SWITCH MANAGEMENT
        PASSWORDS

    MESSAGES SENDING
        PRINCIPLE
        EVENTS
        SENDING INTERFACES

    APPENDIX
        ENROLMENT ON TERMINAL WITH SYNCHRONIZATION
        MORPHOACCESS 220 / 320 COMPATIBILITY
        CONTACTLESS MODES TABLE
        REQUIRED TAGS ON CONTACTLESS CARD
        FAQ
        RELATED DOCUMENTS

    CONTACTS

    SUPPORT

    REVISIONS HISTORY

    | Date | Firmware | Description |
    |---|---|---|
    | July 08 | 2.07 | Add a Date/Time settings description |
    |  | 2.09 | Add juvenile option feature of MA2XX and MA3XX devices. Add extended Time & Attendance new feature. Add Wi-Fi connection for terminal administration and for access control result message send. Add MIFARE key update inquiry in easy setup (configuration assistant). Add Card UID contactless card reader mode (ISO/IEC 14443). |
    | June 09 | 2.10 | Add MA 500+ Series and DESFire terminals |
    | October 09 | 2.11 | Add Wi-Fi static IP and WPA-PSK configuration. Add new languages (Arabic and Turkish). Add specific messages sending. Add start up application. Add logs full features description. |

    WI-FI is a registered mark of the WI-FI Alliance

    INTRODUCTION

    Congratulations on choosing the MorphoAccess 500 Series Automatic Fingerprint Recognition Terminal.

    MorphoAccess 500 Series provides an innovative and effective solution for access control applications using Fingerprint Verification and/or Identification.

    Among a range of alternative biometric techniques, the use of finger imaging has significant advantages: each finger constitutes an unalterable physical signature, which develops before birth and is preserved until death. Unlike DNA, a finger image is unique to each individual - even identical twins.

    The MorphoAccess integrates Sagem Sécurité image processing and feature matching algorithms. This technology is based on knowledge acquired during 20 years of experience in the field of biometric identification and the creation of literally millions of individual fingerprint identification records.

    We believe you will find the MorphoAccess fast, accurate, easy to use and suitable for physical access control or time and attendance.

    To ensure the most effective use of your MorphoAccess, we recommend that you read this User Guide entirely.

    SCOPE OF THE DOCUMENT

    This guide relates to the use of MorphoAccess 500 Series terminals. MorphoAccess 500 Series is a generic name covering the MorphoAccess terminals of the MA 500+ Series, OMA 500 Series and MA 500 Series. The corresponding list of products is given in the table below.

    Table columns: Biometrics; Contactless Smartcard Reader (MIFARE, DESFire); False Finger Detection; Outdoor

    MA 500+ Series: MA 500+, MA 520+ D, MA 521+ D

    OMA 500 Series: OMA 520 D, OMA 521 D, OMA 520, OMA 521

    MA 500 Series: MA 500, MA 520, MA 521

    SAFETY INSTRUCTIONS

    Europe information

    Sagem Sécurité hereby declares that the MorphoAccess has been tested and found compliant with the following listed standards as required by the EMC Directive 89/336/EEC: EN55022 (1994) / EN55024 (1998), EN300-330 (1999) and by the low voltage Directive 73/23/EEC amended by 93/68/EEC: EN60950 (2000).

    These terminals are Class A devices. In a residential environment, these devices may cause interference. In this case, the user is encouraged to try to correct the interference with appropriate measures such as:

    reorient or relocate the receiving antenna,

    increase the separation between the equipment and receiver,

    connect the equipment into an outlet on a circuit different from that to which the receiver is connected,

    consult the dealer or an experienced radio/TV technician for help.

    USA information

    Responsible Party: Sagem Sécurité, Le Ponant de Paris, 27, rue Leblanc F 75512 PARIS CEDEX 15 FRANCE

    Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment.

    This device complies with part 15 Class A of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

    NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at their own expense.

    Canadian information

    This Class A digital apparatus complies with Canadian ICES-003.

    This Class A digital apparatus complies with Canadian standard NMB-003.

    MORPHOACCESS PRESENTATION

    MorphoAccess is a fingerprint identification device for physical access control and time and attendance, offering both multi-factor verification and identification capabilities with an unequalled level of performance.

    INTERFACES PRESENTATION

    Man-machine interface

    The MorphoAccess 500 Series offers a simple and ergonomic man-machine interface dedicated to access control based on fingerprint recognition:

    a high quality optical scanner to capture fingerprints (1),

    a bicolour LED (2),

    a multi-toned buzzer,

    an optional contactless smart card reader (see details in section Scope of the document), to read data such as the reference templates from a contactless card (3),

    a keyboard for time and attendance functions, local administration, User ID entry, PIN code entry (4),

    a 128x64 display screen (5).

    Electrical interfaces

    The terminal offers multiple interfaces dedicated to administration and control information:

    a multiplexed Wiegand / Dataclock output to export the user identifier to a controller (1),

    a RS422 or RS485 output (2),

    a LED OUT signal output (3),

    two LED IN inputs to improve integration with a Central Security Controller (4),

    a relay to directly command an access (door lock) (5),

    an opto-sensor to detect that the back cover has been removed (6),

    a multiplexed Wiegand / Dataclock input to receive the user identifier from an external badge reader (7),

    an Ethernet interface (LAN 10/100 Mbps) allowing remote communications using IP protocol for example (8),

    a Power Over Ethernet Interface (LAN 10/100 Mbps) allowing remote management and supplying power (9).

    The MorphoAccess 500 Series Installation Guide describes precisely each interface and connection procedure.

    SYSTEM SYNOPTIC

    Typical architecture including a MorphoAccess, a Host System and a Central Security Controller

    MorphoAccess biometric database management

    The management of the MorphoAccess internal biometric database can be done either locally (through the enrolment application), or remotely by a Host System (typically MEMS). Those two exclusive management modes are defined as the:

    Local management mode,

    Remote management mode.

    MorphoAccess operating mode

    The MorphoAccess works according to two exclusive operating modes.

    In Stand Alone Mode (terminal networked or not), the terminal can operate two applications: Access Control or Time & Attendance. When the terminal is networked, the biometric database can be managed by a Host System and downloaded to the MorphoAccess. When the terminal is not networked the database is managed locally.

    In Proxy Mode, the terminal is remotely operated by a host application that sends individual commands to the MorphoAccess.

    MorphoAccess result sending

    When the biometric identification is positive, the person ID can be sent to a Central Security Controller, for further action such as opening doors.

    TERMINAL PRESENTATION

    A MorphoAccess 500 Series terminal runs 4 applications, each dedicated to a given need.

    MACCESS

    This is the main application, dedicated to access control including biometric control.

    It is possible to leave this application to launch another application.

    This User Guide details the features of this application.

    ENROLMENT

    This application allows enrolling users in the terminal when the database of the MorphoAccess is not managed by an external system (Local management mode).

    The created database can be saved ciphered on a USB flash drive and exported to other stand alone MorphoAccess 500 Series.

    This application can also encode some MIFARE and/or DESFire contactless cards with users' finger templates (depending on the terminal; see section Scope of the document).

    A synchronisation message can be sent to a distant host to inform it about changes on biometric databases. Refer to Enrolment on terminal with synchronization section.

    The User Management Password protects the execution of this application.

    Please refer to Enrolment Application User Guide for more information about this application.

    CONFIGURATION

    This application allows modifying the main application parameters.

    Parameters are divided into files, sections and keys.

    The Terminal Configuration Password protects the execution of this application.

    Please refer to Configuration Application User Guide for more information about this application.

    LOGS VIEWER

    This application allows consulting the local event diary stored by the MorphoAccess: there is one record for each access request. It is also possible to export this file on a standard USB flash drive.

    The User Management Password protects the execution of this application.

    Please refer to Logs Viewer Application User Guide for more information about this application.

    Multi-applicative architecture synthesis

    ACCESS CONTROL PRESENTATION

    The MorphoAccess works according to two biometric recognition modes: identification or authentication. Identification and authentication can be activated at the same time (multi-factor mode).

    Identification (1 versus N)

    The user provides one of his fingerprints and the terminal is responsible for finding the user's identifier.

    In identification mode, the access request starts with a finger on the sensor.

    The reference biometric templates of all allowed users are stored in the local database. The captured fingerprint is compared to all reference templates to search for a match (1 versus N matching mode). If a match is found, the user's identifier is retrieved.

    Depending on the installed licence, the terminal can store up to 3000 users (2 fingers per user) in its local database or up to 50 000 users divided in 5 bases of 10 000 users each.

    In this mode the sensor is always switched on, waiting for a finger.

    If the user is matched, the ID can be returned to the Central Security Controller.

    If the user is not recognized, a no-match message can be sent to the Central Security Controller.

    See section Access Control by Identification.

    Authentication (1 versus 1)

    The user provides his identifier, and the terminal is responsible for checking it by comparing a captured fingerprint with one or two reference templates.

    In authentication mode, the access request starts when the user's identifier is provided.

    Authentication with reference templates in card (1 versus 1)

    User biometric templates are stored (and read) on the user's contactless MIFARE or DESFire card.

    If the user is matched, the ID can be returned to the Central Security Controller.

    If the user is not recognized, a no-match message can be sent to the Central Security Controller.

    See section Access Control by Authentication.

    Authentication with reference templates in terminal (1 versus 1)

    The reference templates of the user are stored in the local database.

    In that case, the user's identifier is used as a search key to find the user's templates in the local database.

    The user identifier can be received in a Wiegand or a Dataclock frame, or typed on the keyboard, or read on a contactless MIFARE or DESFire card.

    Multi-Factor recognition

    It is possible to combine several factors such as, what I have (a contactless smart card), what I know (PIN code), and what I am (biometric templates).

    Proxy mode

    Proxy Mode is not strictly speaking a recognition mode. In this mode, the MorphoAccess works as a slave waiting for external commands such as:

    identification,

    verification,

    relay activation,

    read data on a contactless card,

    Chapter Proxy mode gives more information about remote management.

    Please refer to MorphoAccess Host System Interface Specification for a complete description of commands.

    Proxy commands: Identification, Verification, Relay activation, Read card

    RESULT OF THE ACCESS CONTROL

    Scope

    The result of the access request is signified to the user by a specific message displayed on the screen, by a light signal, and by a sound signal.

    Welcome John Doe

    IDENTIFIED

    or

    NOT IDENTIFIED

    In addition to user information, the terminal is able:

    to activate an internal relay (to open a door),

    to register the access request result in an internal log file,

    and to send an access control result message to a distant system (usually a Central Security Controller) through several kinds of communication links.

    Relay

    If enabled, the MorphoAccess internal relay is activated, during the specified period, in case of successful control result (access is granted).

    Control result message: RS485 or RS422; Wiegand or Dataclock; Ethernet or Wi-Fi (UDP / TCP / SSL)

    Wiegand/Dataclock serial port

    The access request result message can be sent through a dedicated serial port using either the Wiegand or the Dataclock protocol.

    The message format includes only the user identifier (which must be a numeric value). By default, the message is sent only when the access control result is positive, but as an option this message can be sent when the result is negative, with an error code instead of the user identifier.

    Ethernet port

    The access request result message can be sent through an IP connection using either the UDP, the TCP, or the SSL protocol.

    Please refer to MorphoAccess Remote Messages Specification to know the information sent by the terminal.

    For IP, the administrator can set the port and define the protocol.

    Please refer to SSL Solution for MorphoAccess documentation, for further details about the SSL on the MorphoAccess.

    WI-FI connection

    Instead of an Ethernet connection, the terminal can be connected using a wireless b/g connection. Please refer to paragraphs Network WI-FI configuration and WI-FI configuration.

    The message format and the protocols supported are the same: UDP, TCP or SSL.

    It is not possible for a terminal to be connected through Ethernet and through WI-FI at the same time.

    RS485/422 serial port

    The access request result message (in ASCII format) can be sent through a dedicated serial port using either the RS485 or the RS422 protocol.

    Please refer to MorphoAccess Remote Messages Specification to know the information sent by the terminal.

    When the serial port is used for terminal management, it is not possible to send the access request result message through this port.

    Access request logging

    When enabled, the terminal creates a record for each access request in a local file. Each record includes: the date/hour of the access request, the user identifier (if available) and the result of the access rights local check.

    The content of this file can be downloaded by the Host System, or displayed on the terminal, or exported to a USB flash drive.

    The capacity of the file is 8 000 records: when the file is full, the recording of access request result automatically stops.

    The record file can be erased using the Logs Viewer embedded application. Please refer to MorphoAccess 500 Series Logs Viewer User Guide for further details.

    TERMINAL CONFIGURATION

    This chapter details how to configure the MorphoAccess. A parameter can be changed directly on the terminal or remotely through a network.

    A first start assistant named Easy Setup helps the administrator to define quickly a plug and play configuration with an existing physical Access Control System.

    EASY SETUP ASSISTANT

    Assistant initialization

    When the MorphoAccess starts for the first time an assistant helps the administrator to configure easily the main functions.

    EASY SETUP

    GREEN: VALID

    YELLOW: CORR., NEXT

    RED: ABORT, PREVIOUS

    NEXT

    The green key validates the choice.

    The yellow key corrects or goes to the next step.

    The red key aborts the operation and returns to the previous step.

    Language selection

    It is possible to choose the language of the application among installed languages.

    Refer to Multilingual application section for further details.

    APPLICATION LANGUAGE

    1 ENGLISH

    2 SPANISH

    3 FRENCH

    4 GERMAN

    Date and time configuration

    Date and time can be configured.

    Date format is MM/DD/YYYY (month/day/year).

    Key deletes a character.

    Key validates the selection.

    ENTER DATE

    08/25/200_

    MM/DD/YYYY

    VALID

    Ethernet interface settings

    Static or dynamic configuration

    It is possible to choose between static or dynamic network configurations.

    DHCP

    1 Enable []

    2 Disable [ ]

    DHCP disabled

    If DHCP is disabled, the following parameters must be set:

    IP address,

    Network mask,

    Default gateway.

    ENTER IP ADDRESS

    10.10.161.3_

    VALID

    DHCP enabled

    With DHCP only the terminal hostname on the network is required.

    The DNS server must be updated so that users can communicate with the MorphoAccess using the terminal hostname. Please contact your network administrator.

    ENTER HOSTNAME

    MA0789652_

    VALID

    Recognition mode

    Once the IP parameters are defined, the next step is to define the recognition mode.

    Recognition mode selection screen(s) depends on the type of terminal (see section Scope of the document).

    On terminals that do not have any contactless smartcard reader:

    RECOGNITION MODE

    1 Identification []

    Only identification mode can be selected.

    On terminals equipped with a MIFARE only contactless smartcard reader:

    RECOGNITION MODE

    1 Identification []

    2 Contactless [ ]

    3 Multifactor [ ]

    Terminal can be configured in Identification mode, Contactless authentication or Multi-factor mode (where Identification and Contactless authentication modes are merged).

    On terminals equipped with a MIFARE and DESFire contactless smartcard reader:

    First, enable or not identification mode:

    RECOGNITION MODE

    Do you want

    ? to use Identification ?

    YES NO

    Then, enable or not DESFire cards reading:

    RECOGNITION MODE

    Do you want

    ? to use DESFire cards ?

    YES NO

    Finally, enable or not MIFARE cards reading:

    RECOGNITION MODE

    Do you want

    ? to use MIFARE cards ?

    YES NO

    For example, if YES is answered to all the questions, the terminal will be in Multifactor mode (Identification + DESFire cards + MIFARE cards).

    Output interface

    The last step defines the interface used to export the control result.

    INTERFACE PARAMETERS

    1 Wiegand [OFF]

    2 Dataclock [OFF]

    3 ID on UDP [OFF]

    4 Next

    Each interface can be configured and activated independently.

    Select 4 Next to go to next step.

    Wiegand configuration

    Three protocols are available: 26, 34 and 37 bits.

    For other Wiegand configurations, please refer to chapter Authentication: ID input from Wiegand.

    WIEGAND

    1 26 bits []

    2 34 bits [ ]

    3 37 bits [ ]

    4 OFF [ ]

    Dataclock configuration

    Dataclock interface can be activated but is multiplexed with Wiegand output.

    UDP activation

    UDP remote messages can also be activated. The server IP address must be specified.

    SERVER IP ADDRESS

    10.10.161.7_

    VALID

    Password configuration

    This step consists in changing the passwords.

    PASSWORDS

    1 Terminal Config.

    2 User Management

    3 Reset User Mgt.

    4 Next

    Select 4 Next to leave the assistant.

    The terminal must reboot to apply the changes.

    EASY SETUP END

    REBOOT

    THE TERMINAL?

    NEXT ABORT

    Press NEXT to reboot the terminal.

    Press ABORT to return to password management.

    Change of MIFARE keys

    This section only concerns MorphoAccess equipped with a MIFARE contactless smart card reader (see section Scope of the document).

    This step is available since 2.09 firmware release.

    The assistant proposes to replace default MIFARE keys by custom MIFARE keys using an Administrator card (card that contains the new MIFARE keys).

    The following screen is displayed:

    Terminal config.

    Do you want

    ? to change MIFARE keys?

    YES LATER

    If the answer is YES (change keys is selected), the screen below is displayed and an administrator card must be presented:

    Terminal config.

    Present an Admin

    ! Card, please.

    ABORT

    As soon as the Administrator card is detected, the MIFARE keys are automatically updated in the terminal (the update progress is signalled by successive beeps).

    See MorphoAccess 500 Series Enrolment application User guide for details about Administrator card encoding.

    Change of DESFire keys

    This section only concerns MorphoAccess equipped with a DESFire contactless smartcard reader (see section Scope of the document).

    The assistant proposes to replace default DESFire keys by custom DESFire keys using an Administrator card (card that contains the new DESFire keys).

    The following screen is displayed:

    Terminal config.

    Do you want

    ? to change DESFIRE keys?

    YES LATER

    If the answer is YES (change keys is selected), the screen below is displayed and a DESFire administrator card must be presented:

    Terminal config.

    Present an Admin

    ! Card, please.

    ABORT

    As soon as the Administrator card is detected, the DESFire keys are automatically updated in the terminal (the update progress is signalled by successive beeps).

    See MorphoAccess 500 Series Enrolment application User guide for details about Administrator card encoding.

    WI-FI configuration (since 2.09 firmware revision)

    This step consists in configuring wireless communications in WLAN mode if a WI-FI USB adapter is plugged in and a Wi-Fi licence is loaded in the MorphoAccess (please refer to paragraph Network WI-FI configuration).

    The WI-FI Wizard allows the following operations:

    WIFI CONFIGURATION

    1 Active profile

    2 New profile

    3 Activate profile

    4 Get profile info

    WIFI CONFIGURATION

    4 Get profile info

    5 Modify profile

    6 Remove profile

    7 Next

    Display the active profile

    The choice 1 Active profile allows displaying the active profile (if any).

    ACTIVE PROFILE

    1 TEST_MA []

    Create and activate a new profile

    The choice 2 New profile allows creating and activating a new profile. This is the first action to perform on a new terminal.

    During the first step, the system searches for available WI-FI access points. This screen is temporarily displayed:

    NEW PROFILE

    Scanning

    Then the list of access points is displayed:

    CHOOSE ACCES POINT

    1 TEST_MA []

    2 WIFI_1 [..]

    3 other access point [..]

    At the second step, an access point must be chosen, existing or not, to create the new profile.

    The following menu is displayed and allows setting each parameter of the new profile:

    NEW PROFILE

    1 SSID

    2 MAC address

    3 authentication

    4 algorithm

    NEW PROFILE

    4 algorithm

    5 key

    6 channel

    7 valid

    Several parameters are automatically initialized by the first step: SSID, MAC address, channel. Other parameters are to be initialized by the network administrator:

    SSID (Service Set IDentifier) is the name of the profile,

    MAC address is the access point MAC address,

    the authentication can be: open or shared (only for WEP protection),

    the algorithm can be: None , WEP64 , WEP128 or WPA-PSK (since 2.11 firmware revision),

    the key to enter is a hexadecimal key of size 10 for WEP64 or 26 for WEP128, or an ASCII string of 8 to 63 characters for WPA-PSK,

    the channel can be changed to avoid interferences.
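
    The parameter rules listed above can be checked before a profile is keyed into a terminal. The following is an added example, not code from Sagem Sécurité or from the terminal firmware: the `WifiProfile` record, the function names and the `POLICY_MIN_PSK` threshold are assumptions, and the WEP key "size" is read as a count of hexadecimal characters.

```python
import re
from dataclasses import dataclass

# Rules transcribed from the guide's parameter list. The "size" of a WEP key
# is read here as a number of hexadecimal characters (assumption).
ALGORITHMS = ("None", "WEP64", "WEP128", "WPA-PSK")
AUTH_MODES = ("open", "shared")
WEP_HEX_LEN = {"WEP64": 10, "WEP128": 26}
PSK_MIN, PSK_MAX = 8, 63
# Site policy threshold, NOT from the guide: shorter passphrases are accepted
# by the terminal but reported as weak against offline guessing.
POLICY_MIN_PSK = 20


@dataclass
class WifiProfile:
    """Hypothetical record of one Wi-Fi profile (not a terminal file format)."""
    ssid: str
    authentication: str
    algorithm: str
    key: str = ""


def check_profile(p):
    """Return (errors, warnings) for one profile.

    errors   -> the profile breaks a rule stated in the guide
    warnings -> the profile is valid for the terminal but weak
    """
    errors, warnings = [], []

    if p.algorithm not in ALGORITHMS:
        errors.append("unknown algorithm %r" % p.algorithm)
        return errors, warnings
    if p.authentication not in AUTH_MODES:
        errors.append("unknown authentication %r" % p.authentication)
    elif p.authentication == "shared" and p.algorithm not in WEP_HEX_LEN:
        errors.append("'shared' authentication is only for WEP protection")

    if p.algorithm == "None":
        warnings.append("no encryption: result messages are readable on the "
                        "air unless they are sent over SSL")
    elif p.algorithm in WEP_HEX_LEN:
        n = WEP_HEX_LEN[p.algorithm]
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % n, p.key):
            errors.append("%s key must be %d hexadecimal characters"
                          % (p.algorithm, n))
        warnings.append("WEP is broken; use WPA-PSK (firmware 2.11 or later)")
    else:  # WPA-PSK
        printable = all(32 <= ord(c) <= 126 for c in p.key)
        if not (PSK_MIN <= len(p.key) <= PSK_MAX) or not printable:
            errors.append("WPA-PSK key must be an ASCII string of %d to %d "
                          "characters" % (PSK_MIN, PSK_MAX))
        elif len(p.key) < POLICY_MIN_PSK:
            warnings.append("passphrase shorter than site policy (%d)"
                            % POLICY_MIN_PSK)
    return errors, warnings


def audit(profiles):
    """Map each SSID to its (errors, warnings) pair."""
    return {p.ssid: check_profile(p) for p in profiles}


# Constructed sample profiles. TEST_MA and WIFI_1 reuse the SSIDs shown on the
# guide's screens; the other SSIDs and all keys are made up for this example.
SAMPLES = [
    WifiProfile("TEST_MA", "open", "WPA-PSK", "constructed passphrase 2009"),
    WifiProfile("WIFI_1", "shared", "WEP128", "0123456789abcdef0123456789"),
    WifiProfile("LOBBY", "shared", "WPA-PSK", "short"),
    WifiProfile("DOCK", "open", "WEP64", "12345"),
    WifiProfile("GUEST", "open", "None"),
]

if __name__ == "__main__":
    for ssid, (errs, warns) in audit(SAMPLES).items():
        print(ssid, "errors:", errs, "warnings:", warns)
```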

    If an existing access point is used, the parameters initially have the values of the access point parameters; for another access point, the parameters have default values.

    If WEP or WPA algorithm is chosen, the key must be entered (the key is not retrieved from access point).

    The profile must have the same value parameters as its access point.

    For the selection of one of the six first choices, data capturing screens or menu screens are displayed. The choice 7 valid allows creating and activating the profile with its parameters.
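    The parameter rules above can be checked before a profile is keyed into a terminal. The following Python sketch is an added example, not Sagem Sécurité code: the dictionary layout, the sample profiles and the MIN_PSK_LENGTH policy value are assumptions, while the algorithm names, key lengths and the open/shared restriction come from the list above.

```python
import string

ALGORITHMS = ("None", "WEP64", "WEP128", "WPA-PSK")
AUTHENTICATIONS = ("open", "shared")
HEX_KEY_LENGTH = {"WEP64": 10, "WEP128": 26}   # key lengths given in the guide
MIN_PSK_LENGTH = 16   # assumption: site policy, stricter than the guide's minimum of 8


def check_key(algorithm, key):
    """Return an error message if `key` does not fit `algorithm`, else None."""
    if algorithm in HEX_KEY_LENGTH:
        wanted = HEX_KEY_LENGTH[algorithm]
        if len(key) != wanted or not all(c in string.hexdigits for c in key):
            return f"{algorithm} key must be {wanted} hexadecimal characters"
    elif algorithm == "WPA-PSK":
        printable = all(32 <= ord(c) <= 126 for c in key)
        if not (8 <= len(key) <= 63 and printable):
            return "WPA-PSK key must be an ASCII string of 8 to 63 characters"
    return None


def check_profile(profile, access_point=None):
    """Return (errors, warnings) for one Wi-Fi profile.

    errors   -- values that break the rules stated in the guide
    warnings -- accepted values that leave the WLAN link weakly protected
    """
    errors, warnings = [], []
    algorithm = profile.get("algorithm")
    authentication = profile.get("authentication")
    key = profile.get("key", "")

    if algorithm not in ALGORITHMS:
        errors.append(f"unknown algorithm: {algorithm!r}")
    if authentication not in AUTHENTICATIONS:
        errors.append(f"unknown authentication: {authentication!r}")
    elif authentication == "shared" and algorithm not in HEX_KEY_LENGTH:
        errors.append("shared authentication is only for WEP protection")

    key_error = check_key(algorithm, key)
    if key_error:
        errors.append(key_error)

    if algorithm == "None":
        warnings.append("no link-layer encryption on the WLAN")
    elif algorithm in HEX_KEY_LENGTH:
        warnings.append("WEP keys are recoverable from captured traffic; prefer WPA-PSK")
    elif algorithm == "WPA-PSK" and not key_error and len(key) < MIN_PSK_LENGTH:
        warnings.append(f"WPA-PSK key shorter than {MIN_PSK_LENGTH} characters")

    # The profile must carry the same values as its access point.
    if access_point is not None:
        for field in ("ssid", "mac", "channel"):
            if profile.get(field) != access_point.get(field):
                errors.append(f"{field} differs from the access point")
    return errors, warnings


# Constructed sample data (MAC address, keys and channels are made up).
SAMPLE_AP = {"ssid": "TEST_MA", "mac": "00:11:22:33:44:55", "channel": 6}
GOOD = dict(SAMPLE_AP, authentication="open", algorithm="WPA-PSK",
            key="constructed-passphrase-01")
LEGACY = {"ssid": "WIFI_1", "mac": "00:11:22:33:44:66", "channel": 1,
          "authentication": "shared", "algorithm": "WEP128",
          "key": "0123456789abcdef0123456789"}
BROKEN = dict(SAMPLE_AP, channel=11, authentication="shared",
              algorithm="WPA-PSK", key="short")

if __name__ == "__main__":
    for name, profile, ap in (("GOOD", GOOD, SAMPLE_AP),
                              ("LEGACY", LEGACY, None),
                              ("BROKEN", BROKEN, SAMPLE_AP)):
        print(name, check_profile(profile, ap))
```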

    Activate an existing profile

    The choice 3 Activate profile allows activating an existing profile.

    A screen showing the profiles saved in the MorphoAccess is displayed and the profile to activate can be selected.

    The parameters are activated after terminal restart.

    The success of the WI-FI configuration can be checked by reading the IP address assigned by the WLAN network to the terminal: the IP address must be different from 0.0.0.0 if the profile's network configuration is DHCP.

    Display existing profile information

    The choice 4 Get profile info allows retrieving information about a profile.

    A screen showing the profiles saved in the MorphoAccess is displayed and the profile can be selected.

    Once a profile is selected, the following screen is displayed:

    NEW PROFILE

    1 SSID

    2 MAC address

    3 authentication

    4 algorithm

    NEW PROFILE

    4 algorithm

    5 channel

    This screen displays the value of each parameter.

    Modify an existing profile

    The choice 5 Modify profile allows modifying some parameters of a profile.

    A screen showing the profiles saved in the MorphoAccess is displayed and the profile can be selected.

    Once a profile is selected, the following screen is displayed:

    PROFILE TEST_MA

    1 authentication

    2 algorithm

    3 key

    4 valid

    If a WEP or WPA algorithm is chosen, the key must be entered (the key is not retrieved from the access point).

    The profile parameters must have the same values as those of its access point.

    Selecting one of the first three choices displays a data entry screen or a menu screen. Choice 4 valid creates and activates the profile with its parameters.

    Remove an existing profile

    The choice 6 Remove allows removing a profile.

    A screen showing the profiles saved in the MorphoAccess is displayed and the profile to remove can be selected.

    Configure active profile's network settings (since 2.11 firmware revision)

    The choice 7 Next allows choosing between static or dynamic network configurations.

    DHCP

    1 Enable []

    2 Disable [..]

    DHCP disabled

    If DHCP is disabled, the following parameters must be set:

    IP address,

    Network mask,

    Default gateway.

    ENTER IP ADDRESS

    10.10.161.3_

    VALID

    DHCP enabled

    When choosing the DHCP mode, the assistant asks for the terminal hostname.

    ENTER HOSTNAME

    MA0789652_

    VALID

    The DNS server must be updated so that users can communicate with the MorphoAccess using the terminal hostname. Please contact your network administrator.

    The terminal must be restarted for the changes to take effect.

    Note 1: If this step is never performed, the MorphoAccess configures the Wi-Fi active profile in DHCP mode.

    Note 2: The network configuration applies only to the active profile, not to the other profiles.

    Restarting WI-FI configuration

    Wi-Fi configuration wizard can be restarted:

    By escape sequence

    selecting Wi-Fi setup in Settings menu (available only when a WI-FI USB adapter is plugged in).

    Restarting Easy Setup

    MorphoAccess Easy Setup can be restarted:

    By escape sequence

    selecting Settings in main application MACCESS,

    selecting Easysetup in Settings menu.

    ADMINISTRATION MENU

    Access to Administration Menu

    Place your finger for Identification

    Please

    The main application can be interrupted using the escape sequence. Hit the following keys in sequence:

    , then . If the biometric database is not empty, the terminal accepts a finger registered as administrator instead of the valid User Management Password Code.

    By default, the User Management Password is 12345.

    USER MANAGEMENT CODE

    Present your finger please

    Or enter password:

    ***|

    If the Administrator uses the default password, it is possible to change it immediately.

    USER MANAGEMENT CODE

    Default password!

    ? Do you want to change it?

    YES LATER

    For security, Sagem Sécurité strongly recommends you change the terminal default password.

    Administration Menu features

    MA5XX APPLICATION

    1 Information

    2 Settings

    3 Enrolment

    4 More functions

    Information Menu

    MA5XX APPLICATION

    1 Information

    2 Settings

    3 Enrolment

    4 More functions

    Select Information to access the terminal and sensor information:

    INFORMATION

    1 Terminal Info

    2 Sensor Info

    Terminal information

    Select Terminal Info to access the following information:

    Terminal information   Description                                Example
    1 Type                 Terminal type                              520
    2 Serial Number        Terminal serial number                     073035353A
    3 Soft. Version        Terminal main software version (MACCESS)   V02.00.02
    4 IP Address           Terminal IP address                        134.1.32.214
    5 MAC Address          Terminal MAC address                       00:60:4C:69:53:53

    Sensor information

    Select Sensor Info to access the following information:

    Sensor information   Description                                   Example
    1 Licence Info       Licence information (licence name,            MSO_MA_IDENTLITE
                         Licence ID)                                   Device Licence ID: 251946640 0728EC51008
    2 Sensor Info        Sensor information (type, flash size,         MSO300
                         serial number, sensor ID)                     Flash: 32768 Ko
                                                                       SN: 0730A010026
                                                                       ID: 25115841-4
    3 Soft. Info         Sensor software version. After a software     MSO V08.02.d-C
                         upgrade, a reboot is necessary to get the
                         current version.

    Settings menu

    SETTINGS

    1 Factory Settings

    2 Easy Setup

    3 Change Passwords

    4 Wifi Setup

    Factory Settings resets MorphoAccess parameters to their default value. IP parameters are preserved.

    On MorphoAccess equipped with a MIFARE contactless smartcard reader (see section Scope of the document), the terminal will ask for MIFARE keys reset.

    On MorphoAccess equipped with a MIFARE and DESFire contactless smartcard reader (see section Scope of the document), the terminal will ask for MIFARE keys reset, and then will ask for DESFire keys reset.

    Please refer to MorphoAccess 500 Series Parameters Guide for the default parameter values.

    Easy Setup launches Easy Setup.

    Change Passwords allows changing system passwords.

    WiFi Setup allows configuring the WI-FI interface. This item appears only when a WI-FI USB adapter is plugged in the MorphoAccess.

    UNDERSTANDING MORPHOACCESS CONFIGURATION

    Presentation

    MorphoAccess parameters are stored in files organized into sections and values.

    For example, a file named app.cfg contains all the parameters defining the main application settings.

    [bio ctrl]

    identification=1

    nb attempts=2

    [log file]

    enabled=1

    Configuration organization

    The application creates several files:

    app.cfg,

    adm.cfg,

    bio.cfg,

    net.cfg,

    fac.cfg.

    Please refer to MorphoAccess Parameters Guide for further details on those files.

    Modifying a parameter

    There are two ways to modify a parameter:

    directly on the terminal using the Configuration Application,

    remotely through IP or Serial link with a client application running on the Host System.

    Notation

    In this manual a parameter is presented using this format:

    Short parameter description

    file/section/parameter Value

    For example to activate recognition mode based on identification, this key must be set to 1 (enabled, true, or yes when using the configuration application):

    Access control by identification

    app/bio ctrl/identification 1
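    The file/section/parameter notation maps directly onto the sectioned file layout shown for app.cfg, which makes it practical to compare a terminal's exported settings against an expected baseline, for instance after a Factory Settings reset. The Python sketch below is an added example, not part of the MorphoAccess tools: the sample file contents, the baseline and the Disabled/False/No spellings are assumptions, and the parameter names are the ones used in this guide.

```python
import configparser

TRUE_WORDS = {"1", "enabled", "true", "yes"}     # stated as equivalent in the guide
FALSE_WORDS = {"0", "disabled", "false", "no"}   # assumption: mirror of the above


def load_files(files):
    """Parse {file name without .cfg: file text} into {name: ConfigParser}."""
    parsed = {}
    for name, text in files.items():
        parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        parser.read_string(text, source=name + ".cfg")
        parsed[name] = parser
    return parsed


def normalise(value):
    """Map the configuration application's words onto the stored 1/0 values."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return "1"
    if word in FALSE_WORDS:
        return "0"
    return value.strip()


def lookup(parsed, path):
    """Resolve 'file/section/parameter'; return the value, or None if absent."""
    try:
        file_name, section, parameter = path.split("/", 2)
    except ValueError:
        raise ValueError(f"not a file/section/parameter path: {path!r}")
    parser = parsed.get(file_name)
    if parser is None:
        return None
    # Terminal screens show section names in upper case, so match without case.
    for name in parser.sections():
        if name.lower() == section.lower() and parser.has_option(name, parameter):
            return normalise(parser.get(name, parameter))
    return None


def audit(parsed, baseline):
    """Return [(path, expected, actual)] for every parameter off the baseline."""
    findings = []
    for path, expected in baseline.items():
        actual = lookup(parsed, path)
        if actual != normalise(expected):
            findings.append((path, expected, actual))
    return findings


# Constructed sample: app.cfg as it might be read back from a terminal.
SAMPLE_FILES = {
    "app": """\
[bio ctrl]
identification=1
nb attempts=2

[log file]
enabled=0
""",
}

# Constructed baseline, written the way the guide presents parameters.
BASELINE = {
    "app/bio ctrl/identification": "Enabled",
    "app/log file/enabled": "1",
    "app/modes/time and attendance": "0",
}

if __name__ == "__main__":
    for path, expected, actual in audit(load_files(SAMPLE_FILES), BASELINE):
        print(f"{path}: expected {expected}, found {actual}")
```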

    MODIFYING A PARAMETER USING THE CONFIGURATION APPLICATION

    The Configuration application allows changing a parameter directly on the terminal.

    You must exit any running application to display the application selection menu.

    If the main application is running, it must be quit using the escape sequence:

    , then .

    Then enter the User Management Password to access the Administration menu.

    Select More functions to exit the Access Control application.

    Press to display the functions menu.

    Select 3 CONFIGURATION to launch the Configuration application.

    The Configuration application is fully detailed in the Configuration Application User Guide. This chapter only offers a brief description.

    FUNCTIONS

    0 TELIUM MANAGER

    1 MACCESS

    2 ENROLMENT

    3 CONFIGURATION

    Keys role

    Keys and change the current selection (up and down selection)

    Key deletes a character or goes to previous screen

    Key confirms the change

    Key quits the application

    Changing a parameter

    To change a parameter, select the Configuration item.

    MAIN MENU

    1 Configuration

    2 More

    3 Quit

    A menu allows selecting the file to modify. Note that the order of the menu may change.

    FILE SELECTION

    1 bio

    2 app

    3 adm

    4 net

    When a file has been selected it is possible to choose a section.

    [APP]

    1 bio ctrl

    2 contactless

    3 relay

    4 send ID UDP

    The parameter list contains all parameters available in a section.

    [APP]/BIO CTRL

    1 authent ID keyboard

    2 identification

    3 authent card mode

    4 nb attempts

    It is possible to display parameters one by one in a given section.

    [app]/bio ctrl

    authent ID keyboard

    Enabled

    EDIT > EXIT

    The edit menu depends on the parameter type.

    NOTE: The values Enabled, True, Yes in the configuration application are equivalent to the value 1 when using the Configuration Tool for example (Refer to the Configuration Tool user guide).

    Binary choice

    [app]/bio ctrl

    authent ID keyboard

    True []

    False [ ]

    IP address

    [app]/send ID udp

    host address

    134. .1 .32 .214

    CONFIGURING A NETWORKED MORPHOACCESS

    Introduction

    A PC (running with MEMS for example) connected to a MorphoAccess can manage the terminal. Some available remote operations are:

    Biometric record addition,

    Control settings modification,

    Configuration reading,

    Local database deletion,

    Biometric record deletion,

    Control diary (log file) downloading,

    Firmware upgrade.

    The PC acts as a TCP/IP client for the MorphoAccess.

    The MorphoAccess works as a TCP/IP server waiting for requests from a client.

    The client can send biometric templates to the terminal and manage the local database.

    Please refer to MorphoAccess Host System Interface Specification for a complete description of the remote administration command set. This document also explains how to create a database and store biometric records in this base.

    [Figure: remote management operations (change mode, add template, get configuration)]

    Network factory settings

    By default the terminal IP address is 134.1.32.214. This address can be changed through IP (Configuration Tool) or with a USB flash drive (USB Network Tool).

    The default server port is 11010.

    Date/Time settings

    The date/time of the terminal can be initialized with the configuration assistant (Easy setup) or by a remote host system using an application such as the Configuration Tool (More button) described below.

    The terminal start-up process checks for date modification and does not accept a date older than the firmware generation date. In that case, the current date will be the firmware generation date.

    SSL securing (since 2.07 firmware revision)

    This remote management TCP link can be secured using SSL. Please refer to SSL Solution for MorphoAccess document for further details.

    Modifying a key using configuration tool

    Configuration Tool can modify MorphoAccess parameters. This program is an illustration of use of the TCP API. Please refer to Configuration Tool User Guide for further information about this program.

    Network WI-FI configuration (since 2.09 firmware revision)

    WI-FI connection is available under the following conditions:

    a Sagem Sécurité WI-FI USB adapter, ref. 189930722, must be plugged into the upper USB port of the terminal. The installation procedure is described in the MorphoAccess 500 Series Installation Guide,

    a MorphoAccess WI-FI Licence is loaded in the terminal (cf. paragraph Downloading a licence),

    the terminal must not be connected to a network with an Ethernet cable: WI-FI connection and Ethernet cable connection are mutually exclusive.

    Note 1: A DHCP server and a DNS server are mandatory when the Wi-Fi interface is configured in DHCP mode.

    The DHCP server automatically assigns an IP address to the MorphoAccess.

    The DNS server links the MorphoAccess hostname to its real IP address.

    It is also important that the DNS server is updated each time the DHCP server assigns another IP address to a MorphoAccess.

    Note 2: A MorphoAccess WI-FI Licence is mandatory.

    If a WI-FI USB adapter is plugged in and no licence is present, the MorphoAccess will display the following screen before restarting:

    SETTINGS

    No valid licence for

    WIFI

    Terminal will restart

    To solve this issue, unplug the WI-FI USB adapter, restart the terminal, and load a Wi-Fi licence.

    See WI-FI parameters description in paragraph WI-FI configuration.

    DOWNLOADING A LICENCE

    By default the MorphoAccess can match a fingerprint against a database of 3 000 users. This database configuration corresponds to a basic licence (MSO_MA_IDENTLITE).

    MA-Xtended licence (MSO_MA_IDENTPLUS) extends MorphoAccess recognition capabilities to 5 databases of 10 000 users (2 fingers per user) or 16 databases of 3 000 users.

    WI-FI network (WLAN) use is enabled with another licence.

    Licence number depends on the Device Licence ID. This unique identifier is checked by the Licence Manager tool. It can be displayed on the information menu.

    The Licence Manager tool allows downloading a licence in the MorphoAccess as explained in Terminal Licence Management documentation.

    UPGRADING THE FIRMWARE

    It is possible to upgrade your MorphoAccess firmware through IP.

    The firmware is available on the CDROM or on the Sagem Sécurité website.

    Use the MorphoAccess Quickloader to upgrade the terminal system.

    Please refer to the MorphoAccess Upgrade Tools User Guide for more information about upgrade procedures.

    SCREEN CONTRAST

    A keyboard shortcut controls the screen contrast.

    Key and increase the screen contrast

    Key and reduce the screen contrast

    STARTING UP APPLICATION

    By default, the MorphoAccess 500 Series terminal starts on the access control application (MACCESS). But it can also start on another application:

    Starting up application

    exe/init state/startup 1

    (MACCESS application)

    The following choices are allowed:

    Start on MACCESS application

    Start on ENROLMENT application

    Start on applications list.

    Please refer to MorphoAccess Parameters Guide.

    STAND ALONE MODES (NETWORKED OR NOT)

    The MorphoAccess works according to two biometric recognition modes: identification or authentication. Identification and authentication can be activated at the same time (multi-factor mode).

    In Stand Alone Mode, the terminal can operate two applications: Access Control or Time & Attendance.

    PRELIMINARY: ADDING A BIOMETRIC TEMPLATE IN LOCAL DATABASE

    The management of the MorphoAccess internal biometric database can be done either locally (through the enrolment application), or remotely by a Host System. These two mutually exclusive management modes are defined as follows:

    Local management mode,

    Remote management mode.

    Local enrolment

    The Enrolment Application is dedicated to this function.

    The local database can be exported in ciphered form to other MorphoAccess 500 Series devices using a USB flash drive.

    Contactless cards containing user templates can be generated using this application.

    A message can be sent to a remote host to inform it that changes were made to the MorphoAccess internal biometric database. The changes can then be exported to the host centralized database (cf. Enrolment on terminal with synchronization).

    Please refer to Enrolment Application User Guide for a complete description of local enrolment features.

    Remote management

    The user is enrolled on an Enrolment Station (typically a PC station with MEMS) and biometric templates are exported to the MorphoAccess via a communication link.

    This architecture allows managing many MorphoAccess databases from one PC client station.

    MACCESS APPLICATION: ACCESS CONTROL OR TIME & ATTENDANCE

    MorphoAccess application can be configured to work in physical access control mode or in time and attendance mode. In this configuration, each MorphoAccess event logged includes some attendance information (entry, exit...).

    When the time and attendance feature is activated, the main screen may display 2 or 4 functions or a bitmap file.

    Two functions mode:

    Time and Attendance (2 functions)

    app/modes/time and attendance 1

    TIME ATTENDANCE

    15:27

    OCT 08 2006

    Green key: IN selection

    Yellow key: OUT selection

    Four functions mode:

    Time and Attendance (4 functions)

    app/modes/time and attendance 2

    TIME ATTENDANCE

    15:26

    OCT 08 2006

    Green key: IN selection

    up key: Temporary IN selection (come back)

    down key: Temporary OUT selection

    Yellow key: OUT selection

    When entering, the user has to press key to log his entry time.

    When exiting, the user has to press key to log his exit time.

    For particular uses such as temporary absences, two additional functions corresponding to function keys 2 and 3 can be displayed.

    Extended mode:

    Extended Time and Attendance

    app/modes/time and attendance 3

    In this mode, each numeric key of the keyboard can be associated with one of the time and attendance functions, and a bitmap image (which usually specifies the keyboard mapping) is displayed on the screen. A specific text message can be displayed on the screen when an assigned key is pressed (refer to MorphoAccess Series Parameters Guide for further details). The key assignment and the bitmap picture are selected by configuration keys.

    To load the bitmap file in the MorphoAccess, use the program file BMP2REQ_Generator.exe and MATM tool to load the REQ file. The bitmap must be encoded as a MS Paint monochrome bitmap only and the bitmap size must be less than or equal to 128 x 50 pixels.

    The following screen is an example of what can be made:

    In this example, IN function is associated to the key 1, OUT to the key 3, temporary IN to the 7, and temporary OUT to the key 9; the key 5 is associated to the pressed key function.

    The selected function is written in the access request record, stored in the log file, and included in the "User Identifier" message sent to the host. For extended time and attendance the ASCII code of the pressed key is logged (i.e. 0x31 for key 1, 0x32 for key 2, ...).

    After selection, the MorphoAccess switches to biometric mode (identification or authentication).

    The selected function is written in the log file and sent to the host. For extended time attendance, the code of the pressed key is logged.

    If the user has selected the wrong operation (IN/OUT...), key can be pressed at any moment during biometric invitation to abort the verification. In this case, nothing is logged or sent to the controller.

    After 20 seconds of inactivity in identification mode (no finger detected on the sensor), the terminal switches back to the selection screen. In this case the operation result is logged and/or sent to the controller (time-out).

    To disable Time Attendance mode set app/modes/time and attendance to 0.

    NOTE: The icon set used for the time and attendance mode is customizable. Icons from old MorphoAccess 200 and 300 Series can be displayed instead of the new ones (Refer to MorphoAccess Series Parameters Guide for further details).

    Note about terminal clock deviation

    The terminal clock has a +/- 4 sec per day typical time deviation at +25°C. At 50°C, the time deviation may be up to -8 sec per day.

    For applications requiring time precision (such as SSL, DESFire), the MorphoAccess clock must be synchronized regularly with an external clock.

    ACCESS CONTROL BY IDENTIFICATION

    Access control by identification

    app/bio ctrl/identification 1

    To configure the MorphoAccess in this mode, set the parameter app/bio ctrl/identification to 1.

    After starting, the MorphoAccess waits for fingerprint detection in identification mode. The sensor is lit.

    Place your finger for Identification

    Please

    The user presents a finger to start identification process.

    Remove finger Analyzing

    If the identification is successful, the terminal triggers the access or returns the corresponding ID to the central security controller.

    The ID can be sent through various interfaces. Please refer to MorphoAccess Remote Messages Specification for a complete description of hit and no hit messages.

    Result is displayed on terminal screen.

    Welcome John Doe

    Identified.

    Once the user identification is done, the terminal automatically loops back and waits for a new finger.

    At least one user (biometric template) must be stored in the local database.

    If the terminal is running in identification mode with an empty database, the sensor is off and the following screen is displayed.

    Empty Database Please contact

    Administrator

    Disabling identification

    Set app/bio ctrl/identification to 0 to disable identification.

    ACCESS CONTROL BY IDENTIFICATION (MA-XTENDED LICENCE LOADED)

    It is possible to increase MorphoAccess 500 Series biometric database size thanks to a licence (MA-Xtended licence): the MorphoAccess then manages 5 bases of 10 000 users or 16 databases of 3 000 users.

    Access control by identification with MA-Xtended licence

    app/bio ctrl/identification 1

    To configure the MorphoAccess in this mode, set the parameter app/bio ctrl/identification to 1 (Enabled, True, Yes when using the configuration application) and verify that MA-Xtended licence has been loaded.

    Please refer to chapter Downloading a licence to learn how to upgrade the MorphoAccess with MA-Xtended licence.

    After starting, the MorphoAccess waits for fingerprint detection in identification mode. The sensor is lit.

    If an MA-Xtended licence is loaded it is possible to choose the active database.

    To select a user database, press a key number to toggle the database number. By default, databases 0 to 4 can be selected and used.

    Database 0 is the default database.

    Place your finger for Identification

    Please

    4 14:25

    The user can present a finger to launch identification process.

    If the identification is successful, the terminal triggers the access or returns the corresponding ID to Central Security Controller.

    Once the user identification is done, the terminal automatically loops back to database 0 and waits for a new finger.

    At least one fingerprint must be stored in the local database.

    If the selected database is empty or does not exist, the sensor is off and the following screen is displayed, before returning to the database 0.

    Empty Database Please contact

    Administrator

    2

    Set app/bio ctrl/identification to 0 to disable identification.

    Database numeration

    MA-Xtended licence extends biometric database capacity from 1 base of 3 000 users to 5 bases of 10 000 users. In this configuration the user must select his database number (from 0 to 4) before presenting a finger to launch identification process.

    For MorphoAccess 300 Series user convenience, it is also possible to activate a 16 databases mode. In this mode the user selects a database number between 0 and 15, and presents a finger to launch identification process.

    The base identification is a two-digit number, with a leading zero when required. The default-selected base is the base with identification 00.

    Numeric keys allow selecting a database from 0 to 9. To select database 3, press .

    Key allows selecting a database from 10 to 15. To select database 13, press then .

    Valid base numbers are from 0 to 15. If the selected base number is higher than 15, the number of the default base (0) is automatically forced.

    Database numeration

    app/G.U.I/database conversion 500 for 5 databases mode

    300 for 16 databases mode

    Note about 16 databases mode

    From the terminal point of view, there are still 5 biometric databases.

    Database (MorphoAccess 300 Series     Database (MorphoAccess 500 Series,
    or MorphoAccess 500 Series)           MA-Xtended licence)
    0, 1, 2                               0
    3, 4, 5                               1
    6, 7, 8                               2
    9, 10, 11                             3
    12, 13, 14, 15                        4

    MEMS will automatically associate the user to the right base. For example a user stored into database 4 on a MorphoAccess 300 Series will be stored into database 1 on a MorphoAccess 500 Series.

    INTRODUCTION TO CONTACTLESS AUTHENTICATION

    Enabling contactless smartcard reading

    On terminals equipped with a MIFARE and/or DESFire contactless smartcard reader (see section Scope of the document), MIFARE and/or DESFire card reading capability can be configured using the following specific configuration key:

    Enabled profiles

    app/contactless/enabled profiles 0-3

    - 0 means no card profile

    - 1 means Activation of DESFire card profile only

    - 2 means Activation of MIFARE card profile only

    - 3 means Activation of both DESFire and MIFARE card profiles

    It is then necessary to configure the parameters listed in the next sections to set the desired recognition mode using a contactless smart card. Note that when the app/contactless/enabled profiles key is set to 0 and the parameters listed in the following sections are configured to set a recognition mode using a contactless smartcard, MIFARE card reading is automatically enabled.

    On terminals equipped with a MIFARE-only contactless smart card reader (see section Scope of the document), it is only necessary to configure the parameters listed in the next sections to set the desired recognition mode and enable MIFARE card reading at the same time (i.e. set that key to 0).

    Recognition modes

    Various recognition modes using a contactless card can be applied depending on the templates location (card or terminal database) and the required security level.

    Recognition with DESFire cards assumes that the user swipes a DESFire card (depending on configuration) containing some structured data (identifier, biometric templates, PIN code...).

    Recognition with MIFARE cards assumes that the user swipes a MIFARE card containing some structured data (identifier, biometric templates, PIN code...). Data are located on the card by a block (B parameter) and are protected by a key (defined by C parameter). The C parameter defines which key is used during the authentication with the card.

    For a complete description of card structure and access mode, please refer to MorphoAccess Contactless Card Specification.

    The following recognition modes are available:

    Authentication with biometric templates on card

    Captured fingerprints are matched against templates read on the card (PK). User identifier and user biometric templates must be stored on the card.

    In this mode it is also possible to check a PIN code before the authentication and to replace the biometric authentication by a BIOPIN code check. The BIOPIN code is used when user biometric templates are not available (a visitor for example).

    Authentication with biometric templates on local database

    Captured fingerprints are matched against templates read from the local database. Only the user identifier is required on the card.

    Authentication based on tag card mode

    Depending on the card mode, either templates are read on the card or the control can be bypassed (visitor mode). The card mode tag must be stored on the card.

    It is possible to check PIN code before the authentication and to replace the biometric authentication by a BIOPIN check.

    It is also possible to skip the biometric control: in this case the terminal acts as a contactless card reader.

    Contactless authentication can be combined with a local identification (multi-factor mode).


    AUTHENTICATION WITH BIOMETRIC TEMPLATES ON CARD

    Authentication with biometric templates on contactless card

    app/bio ctrl/authent PK contactless 1 (Enabled)

    Terminals equipped with a contactless smartcard reader (see section Scope of the document) can work in contactless authentication mode: the user presents his card, the terminal reads the reference biometric templates on the card and launches a biometric control based on the read templates.

    In that case, the card must contain the user identifier and biometric templates: no local database is required.

    To trigger authentication, the user presents his card to the terminal.

    [Terminal screen: Please Present Contactless Smart Card]

    If the card contains user templates, the user is invited to present his finger for biometric authentication.

    [Terminal screen: Place your finger / For Authentication / Please]

    If the authentication is successful, the terminal triggers the access or returns the corresponding ID to the Central Security Controller.

    Once the user authentication is finished, the terminal automatically loops back and waits for a new card presentation.

    Required tags on card

    Mode                         ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    Contactless authentication   Yes   No          Yes   Yes   No    No

    Card structure is described in MorphoAccess Contactless Card Specification.


    PIN VERIFICATION - PIN STORED ON CARD

    If a reference PIN code is stored on the card, it is possible to check this code before controlling the fingerprints.

    PIN code verification

    app/bio ctrl/control PIN 1 (Yes)

    To trigger authentication, the user presents his card to the terminal.

    [Terminal screen: Please Present Contactless Smart Card]

    If the card contains a PIN code, the user is invited to enter his PIN code.

    [Terminal screen: Please enter PIN / *** / VAL COR]

    If the PIN code is correct, the user is invited to present his finger for biometric authentication.

    [Terminal screen: Place your finger / For Authentication / Please]

    If the authentication is successful, the terminal triggers the access or returns the corresponding ID to the Central Security Controller.

    It is also possible to activate this mode independently of biometric authentication. In this case, only the PIN code is checked.

    Required tags on card

    Mode                      ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    PIN code verification     Yes   No          No    No    Yes   No
    PIN then authentication   Yes   No          Yes   Yes   Yes   No


    BIOPIN VERIFICATION - BIOPIN STORED ON CARD

    In this mode the card should contain a BIOPIN code. The goal of this code is to replace fingerprints authentication by BIOPIN code verification.

    BIOPIN code verification

    app/bio ctrl/BIOPIN enabled 1 (Yes)

    This mode must be activated with the authentication that uses fingerprints from the contactless card (authent PK contactless set to 1). The terminal looks for finger templates stored on the card. If there aren't any, it looks for a BIOPIN code.

    To trigger the BIOPIN code verification, the user presents his card to the terminal.

    If the card contains a user BIOPIN, the user is invited to enter it.

    [Terminal screen: Please enter biometric PIN / *** / VAL COR]

    If the BIOPIN is correct, the terminal triggers the access or returns the user ID to the Central Security Controller.

    This mode can be combined with a preliminary PIN code verification.

    Required tags on card

    Mode                       ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    BIOPIN code verification   Yes   No          No    No    No    Yes


    AUTHENTICATION WITH BIOMETRIC TEMPLATES IN LOCAL DATABASE

    In this mode, only the ID (Identifier) is read on the card. If the ID exists in the biometric database, the MorphoAccess performs an authentication using the biometric templates associated to this ID.

    The ID can be stored into a TLV structure (typically a card encoded by MEMS) or directly read at a given offset of the card (binary ID).

    ASCII ID, structured data

    Contactless authentication with templates on local database

    app/bio ctrl/authent ID contactless 1 (Enabled)

    The identifier must be stored into a TLV structure.

    ASCII identifier in tagged structure

    app/contactless/data format   0 (structured data)
    app/contactless/data length   0
    app/contactless/data offset   0

    The user identifier is used as an index in the local database of the MorphoAccess: reference biometric templates are stored in the local database.

    To trigger authentication, the user presents his card to the terminal.

    [Terminal screen: Please Present Contactless Smart Card]

    If the corresponding ID exists in the terminal database, the user is invited to place his finger for biometric authentication.

    [Terminal screen: Place your finger / For Authentication / Please]

    If the authentication is successful, the terminal triggers the access or returns the corresponding ID to the Central Security Controller.


    Once the user authentication is done, the terminal automatically loops back and waits for a new card presentation.

    Required tags on card

    Mode                     ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    authent ID contactless   Yes   No          No    No    No    No

    Note: a non-empty database must exist in the terminal.

    Binary identifier, non-structured data

    This mode cannot be used when card profile reading is configured (cf. Enabling contactless smartcard reading).

    Contactless authentication with templates on local database

    app/bio ctrl/authent ID contactless 1 (Enabled)

    In this mode the identifier is read at a given offset on the card and is supposed to be binary. No TLV structure is required on the card.

    It is possible to read non-byte-aligned data. This is useful for reading a user ID included in Wiegand data or for using the card serial number as an identifier.

    Binary identifier, non-structured data

    app/contactless/data format 1 (binary data)

    Binary data are defined by their position from the first read block.

    ID length is limited to 8 bytes (app/contactless/data length 8.0).

    ID offset is limited to 15 bytes (app/contactless/data offset 15.0).

    Data localization

    app/contactless/B             [1-215]: read block
    app/contactless/data length   [number of bytes].[additional bits]
    app/contactless/data offset   [number of bytes].[additional bits]

    The interpretation of the data can be defined.

    Data interpretation

    app/contactless/data type     0.1 (binary data, MSB first)
                                  0.0 (binary data, LSB first, RFU)


    The user identifier is used as an index in the local database of the MorphoAccess: in this case reference biometric templates are stored in the local database.

    Authentication process is exactly the same as the one presented above.

    Example: 4-byte identifier.

    The terminal is configured to read 4 bytes.

    Read bytes are F4 E1 65 34.

    Corresponding user identifier in the local database is 4108412212 (ASCII).

    Example: reading a MIFARE smartcard Serial Number (big endian format).

    app/contactless/data format = 1

    app/contactless/data type = 0.1

    app/contactless/data length = 4.0

    app/contactless/data offset = 0.0

    app/contactless/B = 1

    Example: reading a 32-bit identifier in a complete Wiegand frame.

    The card contains at sector 15 a complete 37-bit Wiegand frame (including parity bits, site code).

    In this example a 32-bit identifier begins at bit 4; parity bits are noted P.

    [Figure: sector 15, byte 0 to byte 4 (bits 0 to 39). Fields in order: P, Site, 32 bits ID, P.]

    The corresponding configuration will read only the 32-bit ID on the card.

    app/contactless/data format = 1     Binary identifier
    app/contactless/data type = 0.1     Binary identifier read in MSB
    app/contactless/data length = 4.0   4 bytes length
    app/contactless/data offset = 0.4   ID begins bit 4 of sector 15
    app/contactless/B = 46              Read at sector 15

    It is possible to configure the MorphoAccess Wiegand output to add parity bits.
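
    The two reads described above (a 4-byte value at offset 0.0, and a 32-bit ID at bit offset 0.4 inside a Wiegand frame), worked as an added example that is not part of the Sagem guide. It assumes bit 0 is the most significant bit of byte 0; the function names and the 37-bit sample block are constructed for illustration.

```python
# Added example: decode a binary identifier from the bytes read on the card,
# following the "binary identifier, non-structured data" settings.
# Assumption: bit 0 is the most significant bit of byte 0 (data type 0.1).

MAX_LENGTH_BITS = 8 * 8     # page: ID length is limited to 8 bytes (8.0)
MAX_OFFSET_BITS = 15 * 8    # page: ID offset is limited to 15 bytes (15.0)


def to_bits(value: str) -> int:
    """Convert a '[number of bytes].[additional bits]' key value to a bit count.

    The value is parsed as text: '0.4' means 0 bytes + 4 bits, not the float 0.4.
    """
    whole, sep, extra = value.partition(".")
    if not sep or not whole.isdigit() or not extra.isdigit():
        raise ValueError(f"malformed value {value!r}")
    if int(extra) > 7:
        raise ValueError(f"additional bits must be 0-7 in {value!r}")
    return int(whole) * 8 + int(extra)


def extract_binary_id(block: bytes, data_length: str, data_offset: str) -> str:
    """Return the identifier as the decimal ASCII string used as database index."""
    nbits = to_bits(data_length)
    start = to_bits(data_offset)
    if not 0 < nbits <= MAX_LENGTH_BITS:
        raise ValueError("data length must be above 0.0 and at most 8.0")
    if start > MAX_OFFSET_BITS:
        raise ValueError("data offset above 15.0")
    total = len(block) * 8
    if start + nbits > total:
        raise ValueError("identifier runs past the end of the data read")
    shift = total - start - nbits           # bits to the right of the field
    value = (int.from_bytes(block, "big") >> shift) & ((1 << nbits) - 1)
    return str(value)


def build_wiegand37_block(site: int, ident: int) -> bytes:
    """Constructed sample: P, 3-bit site, 32-bit ID, P, padded to 16 bytes.

    Both parity bits are left at 0: the configuration above reads only the
    ID field, so only its position matters for this example.
    """
    frame = (site & 0b111) << 33 | (ident & 0xFFFFFFFF) << 1
    return (frame << 3).to_bytes(5, "big") + bytes(11)


PAGE_BYTES = bytes.fromhex("F4E16534")                    # bytes quoted on the page
SAMPLE_BLOCK = build_wiegand37_block(0b101, 0xF4E16534)   # constructed

if __name__ == "__main__":
    print(extract_binary_id(PAGE_BYTES, "4.0", "0.0"))     # 4 bytes from offset 0
    print(extract_binary_id(SAMPLE_BLOCK, "4.0", "0.4"))   # ID inside the frame
```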


    AUTHENTICATION BASED ON CARD MODE

    Contactless authentication with card mode

    app/bio ctrl/authent card mode 1 (Enabled)

    In this mode the card decides how the control proceeds.

    The CARD MODE tag is required. This tag can take several values.

    - PKS [0x02]: the user identifier, template 1 and template 2 are required on the card. Biometric authentication is triggered with biometric templates. If a BIOPIN is present instead of templates, the BIOPIN is controlled.

    - ID_ONLY [0x01]: only the user identifier is required. There is no biometric control; the control is immediately positive. This feature is useful for visitors requiring access without enrolment. It is still possible to store templates on the card.

    - PIN_CODE [0x10]: only the PIN code is controlled.

    - PIN_THEN_PKS [0x12]: the PIN code is controlled, then templates or BIOPIN.

    To enable this mode set app/bio ctrl/authent card mode to 1.

    To disable this mode set app/bio ctrl/authent card mode to 0.

    Required tags on card if CARD MODE tag value is PKS.

    Mode                               ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    authent card mode (PKS)            Yes   Yes         Yes   Yes   No    No
    authent card mode (PKS) (BIOPIN)   Yes   Yes         No    No    No    Yes

    Required tags on card if CARD MODE tag value is ID_ONLY.

    Mode                          ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    authent card mode (ID_ONLY)   Yes   Yes         No    No    No    No


    Required tags on card if CARD MODE tag value is PIN_CODE.

    Mode                           ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    authent card mode (PIN_CODE)   Yes   Yes         No    No    Yes   No

    Required tags on card if CARD MODE tag value is PIN_THEN_PKS.

    Mode                                        ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    authent card mode (PIN_THEN_PKS)            Yes   Yes         Yes   Yes   Yes   No
    authent card mode (PIN_THEN_PKS) (BIOPIN)   Yes   Yes         No    No    Yes   Yes

    Card structure is described in MorphoAccess Contactless Card Specification.

    Note about bypass option combined with card mode

    When the bypass authentication configuration key is activated (see Bypassing the biometric control in authentication), the global control is bypassed and card mode is ignored.

    Remark about MorphoAccess with MA-Xtended licence loaded

    A MorphoAccess with MA-Xtended licence loaded scans the five biometric databases to find the biometric templates associated to the ID.
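
    The card-mode rules and required-tag tables of this section, modelled as an added example that is not part of the Sagem guide. Tag names and CARD MODE values come from this section; the function names, the FINGERPRINT step label and the sample cards are constructed, and the inventory check lists cards that are accepted without a fingerprint match.

```python
# Added example: model of the card-mode decision described in this section.
# Tag names and mode values are the page's; everything else is constructed.

CARD_MODES = {0x01: "ID_ONLY", 0x02: "PKS", 0x10: "PIN_CODE", 0x12: "PIN_THEN_PKS"}


def _biometric_step(tags: dict) -> str:
    """Templates if both are on the card, otherwise the BIOPIN replacement."""
    if "PK1" in tags and "PK2" in tags:
        return "FINGERPRINT"
    if "BIOPIN" in tags:
        return "BIOPIN"
    raise ValueError("card has neither PK1+PK2 nor BIOPIN")


def control_steps(tags: dict, bypass: bool = False) -> list:
    """Ordered checks applied to a card; an empty list means no check at all."""
    if "ID" not in tags:
        raise ValueError("ID tag missing")
    if bypass:                      # bypass key activated: card mode is ignored
        return []
    if "CARD MODE" not in tags:
        raise ValueError("CARD MODE tag missing")
    mode = CARD_MODES.get(tags["CARD MODE"])
    if mode is None:
        raise ValueError(f"unknown CARD MODE value {tags['CARD MODE']!r}")
    steps = []
    if mode in ("PIN_CODE", "PIN_THEN_PKS"):
        if "PIN" not in tags:
            raise ValueError("PIN tag missing")
        steps.append("PIN")
    if mode in ("PKS", "PIN_THEN_PKS"):
        steps.append(_biometric_step(tags))
    return steps                    # ID_ONLY falls through with no step


def cards_without_fingerprint(cards: list, bypass: bool = False) -> list:
    """Inventory check: (ID, reason) for cards accepted without a fingerprint."""
    findings = []
    for tags in cards:
        try:
            steps = control_steps(tags, bypass)
        except ValueError as exc:
            findings.append((tags.get("ID"), f"invalid card: {exc}"))
            continue
        if "FINGERPRINT" not in steps:
            findings.append((tags.get("ID"), "+".join(steps) or "no check"))
    return findings


SAMPLE_CARDS = [    # constructed card contents
    {"ID": "1001", "CARD MODE": 0x02, "PK1": b"..", "PK2": b".."},
    {"ID": "1002", "CARD MODE": 0x01},
    {"ID": "1003", "CARD MODE": 0x12, "PIN": "0000", "BIOPIN": "0000"},
    {"ID": "1004", "CARD MODE": 0x10},
]

if __name__ == "__main__":
    for card_id, reason in cards_without_fingerprint(SAMPLE_CARDS):
        print(card_id, reason)
```

    Run over an export of issued cards, the same check shows which badges rely on ID_ONLY, PIN or BIOPIN alone, and that activating the bypass key puts every card in that list.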


    MULTI-FACTOR (MERGED) MODE

    This mode is a merge of identification mode and contactless authentication mode.

    This mode allows:

    - performing identification when the user places his finger (operation identical to identification mode),

    - performing a contactless authentication when the user swipes his contactless card (operation identical to contactless authentication without database mode).

    To trigger authentication, the user presents his card to the terminal or places his finger on the sensor.

    [Terminal screen: Please place your finger or / Present card]

    If the authentication or the identification is successful, the terminal triggers the access or returns the corresponding ID to the Central Security Controller.

    If there is no database, contactless card presentation is still possible.

    Enabling identification together with one contactless mode activates this mode.

    Merged mode

    app/bio ctrl/identification           1 (Enabled)

    And

    app/bio ctrl/authent PK contactless   0 (Disabled) or 1 (Enabled)
    app/bio ctrl/authent card mode        0 (Disabled) or 1 (Enabled)
    app/bio ctrl/authent ID contactless   0 (Disabled) or 1 (Enabled)
    app/bio ctrl/control PIN              0 (Disabled) or 1 (Enabled)


    Required tags on card

    The required tags on the card depend on the authentication mode, but at least an ID is necessary.

    Mode                    ID    CARD MODE   PK1   PK2   PIN   BIOPIN
    bypass authentication   Yes   No          No    No    No    No


    AUTHENTICATION WITH LOCAL DATABASE: ID ENTERED FROM KEYBOARD

    Biometric authentication with ID entered from keyboard

    app/bio ctrl/authent ID keyboard 1 (Enabled)

    In this mode, the ID of the user is entered using the MorphoAccess keyboard. If the ID exists in the database (or in one of the five databases), the MorphoAccess performs an authentication using the biometric templates associated to this ID.

    [Figure: ID entered using the keypad and the authentication starts]

    The default screen invites the user to enter his numerical identifier.

    [Terminal screen: Please enter ID / 3563_ / VAL COR]

    NOTE: ID length is limited to 24 characters.

    Key deletes the last character.

    Once the ID is entered, the user confirms with the green key.


    If the corresponding ID exists in the terminal database, the user is invited to place his finger for biometric authentication.

    [Terminal screen: Place your finger / For Authentication / Please]

    If the authentication is successful, the terminal triggers the access or returns the corresponding ID to the Central Security Controller.

    If the identifier is not present in the local database, authentication is not launched.

    [Terminal screen: User not found in current database / 35639]

    Once the user identification is done, the MorphoAccess automatically loops back and waits for a new ID.

    Remark about MorphoAccess with MA-Xtended licence loaded

    A MorphoAccess with MA-Xtended licence loaded will scan the five biometric databases to find the biometric templates associated to the ID.

    Note about bypass option

    When the bypass authentication configuration key is activated (see Bypassing the biometric control in authentication), the MorphoAccess checks that the ID is present in the local database (or databases for MA-Xtended licence) before granting the access.


    AUTHENTICATION WITH LOCAL DATABASE: ID INPUT FROM WIEGAND OR DATACLOCK

    Biometric authentication: ID input from Wiegand or Dataclock

    app/bio ctrl/authent remote ID source   1 for Wiegand
                                            2 for Dataclock

    This mode requires an external card reader that sends the ID of the user to authenticate to the MorphoAccess Wiegand or Dataclock input.

    The default screen invites the user to pass his badge so the external reader sends the user ID to the MorphoAccess Wiegand or Dataclock input.

    [Terminal screen: Pass your badge / For Authentication / Please]

    If the ID exists in the database, the MorphoAccess performs an authentication using the biometric templates associated to this ID.

    [Terminal screen: Place your finger / For Authentication / Please]

    If the authentication is successful, the terminal triggers the access or returns the user ID to the Central Security Controller.

    Once the user authentication is done, the MorphoAccess automatically loops back and waits for a new input ID.

    [Figure: Wiegand or Dataclock input]


    If the identifier sent by the reader is not present in the local database, authentication is not launched.

    [Terminal screen: User not found in current database / 64235]

    Remark about MorphoAccess with MA-Xtended licence loaded

    A MorphoAccess with MA-Xtended licence loaded will scan the five biometric databases to find the biometric templates associated to the ID.

    Note about bypass option

    When the bypass authentication configuration key is activated (see Bypassing the biometric control in authentication), the MorphoAccess checks that the ID sent to the Wiegand or Dataclock input is present in the local database (or databases) before granting the access.

    Wiegand frame configuration

    When set up to communicate with the Wiegand protocol, the MorphoAccess can handle multiple data formats.

    Default format is 26 bits.

    The Wiegand frame format is defined using six configuration keys. A different protocol can be defined for input.

    Wiegand frame timings are not customizable. Additional security (ciphering) is not handled. All Wiegand protocols are reverse.

    The customizable parameters of a Wiegand frame are listed below.

    - Length

    A Wiegand frame can contain up to 128 bits.

    - Control bits

    In a Wiegand frame, start and stop bits are used as control bits. They can be fixed to 0 or 1 or be used as parity (odd or even) bits calculated over bits of the frame.

    - Data

    In the Wiegand protocol, three data items are handled: the Site code (also called Facility Code or Comparison Number), the ID (also called Badge Number or Sequence Number) and a custom data item. Data can have a variable bit size and can be located anywhere in the frame. Data are inserted in the frame MSB first.


    NOTE: Since software version 2.00, the configuration key names have been modified. The previously set key values are preserved.

    Wiegand input parameters (app/wiegand in/)

    frame length (before v2.00: length)
        1-128   Defines the number of bits of the frame.

    start format (before v2.00: start)   Defines the start control bit:
        0.0     Reset to 0.
        1.0     Set to 1.
        2.n     Even parity calculated over the n first bits.
        3.n     Odd parity calculated over the n first bits.
        4.0     No start bit.

    stop format (before v2.00: stop)   Defines the stop control bit:
        0.0     Reset to 0.
        1.0     Set to 1.
        2.n     Even parity calculated over the n last bits.
        3.n     Odd parity calculated over the n last bits.
        4.0     No stop bit.

    site format (before v2.00: site)
        n.m     Insert m bits of site value at offset n.

    ID format (before v2.00: ID)
        n.m     Insert m bits of ID value at offset n.

    custom format (before v2.00: custom)
        n.m     RFU.

    Wiegand frame example (26 bits)

    Field   Bits    Size
    START   0       1 bit
    SITE    1-8     8 bits
    ID      9-24    16 bits
    STOP    25      1 bit

    [The figure also marks the START bit calculation range and the STOP bit calculation range.]
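
    An added example (not Sagem code) that builds and validates a frame from the key values described above, using the 26-bit layout. It assumes that 2.n and 3.n count the n data bits adjacent to the control bit, excluding the control bit itself; the key values in CFG_26 and the function names are constructed.

```python
# Added example: build and check a Wiegand frame from the configuration keys.
# Assumption: parity ranges cover the n data bits next to the control bit and
# exclude the control bit itself. CFG_26 values are constructed, not defaults
# taken from the guide.

CFG_26 = {
    "frame length": 26,
    "start format": "2.12",   # even parity over the 12 first data bits
    "stop format": "3.12",    # odd parity over the 12 last data bits
    "site format": "1.8",     # 8 bits of site value at offset 1
    "ID format": "9.16",      # 16 bits of ID value at offset 9
}


def _pair(value: str) -> tuple:
    left, right = value.split(".")
    return int(left), int(right)


def _control_bit(fmt: str, covered: str) -> str:
    """Expected control bit for a start/stop format and the bits it covers."""
    mode, _ = _pair(fmt)
    ones = covered.count("1")
    if mode in (0, 1):                  # fixed to 0 or fixed to 1
        return str(mode)
    if mode == 2:                       # even parity: total count of 1s is even
        return str(ones % 2)
    if mode == 3:                       # odd parity: total count of 1s is odd
        return str((ones + 1) % 2)
    raise ValueError(f"control format {fmt!r} not handled in this example")


def encode_frame(cfg: dict, site: int, ident: int) -> str:
    """Return the frame as a string of '0'/'1', bit 0 first."""
    bits = ["0"] * cfg["frame length"]
    for key, value in (("site format", site), ("ID format", ident)):
        offset, width = _pair(cfg[key])
        if value >= 1 << width or offset + width > len(bits) - 1:
            raise ValueError(f"{key}: value or field does not fit")
        bits[offset:offset + width] = format(value, f"0{width}b")   # MSB first
    n_start = _pair(cfg["start format"])[1]
    n_stop = _pair(cfg["stop format"])[1]
    data = "".join(bits[1:-1])
    bits[0] = _control_bit(cfg["start format"], data[:n_start])
    bits[-1] = _control_bit(cfg["stop format"], data[len(data) - n_stop:])
    return "".join(bits)


def decode_frame(cfg: dict, frame: str) -> tuple:
    """Return (site, ID); raise ValueError on a malformed or inconsistent frame."""
    if len(frame) != cfg["frame length"] or set(frame) - {"0", "1"}:
        raise ValueError("bad frame length or characters")
    fields = []
    for key in ("site format", "ID format"):
        offset, width = _pair(cfg[key])
        fields.append(int(frame[offset:offset + width], 2))
    if encode_frame(cfg, *fields) != frame:     # re-encode and compare
        raise ValueError("control bits or unused bits do not match")
    return fields[0], fields[1]


if __name__ == "__main__":
    sample = encode_frame(CFG_26, 0xAB, 0x1234)   # constructed site and ID
    print(sample, decode_frame(CFG_26, sample))
```

    A matching parity bit only shows that the frame arrived intact; as stated above, ciphering is not handled on the Wiegand link.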


    BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION

    This mode requires only a user ID. This ID can be read on a smartcard, entered on the keyboard or received on the Wiegand or Dataclock input.

    The bypass authentication configuration key must be combined with an authentication mode. Activating this flag means that the biometric verification is bypassed.

    The terminal controls that t