MorphoAccess® VP Series - User Guide
Section 7: Access control by Authentication
SSE-0000082427-01
MORPHO DOCUMENT. REPRODUCTION AND DISCLOSURE PROHIBITED
January 2011
Page 1: ...MorphoAccess VP Series User Guide January 2011 SSE 0000082427 01 Copyright 2011 Morpho Osny France MorphoAccess VP Series User Guide...
Page 2: ...ent a commitment on the part of Morpho No part of this document may be reproduced or transmitted in any form or by any means electronic or mechanical including photocopying or recording for any purpos...
Page 3: ...MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Revision History The table below contains the history of changes made to the present document Version Date Descri...
Page 4: ...h a LAN 31 Setting up IP parameters with a USB Mass Storage Key 33 Wi Fi Network configuration 35 Section 4 MorphoAccess Terminal Configuration 36 MorphoAccess configuration parameters 37 Configuring...
Page 5: ...System 91 Internal Relay activation on Access Granted result 92 Internal Relay activation by external button 94 Access request result log file 95 Sending the access control result to a distant system...
Page 6: ...guration of a MorphoAccess terminal by a Host System 38 Figure 18 MorphoAccess configuration tool main window 39 Figure 19 Typical access control system architecture 46 Figure 20 Recognition mode synt...
Page 7: ...MorphoAccess VP Series User Guide Section 1 Introduction 7 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 1 Introduction...
Page 8: ...allows a high security level without affecting comfort of use an enhanced resistance to spoofing by combining the protection mechanisms intrinsic to each technology and also by making the most of the...
Page 9: ...SSE 0000082427 01 January 2011 Scope of the document This guide deals with the use of the MorphoAccess VP Series which is made up of following list of products MorphoAccess VP Series Multimodal Biome...
Page 10: ...on Morpho hereby declares that the MorphoAccess VP Series terminal has been tested and found compliant with following listed standards EN302 291 2 V 1 1 1 2005 07 recommendation 1999 519 CE with stand...
Page 11: ...paration between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV techn...
Page 12: ...n be divided into major ridge pattern type such as Whorls Loops and Arches etc Unique characteristics known as Minutiae identify those points of a fingerprint where the ridges become bifurcation or en...
Page 13: ...biometric authentication and identification The basic principle for finger vein pattern acquisition is to select an illumination wavelength for which absorption from deoxidized hemoglobin flowing free...
Page 14: ...y themselves and is also processing time consuming In the recent years biometric industry turned to an innovative approach Multimodality which consists in combining one biometrics with another complem...
Page 15: ...swer to comfort and security concerns in any biometric application resistance to spoofing is increased by combining the protection mechanisms intrinsic to each technology and also by making the most o...
Page 16: ...interest is usually located between the first and the third phalanxes Figure 3 areas of interest Ergonomics Image acquisition is performed with CMOS camera The optical imaging method depends on the k...
Page 17: ...designed to hold finger into a flat position in order to avoid any contact inside the vein imaging active area It is highly recommended to wipe the device transparent surface with a dry cloth in case...
Page 18: ...use properly the device according to the rules stated below in order to acquire the best image quality This will result at the end in the best quality of service It is important to notice that it is p...
Page 19: ...Series User Guide Section 2 MorphoAccess VP Series terminal presentation 19 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 2 MorphoAccess VP Series termi...
Page 20: ...that all connections of the MorphoAccess VP Series terminal described hereafter are of SELV Safety Electrical Low Voltage type User Interface see figure 6 Figure 6 MorphoAccess VP Series terminal fro...
Page 21: ...power supply over the spare pins When the terminal is connected to the network by the 5 wires block only power supply over the data pins is possible Please contact your network administrator to know...
Page 22: ...es User Guide Section 2 MorphoAccess VP Series terminal presentation SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 22 January 2011 Figure 7 MorphoAccess VP Series terminal r...
Page 23: ...er Guide Section 2 MorphoAccess VP Series terminal presentation 23 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Figure 8 MorphoAccess VP Series terminal front...
Page 24: ...DP or TCP or SSL protocol A Wi Fi link by connecting a USB Wi Fi adapter in the USB front port using the UDP or TCP or SSL protocol A serial port using the Wiegand or DataClock or RS485 protocol It is...
Page 25: ...t USB port of the MorphoAccess terminal is dedicated to the connection of a USB Mass Storage key to configure the terminal with command scripts This feature is described in the Setting up IP parameter...
Page 26: ...CTION AND DISCLOSURE PROHIBITED 26 January 2011 Plugging a USB Wi Fi adapter The front USB port of the MorphoAccess VP Series terminal is dedicated to the connection of a Wi Fi USB adapter The bottom...
Page 27: ...oAccess VP Series User Guide Section 3 Connecting a MorphoAccess to a PC 27 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 3 Connecting a MorphoAccess to...
Page 28: ...et cable either directly or through a LAN The LAN can be reduced to only one Ethernet router Once physically connected the MorphoAccess terminal can be configured using an application such as Configur...
Page 29: ...Auto MDIX feature then a crossover Ethernet cable is mandatory If no crossover Ethernet cable is available then a switch can be used please refer to next section If the PC to be used is already conne...
Page 30: ...one Ethernet switch The MorphoAccess terminal can be connected to a PC through an Ethernet switch This is useful when no crossover cable is available but instead one Ethernet switch and two Ethernet s...
Page 31: ...iguration Please contact network administrator for more information about LAN security strategies Before connecting the terminal to a LAN through Ethernet it is necessary to specify the LAN parameters...
Page 32: ...the IP address of the terminal remains the same after each restart and the Host System need only to know this IP address to establish a connection with the terminal The IP address of the terminal mus...
Page 33: ...and a dedicated PC application USB Network Configuration Tool This procedure is useful for MorphoAccess terminals without keyboard and screen but is applicable also to MorphoAccess terminals with keyb...
Page 34: ...Number value field is used only when SSL protocol is When all fields are filled with the data approved by the network administrator button Then select the root directory of the USB mass storage key Af...
Page 35: ...i license downloading and Wi Fi USB adapter installation make sure to reboot the terminal by pressing the reset button see paragraph Power supply interface for more information on reset button NOTE Bo...
Page 36: ...ccess VP Series User Guide Section 4 MorphoAccess Terminal Configuration SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 36 January 2011 Section 4 MorphoAccess Terminal Config...
Page 37: ...n bio ctrl contains the parameters related to the biometric control The full name of a configuration key includes the file name and the section name i e file name section name key name Example app bio...
Page 38: ...et Configuration parameter value Modify the value of a configuration parameter Get Access control log file content Change contactless card authentication keys Firmware upgrade Add a license The Morpho...
Page 39: ...iguration tool main window Please refer to MorphoAccess Configuration Tool User Guide document for further information about this PC application MATM PC application The MATM application is another app...
Page 40: ...Configuration SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 40 January 2011 SSL securing The TCP link used for remote management can be secured using SSL protocol Please re...
Page 41: ...t or Wi Fi or using a USB mass storage key The last MorphoAccess terminal firmware can be obtained on a CD ROM package from the customer service or can be downloaded from Morpho Website dedicated to b...
Page 42: ...tric data of two fingers of the user and a unique identifier The MEMS application adds a user to its own database and then it updates the database of all MorphoAccess terminals The MorphoEnroll applic...
Page 43: ...of database with a higher size but it doesn t modify the size of a already created database The existing database must be deleted and then recreated with a higher size MorphoAccess MA_WIFI license Th...
Page 44: ...Guide Section 4 MorphoAccess Terminal Configuration SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 44 January 2011 Please refer to document MorphoAccess Terminal License Mana...
Page 45: ...MorphoAccess VP Series User Guide Section 5 Access Control 45 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 5 Access Control...
Page 46: ...trol system Typical access control system architecture includes one MorphoAccess terminal per area to protect an Enrollment Station dedicated to user enrollment and database synchronization with all M...
Page 47: ...2 When required the Enrolment Station adds new user records into each MorphoAccess terminal and removes obsolete user records 3 When a user request the access to the area protected by the MorphoAcces...
Page 48: ...tandalone mode Identification and or Authentication When in standalone mode the MorphoAccess terminal supports two main different access control processes The identification process which starts when...
Page 49: ...1 January 2011 How to select the standalone access control process The chart below describes the different processes available and the related configuration keys Figure 20 Recognition mode synthesis I...
Page 50: ...vailable and the result of the local access control check This feature is described in the Access request result log file section Integration in an access control system At the end of the access right...
Page 51: ...ection 5 Access Control 51 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Access granted Figure 21 Access control result access granted Access denied Figure 22 A...
Page 52: ...hoAccess VP Series User Guide Section 6 Access Control by Identification SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 52 January 2011 Section 6 Access Control by Identifica...
Page 53: ...The biometric data of allowed users are acquired by an enrolment station with the same kind of biometric sensor The access control by identification process is started when a finger is detected on the...
Page 54: ...Relay activation on Access Granted result section External activation of the internal relay as described in Internal Relay activation by external button section Send access control result message to...
Page 55: ...e terminal If a match is found then the user is identified and if there is no other access right check the access is granted to the user Otherwise if no match found the user remains unknown the user s...
Page 56: ...hoAccess VP Series User Guide Section 7 Access control by Authentication SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 56 January 2011 Section 7 Access control by Authentica...
Page 57: ...person It means that at the beginning of the process the person provides his identity and the authentication process verify it At the end of the process the identity is either confirmed authenticated...
Page 58: ...card is encrypted with the contactless authentication keys stored in the terminal The MorphoAccess terminal rejects user s cards without the data required by the authentication process selected All au...
Page 59: ...hoAccess terminal detects a user s card it searches for a specific data which indicates if the biometric check is either mandatory or disabled This authentication mode is described in section Authenti...
Page 60: ...cards only DESFire cards only Configuration key The type of contactless smartcard enabled is defined by the following specific configuration key Type of contactless smartcard enabled app contactless e...
Page 61: ...e disabled as described in the No biometric check no user id check section User s data required in the terminal This authentication mode doesn t use the internal database of the MorphoAccess terminal...
Page 62: ...ard The terminal compares the biometric data of the finger placed on the sensor with the reference biometric data of the two reference fingers read on user s card The authentication process is success...
Page 63: ...e same user s identifier value as the one stored on user s card The biometric data of two user s fingers If the user s identifier read on the user s card is not found in the database then the access d...
Page 64: ...rocess is successful identity confirmed if the captured finger data matches with one of the two references finger data Otherwise no match found the authentication process fails identity not confirmed...
Page 65: ...l is able to read a user s identifier Otherwise the card is ignored and the access denied User s data required in the terminal In this authentication mode the internal database of the MorphoAccess ter...
Page 66: ...uthentication without biometric check and without User ID check The authentication process succeeds if the user s identifier is found Otherwise the authentication process fails The result of the authe...
Page 67: ...d contains The same identifier as the one on the user s card The reference biometric data of two fingers of the user If the terminal doesn t found a record with the user s identifier read on the card...
Page 68: ...biometric check and without User ID check The user s identifier is read on the user s card and searched in the local database The authentication process succeeds if the user s identifier is found in t...
Page 69: ...ally or legally This kind of cards can be realized without user s presence and the same card used for different visitors The internal database of the MorphoAccess terminal is not used User s data requ...
Page 70: ...specified by user s card Biometric check mandatory The terminal requires the user to place a finger on the biometric sensor Then it executes a biometric comparison of the finger placed on the sensor a...
Page 71: ...thin a TLV structure User s identifier stored in TLV format app contactless data format 0 TLV structure app contactless data length 0 0 Automatic size app contactless data offset 0 0 Automatic offset...
Page 72: ...E only support binary user s identifier When the key value is 0 the terminal is able to get the card UID of MIFARE cards and DESFire cards Configuration keys A configuration key specifies on which kin...
Page 73: ...ritten by other systems Card type compatibility This format can be only used only with the MIFARE only default mode Type of contactless smartcard enabled app contactless enabled profiles 0 MIFARE only...
Page 74: ...e card are F4 E1 65 34 then the user identifier value Activation of identification mode app contactless data format 1 Binary format app contactless data type 0 1 Binary MSB format app contactless data...
Page 75: ...Size 4 bytes app contactless data offset 0 4 User s identifier begins at bit 4 of the first byte of the block specified below app contactless B 46 Read at block 46 first block of sector 15 It is poss...
Page 76: ...MorphoAccess VP Series User Guide Section 8 Multi factor mode SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 76 January 2011 Section 8 Multi factor mode...
Page 77: ...ser presents his contactless card first then it is authentication process which is executed Figure 31 Multi factor mode identification and authentication When there is no database the identification m...
Page 78: ...MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 78 January 2011 Activation of multi factor mode app bio ctrl identification 1 Enabled app bio ctrl authent card mode 1 or app bio ctrl authent ID...
Page 79: ...MorphoAccess VP Series User Guide Section 9 Proxy or slave Mode 79 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 9 Proxy or slave Mode...
Page 80: ...n the host system and used MorphoAccess terminal high level functions Identification function Authentication function Read data on a contactless card Access control result signal command Figure 32 Pro...
Page 81: ...means for example that When the Identify command is in progress the terminal displays the same signals as the standalone Identification mode When the terminal receives the access granted command from...
Page 82: ...ivation The proxy mode is automatically enabled when the identification mode and all authentication modes are disabled Proxy mode all local standalone access control application are inhibited app bio...
Page 83: ...cess VP Series User Guide Section 10 MorphoAccess Terminal Customization 83 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 10 MorphoAccess Terminal Custo...
Page 84: ...Setting up the number of biometric check attempts app bio ctrl nb attempts 1 Only one no retry allowed app bio ctrl nb attempts 2 Two one 2nd try is allowed default Identification mode If the finger o...
Page 85: ...users divided by the number of access requests Both ratio values are linked Different trade offs are possible between FRR and FAR depending on the security level targeted When convenience is the most...
Page 86: ...r a secure usage It is strongly advised to don t use this value because the terminal becomes too tolerant 1 FAR 1 2 FAR 0 5 3 FAR 0 1 Recommended value for physical access control application 4 FAR 0...
Page 87: ...switches When one of those events is detected the MorphoAccess VP Series terminal acts as required by the related configuration key see section below Ignore the event default useful during normal main...
Page 88: ...level 2 Silent message and local alarm signal in addition to previous level 1 the terminal buzzer emits an audible and visible alarm signal The alarm message is sent through the same channel as the a...
Page 89: ...system app failure ID alarm ID 62221 The identifier of alarm message is 62221 app failure ID enabled 1 Error and alarm messages are allowed while using Wiegand or DataClock protocols app send ID wieg...
Page 90: ...ries terminals allow to select the security level of the multimodal biometrics Configuration key The multimodal biometrics security level is selected by only one configuration key Multimodal biometric...
Page 91: ...Series User Guide Section 11 Compatibility with an Access Control System 91 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 11 Compatibility with an Acces...
Page 92: ...n be modified by a specific configuration key Access control installation using internal relay offers a lower security level than an installation with a central access controller which is the only one...
Page 93: ...Access Control System 93 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 The default state of the relay can also be defined Relay default state app relay relay d...
Page 94: ...ternal relay A typical application of this feature is to open the door from inside an area protected by a MorphoAccess terminal as described in figure below To enter in the building the user must be s...
Page 95: ...cord is described in the MorphoAccess Host System Interface Specification document Log File management Three commands are available for log file management A command which return the current status of...
Page 96: ...CUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 96 January 2011 Activation key The creation of a record for each access request is enabled and disabled by only one configuration key Enabling recording o...
Page 97: ...f the distant device in the global access control system Figure 38 Sending access control result message to a distant system Please refer to MorphoAccess Remote Messages Specification for more informa...
Page 98: ...he format of the Wiegand frame is defined by several configuration keys DataClock protocol Same comment as for Wiegand protocol The sending of the message through the serial port using DataClock proto...
Page 99: ...TCP protocol Same comment as for RS485 protocol Send access control result message using TCP protocol on Ethernet port app send ID ethernet mode 0 Disabled app send ID ethernet mode 1 UDP app send ID...
Page 100: ...sage send through IP and RS485 includes the date time of access control result The terminal clock has a 4 sec per day typical time deviation at 25 C At 50 C the time deviation may be up to 8 sec per d...
Page 101: ...ccess controller within the access result message Then the terminal starts to wait during an adjustable timeout for the closure of a switch between LED1 and GND or between LED2 and GND During terminal...
Page 102: ...for each possible answer then The access denied relay contact must be connected to LED1 and GND wires The access granted relay contact must be connected to LED2 and GND wires Activation key This featu...
Page 103: ...e with MEMS and MorphoEnroll applications Please refer to MorphoAccess Host Interface Specification document for mode information Database To use this feature the local database must be created with a...
Page 104: ...de Section 12 MorphoAccess VP Series terminal sound and light Interface SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 104 January 2011 Section 12 MorphoAccess VP Series term...
Page 105: ...nt Pulse 1 second OFF and 0 5 second ON Sample Intermittent blue Pulse Fast intermittent Pulse 0 5 second OFF and 0 5 second ON Sample Fast Intermittent yellow Pulse Slow intermittent Pulse 1 second O...
Page 106: ...acement OFF Intermittent YELLOW pulse OFF Finger removed too quickly OFF YELLOW OFF Finger acquisition running GREEN OFF OFF No database or empty database OFF Intermittent YELLOW pulse OFF USB mass st...
Page 107: ...entication waiting for user s contactless card One of the authentication modes is activated and the MorphoAccess terminal is waiting for the presentation of a contactless card Biometric Sensor backlig...
Page 108: ...D On permanent blue Buzzer OFF Finger biometric data acquisition in progress The MorphoAccess VP Series terminal emits this signal when the acquisition of the biometric data of the finger placed on th...
Page 109: ...he terminal fails to start the biometric sensor If the trouble persists after several terminal start ups please contact customer service Biometric Sensor backlight OFF Status LED Slow intermittent red...
Page 110: ...LED Slow intermittent magenta Pulse Buzzer OFF Maintenance USB mass storage key can be removed This signal Is emitted when the USB Mass Storage key used to configure the terminal can be removed from...
Page 111: ...reen 1s flash Buzzer 1 second high pitched note Identification or Authentication Access denied The user is not recognized or the access is not allowed to this user by Time Mask feature or by the Centr...
Page 112: ...000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 112 January 2011 Finger removed too earlier The terminal emits this signal if the finger is removed too earlier while the finger bio...
Page 113: ...n 13 Compatible Accessories Software Licenses and Software Applications 113 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Section 13 Compatible Accessories Soft...
Page 114: ...owing items can be ordered directly toMorpho or official distributor so as to enjoy all the features of your MorphoAccess VP Series terminal Power supply units Contactless smartcards MIFARE 1K or 4K D...
Page 115: ...HO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Compatible software applications MorphoAccess VP Series terminals are fully compatible with MorphoAccess Enrolment Man...
Page 116: ...MorphoAccess VP Series User Guide Appendix 1 Finger placement rules SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 116 January 2011 Appendix 1 Finger placement rules...
Page 117: ...MorphoAccess VP Series User Guide Appendix 1 Finger placement rules 117 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Finger placement recommendations...
Page 118: ...ty please leave the finger on the biometric sensor until the backlight is turned off Finger condition The following recommendations regarding finger condition will also help to get optimal quality at...
Page 119: ...MorphoAccess VP Series User Guide Appendix 2 Bibliography 119 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED SSE 0000082427 01 January 2011 Appendix 2 Bibliography...
Page 120: ...s and connection procedures Administrator Information MorphoAccess Parameters Guide ref SSE 0000062458 This document describes all configuration keys of MorphoAccess terminal SSL Solution for MorphoAc...
Page 121: ...ocument describes the Configuration Tool application which enables to configure a MorphoAccess terminal through a IP link Ethernet or Wi Fi MorphoAccess Terminal Management User Guide ref SSE 00000688...
Page 122: ...MorphoAccess VP Series User Guide Appendix 3 Support SSE 0000082427 01 MORPHO DOCUMENT REPRODUCTION AND DISCLOSURE PROHIBITED 122 January 2011 Appendix 3 Support...
Page 123: ...SB Network Tool to set a valid network address in your terminal Refer to USB Network Tool User Guide Biometric Sensor backlight is off Verify that the base contents at least one record Check that iden...
Page 124: ...05 Saint Etienne du Rouvray FRANCE Phone 33 2 35 64 53 52 Hotline and customer assistance Morpho Support Terminaux Biom triques 18 Chauss e Jules C sar 95520 OSNY FRANCE hotline biometrics t my techni...
Page 125: ...Copyright 2011 Morpho Head office Le Ponant de Paris 27 rue Leblanc 75512 PARIS CEDEX 15 France www morpho com...
Page 126: ...Head office Le Ponant de Paris 27 rue Leblanc 75512 PARIS CEDEX 15 France www morpho com...