MorphoAccess 500 Series User Guide

MorphoAccess 500 Series
User Guide
MA 500+ Series
OMA 500 Series
MA 500 Series
Produced by Sagem Scurit

Copyright 2009 Sagem Scurit
www.sagem-securite.com
MorphoAccess 500 Series User Guide

SSE-0000060806-05
October 2009
Table of Contents
REVISIONS HISTORY
INTRODUCTION
SCOPE OF THE DOCUMENT

SAFETY INSTRUCTIONS
7
8
MORPHOACCESS PRESENTATION
10
INTERFACES PRESENTATION
SYSTEM SYNOPTIC
TERMINAL PRESENTATION
ACCESS CONTROL PRESENTATION
RESULT OF THE ACCESS CONTROL
11
13
15
17
20
TERMINAL CONFIGURATION
23
EASY SETUP ASSISTANT

ADMINISTRATION MENU
UNDERSTANDING MORPHOACCESS CONFIGURATION
MODIFYING A PARAMETER USING THE CONFIGURATION APPLICATION
CONFIGURING A NETWORKED MORPHOACCESS
DOWNLOADING A LICENCE
UPGRADING THE FIRMWARE
SCREEN CONTRAST
STARTING UP APPLICATION
24
39
42
44
47
50
51
52
53
STAND ALONE MODES (NETWORKED OR NOT)
54
PRELIMINARY: ADDING A BIOMETRIC TEMPLATE IN LOCAL DATABASE

MACCESS APPLICATION: ACCESS CONTROL OR TIME & ATTENDANCE
ACCESS CONTROL BY IDENTIFICATION
ACCESS CONTROL BY IDENTIFICATION (MA-XTENDED LICENCE LOADED)
INTRODUCTION TO CONTACTLESS AUTHENTICATION
AUTHENTICATION WITH BIOMETRIC TEMPLATES ON CARD
PIN VERIFICATION PIN STORED ON CARD
BIOPIN VERIFICATION - BIOPIN STORED ON CARD
AUTHENTICATION WITH BIOMETRIC TEMPLATES IN LOCAL DATABASE
AUTHENTICATION BASED ON CARD MODE
MULTI-FACTOR (MERGED) MODE
AUTHENTICATION WITH LOCAL DATABASE: ID ENTERED FROM KEYBOARD
AUTHENTICATION WITH LOCAL DATABASE: ID INPUT FROM W IEGAND OR DATACLOCK
55
57
61
63
66
68
69
70
71
74
76
78
80
Sagem Scurit document. Reproduction and disclosure forbidden
SSE-0000060806-05
BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION

RECOGNITION MODE SYNTHESIS
SETTING UP RECOGNITION STRATEGY
SETTING UP MATCHING PARAMETERS
FAKE FINGER DETECTION (OPTION)
83
86
87
88
89
IDLE MODE
91
IDLE MODE PRESENTATION

IDLE MODE ACTIVATION
92
93
PROXY MODE
94
PROXY MODE (OR SLAVE) PRESENTATION

PROXY MODE ACTIVATION
95
96
APPLICATION CUSTOMIZATION
97
SETTING UP TIME MASK

MULTILINGUAL APPLICATION
DISPLAY HOUR
98
99
100
RESULT EXPORTATION
101
REMOTE MESSAGES: SENDING THE ID TO THE CENTRAL SECURITY CONTROLLER

RELAY ACTIVATION
LOG FILE
LED IN ACTIVATION
102
103
105
106
SECURITY FEATURES
107
SECURITY SWITCH MANAGEMENT

PASSWORDS
108
110
MESSAGES SENDING
111
PRINCIPLE
EVENTS
SENDING INTERFACES
112
113
114
APPENDIX
115
ENROLMENT ON TERMINAL WITH SYNCHRONIZATION

MORPHOACCESS 220 / 320 COMPATIBILITY
116
118
SSE-0000060806-05
Sagem Scurit document. Reproduction and disclosure forbidden.
CONTACTLESS MODES TABLE

REQUIRED TAGS ON CONTACTLESS CARD
FAQ
RELATED DOCUMENTS
120
121
122
123
CONTACTS
125
SUPPORT
126
SSE-0000060806-05
REVISIONS HISTORY
Date
July 08
Firmware
Description
2.07
Add a Date/Time settings description
2.09
Add juvenile option feature of MA2XX and MA3XX devices.

Add extended Time & Attendance new feature
Add Wi-Fi connection for terminal administration and for access
control result message send.
Add MIFARE key update inquiry in easy setup (configuration
assistant).
Add Card UID contactless card reader mode (ISO/IEC 14443)
June 09
2.10
Add MA 500+ Series and DESFire terminals
October
09
2.11
Add Wi-Fi static IP and WPA-PSK configuration

Add new languages (Arabic and Turkish)
Add specific messages sending
Add start up application
Add logs full features description
WI-FI is a registered mark of the WI-FI Alliance
SSE-0000060806-05
INTRODUCTION
Congratulations for choosing the MorphoAccess 500 Series Automatic Fingerprint

Recognition Terminal.
MorphoAccess 500 Series provides an innovative and effective solution for access
control applications using Fingerprint Verification or/ and Identification.
Among a range of alternative biometric techniques, the use of finger imaging has
significant advantages: each finger constitutes an unalterable physical signature,
which develops before birth and is preserved until death. Unlike DNA, a finger image
is unique to each individual - even identical twins.
The MorphoAccess integrates Sagem Scurit image processing and feature
matching algorithms. This technology is based on acquired knowledge during 20
years of experience in the field of biometric identification and the creation of literally
millions of individual fingerprint identification records.
We believe you will find the MorphoAccess fast, accurate, easy to use and suitable
for physical access control or time and attendance.
To ensure the most effective use of your MorphoAccess, we recommend that you
read this User Guide entirely.
SSE-0000060806-05
SCOPE OF THE DOCUMENT

This guide relates to the use of MorphoAccess 500 Series terminals.
MorphoAccess 500 Series is a generic appellation which gathers MorphoAccess
terminals belonging to MA 500+ Series, OMA 500 Series and MA 500 Series.
Corresponding list of products is depicted in the table below.
Biometrics
MA 500+
Series
OMA 500
Series
MA 500
Series
Contactless Smartcard
Reader
MIFARE
DESFire
MA 500+
MA 520+ D
MA 521+ D
OMA 520 D
OMA 521 D
OMA 520
OMA 521
MA 500
MA 520
MA 521
SSE-0000060806-05
False Finger
Detection
Outdoor
SAFETY INSTRUCTIONS
Europe information
Sagem Scurit hereby declares that the MorphoAccess has been
tested and found compliant with the following listed standards as required
by the EMC Directive 89/336/EEC: EN55022 (1994) / EN55024 (1998),
EN300-330 (1999) and by the low voltage Directive 73/23/EEC amended
by 93/68/EEC: EN60950 (2000).
These terminals are Class A devices. In a residential environment,
these devices may cause interference. In this case, the user is
encouraged to try to correct the interference with appropriated measures
such as:
reorient or relocate the receiving antenna,
increase the separation between the equipment and receiver,
connect the equipment into an outlet on a circuit different from that

to which the receiver is connected,
consult the dealer or an experienced radio/TV technician for help.
USA information
Responsible Party: Sagem Scurit , Le Ponant de Paris, 27, rue Leblanc
F 75512 PARIS CEDEX 15 FRANCE
Changes or modifications not expressly approved by the party
responsible for compliance could void the users authority to operate the
equipment.
This device complies with part 15 Class A of the FCC Rules. Operation is
subject to the following two conditions: (1) This device may not cause
harmful interference, and (2) this device must accept any interference
received, including interference that may cause undesired operation.
NOTE:
This equipment has been tested and found to comply with the
limits for a Class A digital device, pursuant to part 15 of the FCC
Rules. These limits are designed to provide reasonable
protection against harmful interference in a commercial
installation. This equipment generates, uses and can radiate
radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful
interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful
interference in which case the user will be required to correct
the interference at their own expense.
SSE-0000060806-05
Canadian information
This Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numrique de Classe A est conforme la norme NMB-003 du
Canada.
SSE-0000060806-05
MORPHOACCESS PRESENTATION
MorphoAccess is a fingerprint identification device for physical access control, time

and attendance offering both multi-factor verification and identification capabilities
with unequalled level of performance.
10
SSE-0000060806-05
INTERFACES PRESENTATION
Man-machine interface
The MorphoAccess 500 Series offers a simple and ergonomic manmachine interface dedicated to access control based on fingerprint
recognition:
a high quality optical scanner to capture fingerprints (1),
a bicolour led (2),
a multi-toned buzzer,
an optional contactless smart card reader (see details in section

Scope of the document), to read data such as the reference
templates from a contactless card (3),
a keyboard for time and attendance functions, local administration,

User ID seizure, PIN code seizure (4),
a 128x64 display screen (5).
SSE-0000060806-05
11
Electrical interfaces
The terminal offers multiple interfaces dedicated to administration and
control information:
a multiplexed Wiegand / Dataclock output to export the user

identifier to a controller (1),
a RS422 or RS485 output (2),
a LED OUT signal output (3),
two LED IN inputs to improve integration with a Central Security

Controller (4),
a relay to directly command an access (door lock) (5),
a opto-sensor to detect that the back cover has been removed (6),
a multiplexed Wiegand / Dataclock input to receive the user

identifier from an external badge reader (7),
an Ethernet interface (LAN 10/100 Mbps) allowing remote

communications using IP protocol for example (8),
a Power Over Ethernet Interface (LAN 10/100 Mbps) allowing

remote management and supplying power (9).
The MorphoAccess 500 Series Installation Guide describes precisely

each interface and connection procedure.
12
SSE-0000060806-05
SYSTEM SYNOPTIC
Typical architecture including a MorphoAccess, a Host
System and a Central Security Controller
MorphoAccess biometric database management

The management of the MorphoAccess internal biometric database can
be done either locally (through the enrolment application), or remotely by a
Host System (typically MEMS). Those two exclusive management
modes are defined as the:
Local management mode,
Remote management mode.
SSE-0000060806-05
13
MorphoAccess operating mode

The MorphoAccess works according to two exclusive operating modes.
In Stand Alone Mode (terminal networked or not), the terminal can

operate two applications: Access Control or Time & Attendance.
When the terminal is networked, the biometric database can be
managed by a Host System and downloaded to the
MorphoAccess. When the terminal is not networked the database
is managed locally.
In Proxy Mode, the terminal is remotely operated by a host

application
that
sends
individual
commands
to
the
MorphoAccess.
MorphoAccess result sending

When the biometric identification is positive, the person ID can be sent to
a Central Security Controller, for further action such as opening doors.
14
SSE-0000060806-05
TERMINAL PRESENTATION
A MorphoAccess 500 Series terminal is running with 4 applications
dedicated to a given need.
MACCESS
This is the main application, dedicated to access control including
biometric control.
It is possible to leave this application to launch another application.
The current User Guide details this application features.
ENROLMENT
This application allows enrolling users in the terminal when the database
of the MorphoAccess is not managed by an external system (Local
management mode).
The created database can be saved ciphered on a USB flash drive and
exported to other stand alone MorphoAccess 500 Series.
This application can also encode some MIFARE and/or DESFire
contactless cards with users finger templates (depending on terminal
see section Scope of the document).
A synchronisation message can be sent to a distant host to inform it about
changes on biometric databases. Refer to Enrolment on terminal with
synchronization section.
The User Management Password protects the execution of this
application.
Please refer to Enrolment Application User Guide for more information
about this application.
CONFIGURATION
This application allows modifying the main application parameters.
Parameters are divided into files, sections and keys.
The Terminal Configuration Password protects the execution of this
application.
Please refer to Configuration Application User Guide for more information
SSE-0000060806-05
15
LOGS VIEWER
This application allows consulting the local event diary stored by the
MorphoAccess: there is one record for each access request. It is also
possible to export this file on a standard USB flash drive.
The User Management Password protects the execution of this
application.
Please refer to Logs Viewer Application User Guide for more information
Multi-applicative architecture synthesis
16
SSE-0000060806-05
ACCESS CONTROL PRESENTATION

The MorphoAccess works according to two biometric recognition
modes: identification or authentication. Identification and authentication
can be activated at the same time (multi-factor mode).
Identification (1 versus N)
The user provides one of his fingerprints and the terminal is in charge to
find the users identifier.
In identification mode, the access request starts with a finger on the
sensor.
The reference biometric templates of each allowed users are stored in the
local database. The captured fingerprint is compared to all reference
templates to search for a match (1 versus N matching mode). If a match is
found, the users identifier is retrieved.
Depending on the installed licence, the terminal can store up to 3000
users (2 fingers per user) in its local database or up to 50 000 users
divided in 5 bases of 10 000 users each.
In this mode the sensor is always switched on, waiting for a finger.
If the user is matched, the ID can be returned to the Central Security

Controller.
If the user is not recognized, a no-match message can be sent to the
Central Security Controller.
See section Access Control by Identification.
SSE-0000060806-05
17
Authentication (1 versus 1)
The user provides his identifier, and the terminal is in charge to check it by
comparing a capture fingerprint with one or two references templates.
In authentication mode, the access request starts when the users
identifier is provided.
Authentication with reference templates in card (1 versus 1)

User biometric templates are stored (and read) on users contactless
MIFARE or DESFire card.
If the user is matched, the ID can be returned to the Central Security

Controller.
If the user is not recognized, a no-match message can be sent to the
Central Security Controller.
See section Access Control by Authentication.
Authentication with reference templates in terminal (1 versus 1)

The reference templates of the user are stored in the local database.
In that case, the users identifier is used as a search key to find the users
templates in the local database.
The user identifier can be received in a Wiegand or a Dataclock frame, or
typed on the keyboard, or read on a contactless MIFARE or DESFire
card.
Multi-Factor recognition
It is possible to combine several factors such as, what I have (a
contactless smart card), what I know (PIN code), and what I am (biometric
templates).
18
SSE-0000060806-05
Proxy mode
Proxy Mode is not strictly speaking a recognition mode. In this mode, the
MorphoAccess works as a slave waiting for external commands such
as:
identification,
verification,
relay activation,
read data on a contactless card,
Proxy commands:
Identification
Verification
Relay activation
Read card
Chapter Proxy mode gives more information about remote management.

Please refer to MorphoAccess Host System Interface Specification for a
complete description of commands.
SSE-0000060806-05
19
RESULT OF THE ACCESS CONTROL

Scope
The result of the access request is signified to the user by a specific
message displayed in the screen, by a light signal, and by a sound signal.
Welcome
John Doe
IDENTIFIED
or
NOT IDENTIFIED
In addition to user information, the terminal is able:
to activate an internal relay (to open a door),
to register the access request result in an internal log file,
and to send an access control result message to a distant system

(usually a Central Security Controller) through several kind of
communication links.
Control result message:

RS485 or RS422
Wiegand or Dataclock
Ethernet or Wi-Fi (UDP / TCP / SSL)
Relay
If enabled, the MorphoAccess internal relay is activated, during the
specified period, in case of successful control result (access is granted).
20
SSE-0000060806-05
Wiegand/Dataclock serial port

The access request result message can be sent through a dedicated serial
port using either the Wiegand or the Dataclock protocol.
The message format includes only the user identifier (which must be a
numeric value). By default, the message is sent only when the access
control result is positive, but as an option this message can be sent when
the result is negative, with an error code instead of the user identifier.
Ethernet port
The access request result message can be sent through an IP connection
using either the UDP, the TCP, or the SSL protocol.
Please refer to MorphoAccess Remote Messages Specification to know
the information sent by the terminal.
For IP, the administrator can set the port and define the protocol.
Please refer to SSL Solution for MorphoAccess documentation, for
further details about the SSL on the MorphoAccess.
WI-FI connection
Instead of Ethernet connection, the terminal can be connected using a
wireless b/g connection. Please refer to paragraphs Network WI-FI
configuration and WI-FI configuration
The message format and the protocols supported are the same: UDP,
TCP or SSL.
It is not possible for a terminal to be connected through Ethernet and
through WI-FI at the same time.
RS485/422 serial port

The access request result message (in ASCII format) can be sent through
a dedicated serial port using either the RS485 or the RS422 protocol.
Please refer to MorphoAccess Remote Messages Specification to know
the information sent by the terminal.
When the serial port is used for terminal management, it is not possible to
send the access request result message through this port.
Access request logging

When enabled, the terminal creates a record for each access request in a
local file. Each record includes: the date/hour of the access request, the
user identifier (if available) and the result of the access rights local check.
The content of this file can be downloaded by the Host System, or
displayed on the terminal, or exported to a USB flash drive.
The capacity of the file is 8 000 records: when the file is full, the recording
of access request result automatically stops.
SSE-0000060806-05
21
The record file can be erased using the Logs Viewer embedded
application. Please refer to MorphoAccess 500 Series Logs Viewer User
Guide for further details.
22
SSE-0000060806-05
TERMINAL CONFIGURATION
This chapter details how to configure the MorphoAccess. A parameter can be

changed directly on the terminal or remotely through a network.
A first start assistant named Easy Setup helps the administrator to define quickly a
plug and play configuration with an existing physical Access Control System.
SSE-0000060806-05
23
EASY SETUP ASSISTANT

Assistant initialization
When the MorphoAccess starts for the first time an assistant helps the
administrator to configure easily the main functions.
EASY SETUP
GREEN: VALID
YELLOW: CORR., NEXT
RED: ABORT, PREVIOUS
NEXT
Key
validates the choice.
Key
corrects or goes to next step.
Key
aborts operation and returns to previous step.
Language selection
It is possible to choose the language of the application among installed
languages.
APPLICATION LANGUAGE
1 ENGLISH
2 SPANISH
3 FRENCH
4 GERMAN
Refer to Multilingual application section for further details.
24
SSE-0000060806-05
Date and time configuration

Date and time can be configured.
Date format is MM/DD/YYYY (month/day/year).
Key
deletes a character.
Key
validates the selection.

ENTER DATE
08/25/200_
MM/DD/YYYY
VALID
SSE-0000060806-05
25
Ethernet interface settings

Static or dynamic configuration
It is possible to choose between static or dynamic network configurations.
DHCP
1 Enable
[]
2 Disable
[ ]
DHCP disabled
If DHCP is disabled following parameters must be set:
IP address,
Network mask,
Default gateway.
ENTER IP ADDRESS
10.10.161.3_
VALID
DHCP enabled
With DHCP only the terminal hostname on the network is required.
The DNS server must be updated so that users can communicate with the
MorphoAccess using the terminal hostname. Please contact your
network administrator.
ENTER HOSTNAME
MA0789652_
VALID
26
SSE-0000060806-05
Recognition mode
Once IP parameters are defined next step is to define the recognition
mode.
Recognition mode selection screen(s) depends on the type of terminal
(see section Scope of the document).
On terminals that do not have any contactless smartcard reader:
RECOGNITION MODE
1 Identification
[]
Only identification mode can be selected.

On terminals equipped with a MIFARE only contactless smartcard
reader:
RECOGNITION MODE
1 Identification
[]
2 Contactless
[ ]
3 Multifactor
[ ]
Terminal can be configured in Identification mode, Contactless

authentication or Multi-factor mode (where Identification and Contactless
authentication modes are merged).
SSE-0000060806-05
27
On terminals equipped with a MIFARE and DESFire contactless

smartcard reader:
First, enable or not identification mode:
RECOGNITION MODE
Do you want
to use
Identification ?
YES
NO
Then, enable or not DESFire cards reading:

RECOGNITION MODE
Do you want
to use
DESFire cards ?
YES
NO
Finally, enable or not MIFARE cards reading:

RECOGNITION MODE
Do you want
to use
MIFARE cards ?
YES
?
NO
For example, if YES is answered to all the questions, the terminal will be in
Multifactor mode (Identification + DESFire cards + MIFARE cards).
28
SSE-0000060806-05
Output interface
Last step allows defining the interface required to export the control result.
INTERFACE PARAMETERS
1 Wiegand [OFF]
2 Dataclock [OFF]
3 ID on UDP [OFF]
4 Next
Each interface can be configured and activated independently.

Select 4 Next to go to next step.
Wiegand configuration
Three protocols are available 26, 34 and 37 bits.
For other Wiegand configurations, please refer to chapter Authentication:
ID input from Wiegand.
WIEGAND
1 26 bits
[]
2 34 bits
[ ]
3 37 bits
[ ]
4 OFF
[ ]
Dataclock configuration
Dataclock interface can be activated but is multiplexed with Wiegand
output.
UDP activation
UDP remote messages can also be activated. The server IP address must
be specified.
SERVER IP ADDRESS
10.10.161.7_
VALID
SSE-0000060806-05
29
Password configuration
This step consists in changing the passwords.
PASSWORDS
1 Terminal Config.
2 User Management
3 Reset User Mgt.
4 Next
Select 4 Next to leave the assistant.

The terminal must reboot to apply the changes.
EASY SETUP END
REBOOT
THE TERMINAL?
NEXT
ABORT
Press NEXT to reboot the terminal.

Press ABORT to return to password management.
30
SSE-0000060806-05
Change of MIFARE keys

This section only concerns MorphoAccess equipped with a MIFARE
contactless smart card reader (see section Scope of the document).
This step is available since 2.09 firmware release.
The assistant proposes to replace default MIFARE keys by custom
MIFARE keys using an Administrator card (card that contains the new
MIFARE keys).
The following screen is displayed:
Terminal config.
Do you want
to change
MIFARE keys?
YES
?
LATER
If the answer is YES (change keys is selected), the screen below is

displayed and an administrator card must be presented:
Terminal config.
Present an Admin
Card, please.
!
ABORT
As soon as the Administrator card is detected, the MIFARE keys are

automatically updated in the terminal (the update progress is signalled by
successive beeps).
See MorphoAccess 500 Series Enrolment application User guide for
details about Administrator card encoding.
SSE-0000060806-05
31
Change of DESFire keys

This section only concerns MorphoAccess equipped with a DESFire
contactless smartcard reader (see section Scope of the document).
The assistant proposes to replace default DESFire keys by custom
DESFire keys using an Administrator card (card that contains the new
DESFire keys).
The following screen is displayed:
Terminal config.
Do you want
to change
DESFIRE keys?
YES
?
LATER
If the answer is YES (change keys is selected), the screen below is

displayed and a DESFire administrator card must be presented:
Terminal config.
Present an Admin
Card, please.
!
ABORT
As soon as the Administrator card is detected, the DESFire keys are

automatically updated in the terminal (the update progress is signalled by
successive beeps).
See MorphoAccess 500 Series Enrolment application User guide for
details about Administrator card encoding.
32
SSE-0000060806-05
WI-FI configuration (since 2.09 firmware revision)

This step consists in configuring wireless communications in WLAN mode
if a WI-FI USB adapter is plugged and a Wi-Fi licence is loaded in the
MorphoAccess (please refer to paragraph Network WI-FI
configuration ).
The WI-FI Wizard allows the followings operations:
WIFI CONFIGURATION
1 Active profile
2 New profile
3 Activate profile
4 Get profile info
WIFI CONFIGURATION
4 Get profile info
5 Modify profile
6 Remove profile
7 Next
Display the active profile

The choice 1 Active profile allows displaying the active profile (if any).
ACTIVE PROFILE
1 TEST_MA
[]
Create and activate a new profile

The choice 2 New profile allows creating and activating a new profile.
This is the first action to perform on a new terminal.
During the first step, the system searches for available WI-FI access
points. This screen is temporary displayed:
NEW PROFILE
Scanning
SSE-0000060806-05
33
Then the list of access points is displayed:

CHOOSE ACCES POINT
1 TEST_MA
[]
2 WIFI_1
[..]
3 other access point
[..]
At the second step, an access point must be chosen, existing or not, to

create the new profile.
The following menu is displayed and allows setting each parameter of the
new profile:
NEW PROFILE
1 SSID
2 MAC address
3 authentication
4 algorithm
NEW PROFILE
4 algorithm
5 key
6 channel
7 valid
Several parameters are automatically initialized by the first step: SSID,

MAC address, channel. Other parameters are to be initialized by the
network administrator:
SSID (Service Set IDentifier) is the name of the profile,
MAC address is the access point MAC address,
the authentication can be: open or shared (only for WEP

protection),
the algorithm can be: None , WEP64 , WEP128 or WPAPSK (since 2.11 firmware revision),
the key to enter is an hexadecimal key with size of 10 for WEP64,

26 for WEP128, and an ASCII string of 8 up to 63 characters for
WPA-PSK
the channel can be changed to avoid interferences.
34
SSE-0000060806-05
If an existing access point is used, parameters have initially the values of

access point parameters; for an other access point, parameters have
default values.
If WEP or WPA algorithm is chosen, the key must be entered (the key is
not retrieved from access point).
The profile must have the same value parameters as its access point.
For the selection of one of the six first choices, data capturing screens or
menu screens are displayed. The choice 7 valid allows creating and
activating the profile with its parameters.
Activate a existing profile
The choice 3 Activate profile allows activating an existing profile.
A screen showing the profiles saved in the MorphoAccess is displayed
and the profile to activate can be selected.
The parameters are activated after terminal restart.
The success of the WI-FI configuration can be checked by reading the
IP address assigned by the WLAN network to the terminal: IP address
must be different from 0.0.0.0., if the profile s network configuration is
DHCP.
Display an existing profile information
The choice 4 Get profile info allows retrieving information about a
profile.
and the profile can be selected.
Once a profile is selected, the following screen is displayed:
NEW PROFILE
1 SSID
2 MAC address
3 authentication
4 algorithm
NEW PROFILE
4 algorithm
5 channel
It enables to display the value of each parameter.

SSE-0000060806-05
35
Modify an existing profile

The choice 5 Modify profile allows modifying some parameters of a
profile.
and the profile can be selected.
Once a profile is selected, the following screen is displayed:
PROFILE TEST_MA
1 authentication
2 algorithm
3 key
4 valid
If WEP or WPA algorithm is chosen, the key must be entered (the key is
not retrieved from access point).
The profile must have the same value parameters as its access point.
For the selection of one of the three first choices, data capturing screens
or menu screens are displayed. The choice 4 valid allows creating and
activating the profile with its parameters.
Remove an existing profile
The choice 6 Remove allows removing a profile.
and the profile to remove can be selected.
Configure active profiles network settings (since 2.11 firmware
revision)
The choice 7 Next allows choosing between static or dynamic network
configurations.
DHCP
36
1 Enable
[]
2 Disable
[..]
SSE-0000060806-05
DHCP disabled
If DHCP is disabled following parameters must be set:
IP address,
Network mask,
Default gateway.
ENTER IP ADDRESS
10.10.161.3_
VALID
DHCP enabled
When choosing the DHCP mode, the assistant asks for the terminal
hostname.
ENTER HOSTNAME
MA0789652_
VALID
The DNS server must be updated so that users can communicate with the
MorphoAccess using the terminal hostname. Please contact your
network administrator.
The terminal has to be restarted to take changes in account.
Note 1: If this step is never performed, the MorphoAccess configures the
Wi-Fi active profile in DHCP mode.
Note 2: The network configuration is only for the active profile, not for the
others profiles.
Restarting WI-FI configuration

Wi-Fi configuration wizard can be restarted
By escape sequence
selecting Wi-Fi setup in Settings menu (available only when a

WI-Fi USB adapter is plugged in).
SSE-0000060806-05
37
Restarting Easy Setup

MorphoAccess Easy Setup can be restarted
By escape sequence
selecting Settings in main application MACCESS,
selecting Easysetup in Settings menu.
38
SSE-0000060806-05
ADMINISTRATION MENU
Access to Administration Menu
Place your finger
for Identification
Please
The main application can be interrupted using the escape sequence. Hit
the following keys in sequence:
,
then
.
If the biometric database is not empty, the terminal accepts a finger
registered as administrator instead of the valid User Management
Password Code.
By default User Management Password is 12345.
USER MANAGEMENT CODE
Present your finger please
Or enter password:
***|
If the Administrator uses the default password, it is possible to change it

immediately.
USER MANAGEMENT CODE
Default password!
Do you want
to change it?
YES
?
LATER
For security, Sagem Scurit strongly recommends you change the

terminal default password.
SSE-0000060806-05
39
Administration Menu features

MA5XX APPLICATION
1 Information
2 Settings
3 Enrolment
4 More functions
Information Menu
MA5XX APPLICATION
1 Information
2 Settings
3 Enrolment
4 More functions
Select Information to access the terminal and sensor information:

INFORMATION
1 Terminal Info
2 Sensor Info
Terminal information
Select Terminal Info to access to the following information:
40
Terminal information
Description
Example
1 Type
Terminal type
520
2 Serial Number
Terminal serial number 073035353A
3 Soft. Version
Terminal main software V02.00.02

version (MACCESS)
4 IP Address
Terminal IP address
5 MAC Address
Terminal MAC address 00:60:4C:69:53:53
134.1.32.214
SSE-0000060806-05
Sensor information
Select Sensor Info to access the following information:
Sensor information
Description
1 Licence Info
Licence information
MSO_MA_IDENTLITE
(licence name, Licence Device
Licence
ID:
ID)
251946640
0728EC51008
2 Sensor Info
Sensor information
(type, flash size, serial
number, sensor ID)
3 Soft. Info
Example
MSO300
Flash: 32768 Ko
SN: 0730A010026
ID: 25115841-4
Sensor software
MSO V08.02.d-C
version. After a
software upgrade, a
reboot is necessary to
get the current version.
Settings menu
SETTINGS
1 Factory Settings
2 Easy Setup
3 Change Passwords
4 Wifi Setup
Factory Settings resets MorphoAccess parameters to their default

value. IP parameters are preserved.
On MorphoAccess equipped with a MIFARE contactless smartcard
reader (see section Scope of the document), the terminal will ask for
MIFARE keys reset.
On MorphoAccess equipped with a MIFARE and DESFire
contactless smartcard reader (see section Scope of the document), the
terminal will ask for MIFARE keys reset, and then will ask for DESFire
keys reset.
Please refer to MorphoAccess 500 Series Parameters Guide to know
parameters default values.
Easy Setup launches Easy Setup.
Change Passwords allows changing system passwords.
WiFi Setup allows configuring the WI-FI interface. This item appears
only when a WI-FI USB adapter is plugged in the MorphoAccess.
SSE-0000060806-05
41
UNDERSTANDING MORPHOACCESS CONFIGURATION

Presentation
MorphoAccess parameters are stored into files organized in sections
and values.
For example a file named app.cfg contains all the parameters defining
the main application settings.
[bio ctrl]
identification=1
nb attempts=2
[log file]
enabled=1
Configuration organization
The application creates several files:
app.cfg,
adm.cfg,
bio.cfg,
net.cfg,
fac.cfg,

Please refer to MorphoAccess Parameters Guide for further details on
those files.
42
SSE-0000060806-05
Modifying a parameter
There are two ways to modify a parameter:
directly on the terminal using the Configuration Application,
remotely through IP or Serial link with a client application running

on the Host System.
Notation
In this manual a parameter is presented using this format:
Short parameter description
file/section/parameter
Value
For example to activate recognition mode based on identification, this key

must be set to 1 (enabled, true, or yes when using the configuration
application):
Access control by identification
app/bio ctrl/identification
SSE-0000060806-05
43
MODIFYING A PARAMETER USING THE CONFIGURATION

APPLICATION
The Configuration application allows changing a parameter directly on the
terminal.
You must exit a possible running application to display the application
selection menu.
If the main application is running, it must be quit using the escape
sequence:
,
then
Then enter the User Management Password to access to the

Administration menu.
Select More functions to exit the Access Control application.
Press
to display the functions menu.
Select 3 CONFIGURATION to launch the Configuration application.

The Configuration application is fully detailed in the Configuration
Application User Guide. This chapter only offers a brief description.
FUNCTIONS
0 TELIUM MANAGER
1 MACCESS
2 ENROLMENT
3 CONFIGURATION
Keys role
Keys
selection)
change the current selection (up and down
Key
deletes a character or goes to previous screen
Key
confirms the change
Key
44
and
quits the application
SSE-0000060806-05
Changing a parameter
To change a parameter, select the Configuration item.
MAIN MENU
1 Configuration
2 More
3 Quit
A menu allows selecting the file to modify. Note that the order of the menu
may change.
FILE SELECTION
1 bio
2 app
3 adm
4 net
When a file has been selected it is possible to choose a section.

[APP]
1 bio ctrl
2 contactless
3 relay
4 send ID UDP
The parameter list contains all parameters available in a section.

[APP]/BIO CTRL
1 authent ID keyboard
2 identification
3 authent card mode
4 nb attempts
It is possible to display parameters one by one in a given section.

[app]/bio ctrl
authent ID keyboard
Enabled
EDIT
<<
>>
EXIT
The edition menu depends on the parameter type.
SSE-0000060806-05
45
NOTE:
The values Enabled, True, Yes in the configuration application

is equivalent to the value 1 when using the Configuration Tool
for example (Refer to the Configuration Tool user guide).
Binary choice
[app]/bio ctrl
authent ID keyboard
True
[]
False
[ ]
IP address
[app]/send ID udp
host address
134.
46
.1
.32
.214
SSE-0000060806-05
CONFIGURING A NETWORKED MORPHOACCESS

Introduction
A PC (running with MEMS for example) connected to a
MorphoAccess can manage the terminal. Some available remote
operations are:
Biometric record addition,
Control settings modification,
Configuration reading,
Local database deletion,
Biometric record deletion,
Control diary ( log file ) downloading,
Firmware upgrade.
The PC acts as a TCP/IP client for the MorphoAccess.
Remote management:
Change mode
Add template
Get configuration
The MorphoAccess works as a TCP/IP server waiting for request from a

client.
The client can send biometric templates to the terminal and manage the
local database.
Please refer to MorphoAccess Host System Interface Specification for a
complete description of remote administration command set. This
document also explains how to create a database and store biometric
records in this base.
SSE-0000060806-05
47
Network factory settings

By default the terminal IP address is 134.1.32.214. This address can be
changed through IP (Configuration Tool) or with a USB flash drive (USB
Network Tool).
The default server port is 11010.
Date/Time settings
The date/time of the terminal can be initialized with the configuration
assistant (Easy setup) or by a distant host system using an application
such as the Configuration Tool (More button) described below.
The terminal start-up process searches for date modification and does
not accept a date older than the firmware generation date. In that case,
the current will be the firmware generation date.
SSL securing (since 2.07 firmware revision)

This remote management TCP link can be secured using SSL. Please
refer to SSL Solution for MorphoAccess document for further details.
Modifying a key using configuration tool

Configuration Tool can modify MorphoAccess parameters. This program
is an illustration of use of the TCP API. Please refer to Configuration Tool
User Guide for further information about this program.
48
SSE-0000060806-05
Network WI-FI configuration (since 2.09 firmware revision)

WI-FI connection is available under the following conditions:
a Sagem Scurit WI-FI USB adapter, ref. 189930722, must be

plugged in the upper USB port of the terminal. Installation
procedure is described in the MorphoAccess 500 Series
Installation Guide,
a MorphoAccess WI-FI Licence is loaded in the terminal ( cf.

paragraph Downloading a licence),
the terminal must not be connected to a network with an Ethernet

cable: WI-FI connection and Ethernet cable connection are
mutually exclusive.
Note 1: A DHCP server and a DNS server are mandatory when the WiFi interface is configured in DHCP mode.
The DHCP server automatically attributes an IP address to the
MorphoAccess.
The DNS server links the MorphoAccess hostname to its real IP
address.
It is also important that the DNS server is updated each time the
DHCP server attributes another IP address to a MorphoAccess.
Note 2: A MorphoAccess WI-FI Licence is mandatory.
If WI-FI USB adapter is plugged in and if there is no licence
present, the MorphoAccess will display the following screen
before restarting:
SETTINGS
No valid licence for
WIFI
Terminal will restart
To solve this issue, unplug the WI-FI USB adapter and restart
the terminal and load a Wi-Fi licence.
See WI-FI parameters description in paragraph WI-FI configuration
SSE-0000060806-05
49
DOWNLOADING A LICENCE
By default the MorphoAccess can match a fingerprint against a
database of 3 000 users. This database configuration corresponds to a
basic licence (MSO_MA_IDENTLITE).
MA-Xtended
licence
(MSO_MA_IDENTPLUS)
extends
MorphoAccess recognition capabilities to 5 databases of 10 000 users
(2 fingers per user) or 16 databases of 3 000 users.
WI-FI network (WLAN) use is enabled with another licence.
Licence number depends on the Device Licence ID. This unique identifier
is checked by the Licence Manager tool. It can be displayed on the
information menu.
The Licence Manager tool allows downloading a licence in the
MorphoAccess as explained in Terminal Licence Management
documentation.
50
SSE-0000060806-05
UPGRADING THE FIRMWARE

It is possible to upgrade your MorphoAccess firmware through IP.
The firmware is available on the CDROM or on Sagem Scurit Website.
Use the MorphoAccess Quickloader to upgrade terminal system.
Please refer to the MorphoAccess Upgrade Tools User Guide for more
information about upgrade procedures.
SSE-0000060806-05
51
SCREEN CONTRAST
A keyboard shortcut controls the screen contrast.
52
Key
and
increase the screen contrast
Key
and
reduce the screen contrast
SSE-0000060806-05
STARTING UP APPLICATION
By default, the MorphoAccess 500 Series terminal starts on the access
control application (MACCESS). But it can also start on another
application:
Starting up application
exe/init state/startup
1
(MACCESS application)
The following choices are allowed:
Start on MACCESS application
Start on ENROLMENT application
Start on applications list.

Please refer to MorphoAccess Parameters Guide.
SSE-0000060806-05
53
STAND ALONE MODES (NETWORKED OR NOT)
The MorphoAccess works according to two biometric recognition modes:

identification or authentication. Identification and authentication can be activated at
the same time (multi-factor mode).
In Stand Alone Mode, the terminal can operate two applications: Access Control or
Time & Attendance.
54
SSE-0000060806-05
PRELIMINARY: ADDING A BIOMETRIC TEMPLATE IN LOCAL

DATABASE
The management of the MorphoAccess internal biometric database can
be done either locally (through the enrolment application), or remotely by a
Host System. Those two exclusive management modes are defined as
following:
Local management mode,
Remote management mode.
Local enrolment
The Enrolment Application is dedicated to this function.

The local database can be exported ciphered to other MorphoAccess
500 Series devices using a USB flash drive.
Contactless cards containing user templates can be generated using this
application.
A message can be sent to a distant host to inform that changes were
made on the MorphoAccess internal biometric database. Then changes
can be exported to the host centralized database. (cf. Enrolment on
terminal with synchronization)
Please refer to Enrolment Application User Guide for a complete
description of local enrolment features.
SSE-0000060806-05
55
Remote management
The user is enrolled on an Enrolment Station (typically a PC station with
MEMS) and biometric templates are exported to the MorphoAccess
via a communication link.
This architecture allows managing many MorphoAccess databases from

one PC client station.
56
SSE-0000060806-05
MACCESS APPLICATION: ACCESS CONTROL OR TIME &

ATTENDANCE
MorphoAccess application can be configured to work in physical access
control mode or in time and attendance mode. In this configuration, each
MorphoAccess event logged includes some attendance information
(entry, exit...).
When the time and attendance feature is activated, the main screen may
display 2 or 4 functions or a bitmap file.
Two functions mode:

Time and Attendance (2 functions)
app/modes/time and attendance
TIME ATTENDANCE
15:27
OCT 08 2006
Green key: IN selection

Yellow key: OUT selection
SSE-0000060806-05
57
Four functions mode:

Time and Attendance (4 functions)
TIME ATTENDANCE
15:26
OCT 08 2006
Green key: IN selection

up key: Temporary IN selection (come back)
down key: Temporary OUT selection
Yellow key: OUT selection
When entering, the user has to press key
When exiting, the user has to press key
to log his entry time.

to log his exit time.
For particular uses such as temporary absences, two additional functions

corresponding to function keys 2 and 3 can be displayed.
58
SSE-0000060806-05
Extended mode:
Extended Time and Attendance
In this mode each numeric key of the keyboard can be associated with
one of the time and attendance functions, and a bitmap image (which
usually specifies the keyboard mapping) is displayed on the screen. A
specific text message can be displayed on the screen, when an assigned
key is pressed. (Refer to MorphoAccess Series Parameters Guide for
further details). The key assignation and the bitmap picture are selected
by configuration keys.
To load the bitmap file in the MorphoAccess, use the program file
BMP2REQ_Generator.exe and MATM tool to load the REQ file. The
bitmap must be encoded as a MS Paint monochrome bitmap only and
the bitmap size must be less or equal to 128 x 50 pixels.
The following screen is an example of what can be made:
In this example, IN function is associated to the key 1, OUT to the key 3,

temporary IN to the 7, and temporary OUT to the key 9; the key 5 is
associated to the pressed key function.
The selected function is written in the access request record, stored in the
log file, and included in the "User Identifier" message sent to the host. For
extended time and attendance the ASCII code of the pressed key is
logged (i.e. 0x31 for key 1, 0x32 for key 2, ).
After selection, the MorphoAccess switches in biometric mode
(identification or authentication).
The selected function is written in the log file and sent to the host. For
extended time attendance, the code of the pressed key is logged.
If the user has selected the wrong operation (IN/OUT...), key
can
be pressed at any moment during biometric invitation to abort the
verification. In this case, nothing is logged or sent to the controller.
After 20 seconds of inactivity on identification mode (no finger detected on
the sensor), the terminal switches back to the selection screen. In this
case the operation result is logged and/or sent to the controller (time-out).
SSE-0000060806-05
59
To disable Time Attendance mode set app/modes/time and attendance

to 0.
NOTE:
The icon set used for the time and attendance mode is
customizable. Icons from old MorphoAccess 200 and 300
Series can be displayed instead of the new ones (Refer to
MorphoAccess Series Parameters Guide for further details).
Note about terminal clock deviation

The terminal clock has a +/- 4 sec per day typical time deviation at +25C.
At 50C, the time deviation may be up to -8 sec per day.
For application requiring time precision (such as SSL, DESFire),
MorphoAccess clock must be synchronized regularly with an external
clock.
60
SSE-0000060806-05
ACCESS CONTROL BY IDENTIFICATION

Access control by identification
To configure the MorphoAccess in this mode, set the parameter app/bio

ctrl/identification to 1.
After starting, the MorphoAccess waits for fingerprint detection in
identification mode. The sensor is lighted on.
Place your finger
for Identification
Please
The user presents a finger to start identification process.

Remove finger
Analyzing
If the identification is successful, the terminal triggers the access or returns

the corresponding ID to central security controller.
The ID can be sent through various interfaces. Please refer to
MorphoAccess Remote Messages Specification for a complete
description of hit and no hit messages.
Result is displayed on terminal screen.
Welcome
John Doe
Identified.
Once the user identification is done, the terminal automatically loops back
and waits for a new finger.
At least one user (biometric template) must be stored in the local
database.
SSE-0000060806-05
61
If the terminal is running in identification mode with an empty database,

the sensor is off and the following screen is displayed.
Empty Database
Please contact
Administrator
Disabling identification
Set app/bio ctrl/identification to 0 to disable identification.
62
SSE-0000060806-05
ACCESS CONTROL BY IDENTIFICATION (MA-XTENDED LICENCE

LOADED)
It is possible to increase MorphoAccess 500 Series biometric database
size thanks to a licence (MA-Xtended licence): the MorphoAccess then
manages 5 bases of 10 000 users or 16 databases of 3 000 users.
Access control by identification with MA-Xtended licence
To configure the MorphoAccess in this mode, set the parameter app/bio

ctrl/identification to 1 (Enabled, True, Yes when using the configuration
application) and verify that MA-Xtended licence has been loaded.
Please refer to chapter Downloading a licence to know how to upgrade the
MorphoAccess with MA-Xtended licence.
After starting, the MorphoAccess waits for fingerprint detection in
identification mode. The sensor is lighted on.
If an MA-Xtended licence is loaded it is possible to choose the active
database.
To select a user database, press a key number to toggle the database
number. By default, databases 0 to 4 can be selected and used.
Database 0 is the default database.
Place your finger
for Identification
Please
4
14:25
The user can present a finger to launch identification process.

If the identification is successful, the terminal triggers the access or returns
the corresponding ID to Central Security Controller.
Once the user identification is done, the terminal automatically loops back
to database 0 and waits for a new finger.
At least one fingerprint must be stored in the local database.
SSE-0000060806-05
63
If the selected database is empty or does not exist, the sensor is off and
the following screen is displayed, before returning to the database 0.
Empty Database
Please contact
Administrator
2
Set app/bio ctrl/identification to 0 to disable identification.
Database numeration
MA-Xtended licence extends biometric database capacity from 1 base of
3 000 users to 5 bases of 10 000 users. In this configuration the user must
select his database number (from 0 to 4) before presenting a finger to
launch identification process.
For MorphoAccess 300 Series user convenience, it is also possible to
activate a 16 databases mode. In this mode the user selects a database
number between 0 and 15, and presents a finger to launch identification
process.
The base identification is a two-digit number, with a leading zero when
required. The default-selected base is the base with identification 00.
Numeric keys allow selecting a database from 0 to 9. To select
database 3, press
Key
allows selecting a database from 10 to 15. To select database
13, press
then
Valid base numbers are from 0 to 15. If the selected base number is
higher than 15, the number of the default base (0) is automatically
forced.
Database numeration
app/G.U.I/database conversion
500 for 5 databases mode

300 for 16 databases mode
64
SSE-0000060806-05
Note about 16 databases mode

From the terminal point of view, there are still 5 biometric databases.
Or
(MA-Xtended licence)

Database
0,1,2
3,4,5
6,7,8
9,10,11
12,13,14,15
MEMS will automatically associate the user to the right base. For
example a user stored into database 4 on a MorphoAccess 300 Series
will be stored into database 1 on a MorphoAccess 500 Series.
SSE-0000060806-05
65
INTRODUCTION TO CONTACTLESS AUTHENTICATION

Enabling contactless smartcard reading
On terminals equipped with a MIFARE and/or DESFire contactless
smartcard reader (see section Scope of the document), MIFARE
and/or DESFire card reading capability can be configured using the
following specific configuration key:
Enabled profiles
app/contactless/enabled profiles
0-3
0 means no card profile
1 means Activation of DESFire card profile only
2 means Activation of MIFARE card profile only
3 means Activation of both DESFire and MIFARE card profiles
It is then necessary to configure the parameters listed in the next sections

so as to set the wished recognition mode using contactless smart card.
Note that when app/contactless/enabled profiles key is set to 0 and the
parameters listed in the following sections are configured so as to set a
recognition mode using contactless smartcard, MIFARE card reading is
automatically enabled.
On terminals equipped with a MIFARE only contactless smart card
reader (see section Scope of the document), it is only necessary to
configure the parameters listed in the next sections so as to set the wished
recognition mode and enable MIFARE card reading at the same time
(i.e. set that key to 0).
66
SSE-0000060806-05
Recognition modes
Various recognition modes using contactless card can be applied
depending on the templates location (card or terminal database) and the
required security level.
Recognition with DESFire cards supposes that the user swipes a
DESFire (depending on configuration) card containing some structured
data (identifier, biometric templates, PIN code...).
Recognition with MIFARE cards supposes that the user swipes a
MIFARE card containing some structured data (identifier, biometric
templates, PIN code...). Data are localized on the card by a block (B
parameter) and are protected by a key (defined by C parameter). The C
parameter defines which key is used during the authentication with the
card.
For a complete description of card structure and access mode, please
refer to MorphoAccess Contactless Card Specification.
The following recognition modes are available:
Authentication with biometric templates on card
Captured fingerprints are matched against templates read on the card
(PK). User identifier and user biometric templates must be stored on the
card.
In this mode it is also possible to check a PIN code before the
authentication and to replace the biometric authentication by a BIOPIN
code check. The BIOPIN code is used when user biometric templates
are not available (a visitor for example).
Authentication with biometric templates on local database
Captured fingerprints are matched against templates read from the local
database. Only the user identifier is required on the card.
Authentication based on tag card mode
Depending on the card mode, either templates are read on the card or
the control can be bypassed (visitor mode). The card mode tag must be
stored on the card.
It is possible to check PIN code before the authentication and to replace
the biometric authentication by a BIOPIN check.
It is also possible to skip the biometric control: in this case the terminal
acts as a contactless card reader.
Contactless authentication can be combined with a local identification
(multi-factor mode).
SSE-0000060806-05
67
AUTHENTICATION WITH BIOMETRIC TEMPLATES ON CARD
Authentication with biometric templates on contactless card

app/bio ctrl/authent PK contactless
1 (Enabled)
Terminals equipped with a contactless smartcard reader (see section

Scope of the document) can work in contactless authentication mode:
the user presents his card, the terminal reads the reference biometric
templates on the card and launches a biometric control based on the read
templates.
In that case, the card must contain the user identifier and biometric
templates: no local database is required.
To trigger authentication, the user presents his card to the terminal.
Please Present
Contactless
Smart Card
If the card contains user templates, the user is invited to present his finger
for biometric authentication.
Place your finger
For Authentication
Please
If the authentication is successful, the terminal triggers the access or

returns the corresponding ID to the Central Security Controller.
Once the user authentication is finished, the terminal automatically loops
back and waits for a new card presentation.
Required tags on card
ID
CARD
PK1
PK2
PIN
BIOPIN
Yes
Yes
No
No
MODE
Contactless authentication
Yes
No
Card structure is described in MorphoAccess Contactless Card

Specification.
68
SSE-0000060806-05
PIN VERIFICATION PIN STORED ON CARD

If a reference PIN code is stored on the card, it is possible to check this
code before controlling the fingerprints.
PIN code verification
app/bio ctrl/control PIN
1 (Yes)

Please Present
Contactless
Smart Card
If card contains a PIN code, the user is invited to enter his PIN code.
Please enter PIN

***
VAL
COR
If the PIN code is correct, the user is invited to present his finger for
biometric authentication.
Place your finger
For Authentication
Please

It is also possible to activate this mode independently of biometric
authentication. In this case, only the PIN code is checked.
ID
CARD
PK1
PK2
PIN
BIOPIN
MODE
PIN code verification
Yes
No
No
No
Yes
No
PIN then authentication
Yes
No
Yes
Yes
Yes
No
SSE-0000060806-05
69
BIOPIN VERIFICATION - BIOPIN STORED ON CARD

In this mode the card should contain a BIOPIN code. The goal of this code
is to replace fingerprints authentication by BIOPIN code verification.
BIOPIN code verification
app/bio ctrl/BIOPIN enabled
1 (Yes)
This mode must be activated with the authentication that uses fingerprints
from contactless card (authent PK Contactless to 1). The terminal looks
for finger templates stored on the card. If there arent any, it looks for a
BIOPIN code.
To trigger the BIOPIN code verification, the user presents his card to the
terminal.
If the card contains a user BIOPIN, the user is invited to enter it.
Please enter
biometric PIN
***
VAL
COR
If the BIOPIN is correct, the terminal triggers the access or returns the
user ID to the Central Security Controller.
This mode can be combined with a preliminary PIN code verification.
ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
Yes
MODE
BIOPIN code verification
70
Yes
No
SSE-0000060806-05
AUTHENTICATION WITH BIOMETRIC TEMPLATES IN LOCAL

DATABASE
In this mode, only the ID (Identifier) is read on the card. If the ID exists in
the biometric database, the MorphoAccess performs an authentication
using the biometric templates associated to this ID.
The ID can be stored into a TLV structure (typically a card encoded by
MEMS) or directly read at a given offset of the card (binary ID).
ASCII ID, structured data

Contactless authentication with templates on local database
app/bio ctrl/authent ID contactless
1 (Enabled)
The identifier must be stored into a TLV structure.

ASCII identifier in tagged structure.
app/contactless/data format
0 (structured data)
app/contactless/data length
app/contactless/data offset
The user identifier is used as an index in the local database of the

MorphoAccess: reference biometric templates are stored in the local
database.
Please Present
Contactless
Smart Card
If the corresponding ID exists in the terminal database, the user is invited

to place his finger for biometric authentication.
Place your finger
For Authentication
Please

SSE-0000060806-05
71
Once the user authentication is done, the terminal automatically loops

back and waits for a new card presentation.
ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
No
MODE
authent ID contactless
Yes
No
Note: a non-empty database must exist in the terminal.
Binary identifier, non-structured data

This mode can not be used when card profile reading is configured (cf.
Enabling contactless smartcard reading).
Contactless authentication with templates on local database
1 (Enabled)
In this mode the identifier is read at a given offset on the card and is
supposed to be binary. No TLV structure is required on the card.
It is possible to read non-byte aligned data. It is useful to read a user ID
included in a Wiegand data or to use the card serial number as an
identifier.
1 (binary data)
Binary data are defined by their position from the first read block.
ID length is limited to 8 bytes (app/contactless/data length 8.0).
ID offset is limited to 15 bytes (app/contactless/data offset 15.0).
Data localization
app/contactless/B
[1-215]: read block
app/contactless/data length
[number of bytes].[additional bits]
app/contactless/data offset
[number of bytes].[additional bits]
The interpretation of the data can be defined.

Data interpretation
app/contactless/data type
0.1 (binary data, MSB first)

0.0 (binary data, LSB first RFU)
72
SSE-0000060806-05
The user identifier is used as an index in the local database of the

MorphoAccess: in this case reference biometric templates are stored in
the local database.
Authentication process is exactly the same as the one presented above.
Example 4 bytes identifier.
The terminal is configured to read 4 bytes.
Read bytes are F4 E1 65 34.
Corresponding user identifier in the local database is 4108412212
(ASCII).
Example reading a MIFARE smartcard Serial Number (big endian
format).
app/contactless/data format = 1
app/contactless/data type
= 0.1
app/contactless/data length = 4.0

app/contactless/data offset = 0.0
app/contactless/B
=1
Example reading 32-bits identifier in a complete Wiegand frame.

The card contains at sector 15 a complete 37 bits Wiegand frame
(including parity bits, site code).
On this example a 32 bits identifier begins at bit four, parity bits are noted
P.
Sector 15
Byte 0
0
Site
Byte 4
5
10
32 bits ID
30
31
32
33
34
ID
35
36
37
38
39
The corresponding configuration will read only the 32 bits ID on the card.
app/contactless/data format = 1
Binary identifier
app/contactless/data type = 0.1
Binary identifier read in MSB
app/contactless/data length = 4.0
4 bytes length
app/contactless/data offset = 0.4
ID begins bit 4 of sector 15
app/contactless/B = 46
Read at sector 15
It is possible to configure the MorphoAccess Wiegand output to add

parity bits.
SSE-0000060806-05
73
AUTHENTICATION BASED ON CARD MODE

Contactless authentication with card mode
app/bio ctrl/authent card mode
1 (Enabled)
In this mode the card decides on the control progress.

The CARD MODE tag is required. This tag can take several values.
PKS [0x02]: the user identifier, template 1 and template 2 are

required on the card. Biometric authentication is triggered with
biometric templates. If a BIOPIN is present instead of templates,
BIOPIN is controlled.
ID_ONLY [0x01]: only the user identifier is required. There is no

biometric control, the control is immediately positive. This feature
is useful for visitor requiring an access without enrolment. But it is
still possible to store templates on the card.
PIN_CODE [0x10]: only PIN code is controlled.
PIN_THEN_PKS [0x12]: PIN code is controlled then templates or

BIOPIN.
To enable this mode set app/bio ctrl/authent card mode to 1.
To disable this mode set app/bio ctrl/authent card mode to 0.
Required tags on card if CARD MODE tag value is PKS.
ID
CARD
PK1
PK2
PIN
BIOPIN
MODE
authent card mode (PKS)
Yes
Yes
Yes
Yes
No
No
authent card mode (PKS)

(BIOPIN)
Yes
Yes
No
No
No
Yes
Required tags on card if CARD MODE tag value is ID_ONLY.

ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
No
MODE
authent card mode (ID_ONLY)
74
Yes
Yes
SSE-0000060806-05
Required tags on card if CARD MODE tag value is PIN_CODE.

ID
CARD
PK1
PK2
PIN
No
No
Yes
BIOPIN
MODE
authent card mode

(PIN_CODE)
Yes
Yes
No
Required tags on card if CARD MODE tag value is PIN_THEN_PKS.

ID
CARD
PK1
PK2
PIN
BIOPIN
MODE
authent card mode

(PIN_THEN_PKS)
Yes
Yes
Yes
Yes
Yes
No
authent card mode

(PIN_THEN_PKS) (BIOPIN)
Yes
Yes
No
No
Yes
Yes
Card structure is described in MorphoAccess Contactless Card

Specification.
Note about bypass option combined with card mode

When the bypass authentication configuration key is activated (see
Bypassing the biometric control in authentication), the global control is
bypassed and card mode is ignored.
Remark about MorphoAccess with MA-Xtended licence

loaded
A MorphoAccess with MA-Xtended licence loaded scans the five
biometric databases to find the biometric templates associated to the ID.
SSE-0000060806-05
75
MULTI-FACTOR (MERGED) MODE

This mode is a merge
authentication mode.
of
identification
mode
and
contactless
This mode allows:
performing identification when the user places his finger (operation

identical to identification mode),
performing a contactless authentication when the user swipes his

contactless card (operation identical to contactless authentication
without database mode).
To trigger authentication, the user presents his card to the terminal or
places his finger on the sensor.
Please place
your finger or
Present card
If the authentication or the identification is successful, the terminal triggers

the access or returns the corresponding ID to the Central Security
Controller.
If there is no database, contactless card presentation is still possible.
Enabling one contactless mode and identification activate this mode.
Merged mode
1 (Enabled)
And
76
0 (Disabled) or 1 (Enabled)
SSE-0000060806-05

Required tag on card depends on the authentication mode, but at least an
ID is necessary.
ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
No
MODE
bypass authentication
SSE-0000060806-05
Yes
No
77
AUTHENTICATION WITH LOCAL DATABASE: ID ENTERED FROM

KEYBOARD
Biometric authentication with ID entered from keyboard

app/bio ctrl/authent ID keyboard
1 (Enabled)
In this mode, the ID of the user is entered using the MorphoAccess

keyboard. If the ID exists in the database (or in one of the five databases),
the MorphoAccess performs an authentication using the biometric
templates associated to this ID.
ID entered using the keypad and the authentication starts
The default screen invites the user to enter his numerical identifier.
Please enter ID
3563_
VAL
NOTE:
Key
COR
ID length is limited to 24 characters.

deletes the last character.
Once the ID is entered, the user confirms with green key
78
SSE-0000060806-05
If the corresponding ID exists in the terminal database, the user is invited

to place his finger for biometric authentication.
Place your finger
For Authentication
Please

If the identifier is not present in the local database, authentication is not
launched.
User not found in
current database
35639
Once the user identification is done, the MorphoAccess automatically

loops back and waits for a new ID.

loaded
A MorphoAccess with MA-Xtended licence loaded will scan the five
Note about bypass option

Bypassing the biometric control in authentication), the MorphoAccess
checks that the ID is present in the local database (or databases for MAXtended licence) before granting the access.
SSE-0000060806-05
79
AUTHENTICATION WITH LOCAL DATABASE: ID INPUT FROM

WIEGAND OR DATACLOCK
Biometric authentication: ID input from Wiegand or Dataclock

app/bio ctrl/authent remote ID source
1 for Wiegand
2 for Dataclock
This mode requires an external card reader that will send the users ID to
authenticate to the MorphoAccess Wiegand or Dataclock input.
Wiegand or Dataclock input
The default screen invites the user to pass his badge so the external
reader sends the user ID to the MorphoAccess Wiegand or Dataclock
input.
Pass your badge
For Authentication
Please
If the ID exists in the database, the MorphoAccess performs an

authentication using the biometric templates associated to this ID.
Place your finger
For Authentication
Please

returns the user ID to the Central Security Controller.
Once the user authentication is done, the MorphoAccess automatically
loops back and waits for a new input ID.
80
SSE-0000060806-05
If the identifier sent by the reader is not present in the local database,
authentication is not launched.
User not found in
current database
64235

loaded
A MorphoAccess with MA-Xtended licence loaded will scan the five
Note about bypass option

Bypassing the biometric control in authentication), the MorphoAccess
checks that the ID sent to the Wiegand or Dataclock input is present in the
local database (or databases) before granting the access.
Wiegand frame configuration

When set up to communicate with Wiegand protocol, the MorphoAccess
can handle multiple data format.
Default format is 26 bits.
The Wiegand frame format is defined using six configuration keys. A
different protocol can be defined for input.
Wiegand frame timings are not customizable. Additional security
(ciphering) is not handled. All Wiegand protocols are reverse.
Here after are listed the customizable parameters of a Wiegand frame.
- Length
A Wiegand frame can contain up to 128 bits.
- Control bits
In a Wiegand frame, start and stop bits are used as control bits. They can
be fixed to 0 or 1 or be used as parity (odd or even) bits calculated over
bits of the frame.
- Data
In the Wiegand protocol, three data are handled: the Site code (also called
Facility Code or Comparison Number), the ID (also called Badge Number
or Sequence Number) and a custom data. Data can have a variable bit
size and can be located anywhere in the frame. Data are inserted in the
frame MSB first.
SSE-0000060806-05
81
NOTE:
Since the software version 2.00 configuration key name has

been modified. The previous set key value is preserved.
Wiegand input parameters

app/wiegand in/
frame length
(before v2.00:
length)
start format
(before v2.00:
start)
1-128
0.0
1.0
2.n
3.n
4.0
n.m
Defines the start control bit:

Reset to 0.
Set to 1.
Even parity calculated over the n first bits.
Odd parity calculated over the n first bits.
No start bit.
Defines the stop control bit:
Reset to 0.
Set to 1.
Even parity calculated over the n last bits.
Odd parity calculated over the n last bits.
No stop bit.
Insert m bits of site value at offset n.
n.m
Insert m bits of ID value at offset n.
n.m
RFU.
0.0
1.0
2.n
3.n
4.0
stop format
(before v2.00:
stop)
site format
(before v2.00:
site)
ID format
(before v2.00:
ID)
custom format
(before v2.00:
custom)
Defines the number of bits of the frame.
Wiegand frame example (26 bits)

0
START
SITE
10
11
12
23
ID
8 bits
START bit calculation range
82
24
25
STOP
16 bits
1
STOP bit calculation range
SSE-0000060806-05
BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION

This mode requires only a user ID. This ID can be read on a smartcard,
entered on the keyboard or received on the Wiegand or Dataclock input.
The bypass authentication configuration key must be combined with an
authentication mode. Activating this flag means that the biometric
verification is bypassed.
The terminal controls that the user ID exists in the database

When combined with an authentication mode with templates in local
database, the MorphoAccess verifies that the ID is present in the local
database before granting the access.
ID on a contactless card
Disabling biometric control, but ID must be present in the local database
app/bio ctrl/bypass authentication
1 (Enabled)
1 (Enabled)

ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
No
MODE
Yes
No
ID entered on the keyboard

1 (Enabled)
1 (Enabled)
ID sent to the Wiegand or Dataclock input

1 (Enabled)
1 for Wiegand
2 for Dataclock
SSE-0000060806-05
83
The terminal works as a smart card reader.

When combined authent PK contactless the MorphoAccess always
authorizes the access: the MorphoAccess works as a simple card
reader.
Disabling biometric control, access is always granted
1 (Enabled)
1 (Enabled)

ID
CARD
PK1
PK2
PIN
BIOPIN
No
No
No
No
MODE
Yes
No
The terminal read binary ID on card and works as a smart card

reader
In this configuration the MorphoAccess reads binary data on card and
send it without verification.
Disabling biometric control (biometric control result is positive), enabling
contactless card authentication mode.
1 (Enabled)
1 (Enabled)
1 (Enabled)

84
1 (binary data)
SSE-0000060806-05
The terminal read Card UID on card and works as a smart card
reader
This feature is available since 2.09 firmware release
In this configuration the MorphoAccess reads the card UID (when the
contactless card complies with ISO/IEC 14443 type A card), and send it
without verification.
Disabling biometric control (biometric control result is positive), enabling
contactless card authentication
1 (Enabled)
1 (Enabled)
1 (Enabled)
Card UID used as users identifier

app/contactless/even on
app/bio ctrl/AC_ID
1 (Card UID)
Includes CARDSN:STD; string,
or CARDSN:REV; string if the bytes of
the Card UID must be read in reverse
order.
The CARDDATA; string can be removed.
SSE-0000060806-05
85
RECOGNITION MODE SYNTHESIS

The MorphoAccess operating mode is driven by:
the authentication or identification mode required: Card Only, Card

+ Biometric, Biometric only,
what defines the operating mode: Card or Terminal.
Mode defined by Card
Mode defined by Terminal
Operating mode
Authentication
ID in card
ID in card
Card only
Card Mode Tag = ID_ONLY
bypass authentication 1
authent ID contactless 1
Check ID on terminal
ID in card
authent PK contactless 1
No ID check on terminal
Authentication
ID and BIO in Card
ID and BIO in card
Card
Card Mode Tag = PKS
+ Biometric
authent PK contactless 1
ID on card and BIO in terminal
authent ID contactless 1
86
Identification
ID and BIO in terminal
Biometric only
identification 1
SSE-0000060806-05
SETTING UP RECOGNITION STRATEGY

Two attempts mode
If the recognition fails, it is possible to give a second chance to the user.
In identification mode, if a bad finger is presented, the user has 5 seconds
to present a finger again. The result is sent if this period expires or if the
user presents a finger again.
In authentication mode, if the user presents a bad finger, he can replace
his finger without presenting his card again. The result is sent only after
this second attempt.
It is possible to set the finger presentation timeout and to deactivate this
two attempts mode.
If the user is not identified, a second step follows immediately using a
smarter coding method. This coding allows recognizing users with dry
fingers or fingers with a bad placement on the sensor. However this
coding is slower than the light one.
Parameters
This mode can be configured using the Configuration Tool for example.
By default, the two attempts mode is activated.
Setting up the number of attempts
app/bio ctrl/nb attempts
1 (only one attempts)

2 (two attempts mode)
The period between two attempts in identification (two attempts mode) can
be modified.
Setting up the identification timeout
app/bio ctrl/identification timeout
5 (1-60)
In authentication mode a finger presentation period can be defined.

Setting up the authentication timeout
app/bio ctrl/authent timeout
SSE-0000060806-05
10 (1-60)
87
SETTING UP MATCHING PARAMETERS

Setting up matching threshold
bio/bio ctrl/matching th
3 (1-10)
The performances of a biometric system are characterized by two

quantities, the False Non Match Rate - FNMR - (also called False Reject
Rate) and the False Match Rate - FMR - (also called False Acceptance
Rate). Different trade-offs are possible between FNMR and FMR
depending on the security level targeted by the Central Security Controller.
When convenience is the most important factor, the FNMR must be low
and conversely if security is more important then the FMR has to be
minimized.
Different tunings are proposed in the MorphoAccess depending on the
security level targeted by the system. The table below details the different
possibilities.
This parameter can be set to values from 1 to 10. This parameter specifies
how tight the matching threshold is. Threshold scoring values are
identified hereafter:
1
Very few persons rejected
2
3
FMR < 0.3%

Recommended value
4
5
88
FMR < 1%
FMR < 0.1%
FMR < 0.03%
Intermediate threshold
FMR < 0.01%
FMR < 0.001%
FMR < 0.0001%
FMR < 0.00001%
Very high threshold (few false

acceptances). Secure
application
FMR < 0.0000001%
10
High threshold for test purpose

only
There are very little false

recognition, and many rejections.
SSE-0000060806-05
FAKE FINGER DETECTION (OPTION)

Compatibility with MorphoAccess 200 and 300 Series
equipped with fake finger detection
- Delay after fake finger detection
The function associated to MorphoAccess.200 and 300 Series
/cfg/Maccess/Security Policy/Delay in 10ms configuration key is no more
supported.
- FFD security level
The function associated to app/bio ctrl/FFD security level is only for standalone mode. (On MorphoAccess.200 and 300 Series, this parameter
applied to standalone mode and ILV) ILV has to set this parameter to have
a security level different from default security level.
FFD security level

The fake finger detection is characterized by a false reject rate
(percentage of live fingers detected as fake fingers) and a false
acceptance rate (percentage of fake finger detected as real ones). This
FRR (resp. FAR) is called FFD-FRR (resp. FFD-FAR). The overall reject
rate of MorphoAccess equipped with fake finger detection is in fact:
standard MA FRR + FFD-FRR.
Three security levels are proposed and provide different trade-off between
FFD-FAR and FFD-FRR.
0
Low fake finger detection security level
1 (default) Medium fake finger detection security level

2
High fake finger detection security level
Setting up FFD security level

bio/bio ctrl/FFD security level
SSE-0000060806-05
1 (0-2)
89
Presence detection
Terminals with fake finger detection option allow another presence
detection mode. Sensor off, a finger may be detected.
0 (default) Standard presence detection in identification mode. Sensor
LEDs are ON (MorphoAccess 500 without fake finger
detection standby state)
1
In identification mode, sensor is in standby (LEDs are OFF)

while finger detection is processing.
Setting up presence detection

bio/bio ctrl/presence detection
0 (0-1)
Failure ID
The administrator can choose the specific ID sent to Wiegand or
Dataclock interfaces when a fake finger was detected.
Setting up FFD failure ID
app/failure ID/FFD ID
90
65535 (0-65535)
SSE-0000060806-05
IDLE MODE
SSE-0000060806-05
91
IDLE MODE PRESENTATION

This feature is available since 2.09 firmware revision.
When using this mode, some features are temporary deactivated after a
certain period of inactivity, so that the MorphoAccess does not draw
attention the night or consumes less.
For the moment, only the following features can be deactivated by the idle
mode:
LCD and keyboard backlight,
Biometric sensor.
Those features can be activated again by using the remaining activated
features such as pressing the keyboard, receiving a distant command, and
so on.
It means, if only the backlight is deactivated, it can also be turned on by
putting a finger on the biometric sensor or by presenting a contactless
card in the antenna field.
92
SSE-0000060806-05
IDLE MODE ACTIVATION

The idle mode is not available when using the MorphoAccess in Proxy
Mode.
This mode is activated by setting the features to deactivate and the
inactivity timeout after which the features are deactivated.
Idle Mode
app/modes/idle peripherals
app/modes/idle timeout
3 (Deactivate backlight and

sensor)
0 (Deactivated, timeout in
minutes)
Please refer to MorphoAccess Series Parameters Guide documentation

for further information about the activation of this idle mode.
SSE-0000060806-05
93
PROXY MODE
Proxy mode is an operating mode where the Host System performs the access
control remotely.
94
SSE-0000060806-05
PROXY MODE (OR SLAVE) PRESENTATION

This operating mode allows to control the MorphoAccess remotely (the
link is IP or RS422) using a set of biometric and databases management
commands.
In Proxy mode the access control is performed remotely by the Host
System: the MorphoAccess works as a slave waiting for external
commands such as:
user identification,
user verification,
relay activation,
read data on a contactless smart card,
Biometric database management,
terminal configuration changes,
read an entry from the keyboard,
display a message,
read a contactless smart card.
Please refer to MorphoAccess Host System Interface Specification: this

document explains how to remotely manage a terminal.
For further details about SSL on the MorphoAccess, please refer to the
SSL Solution for MorphoAccess documentation.
SSE-0000060806-05
95
PROXY MODE ACTIVATION

Identification and authentication must be disabled. It means that all
controls must be turned off: the terminal becomes a slave.
Proxy mode
0 (Disabled)
0 (Disabled)
0 (Disabled)
0 (Disabled)
0 (Disabled)

96
0 (None)
0 (No)
0 (Disabled)
SSE-0000060806-05
APPLICATION CUSTOMIZATION
SSE-0000060806-05
97
SETTING UP TIME MASK

When using MEMS, a time mask feature is available. This mode
enables the access according to its time mask. Time mask is defined by
slots of 15 minutes over a week.
NOTE:
Since software version 2.00 the configuration key path has been
modified. The previous set key value is preserved.
Time mask activation

app/modes/time mask
1 (Enabled)
Before v2.00: app/time mask/enabled
To use this feature the local database must have been created with a
specific additional field. If this field does not exist activating this feature
will forbid the access to every user.
Please refer to MorphoAccess Host Interface Specification
understand how to create a database with time mask feature.
98
to
SSE-0000060806-05
MULTILINGUAL APPLICATION
The MorphoAccess can display texts in several languages. It is possible
to download a user defined language table. For more information about
this feature, refer to the MorphoAccess Host System Interface
Specifications.
Default language
app/G.U.I/default language
0 English (default)
1 Spanish
2 French
3 German
4 Italian
5 Portuguese
6 Arabic
7 Turkish
SSE-0000060806-05
99
DISPLAY HOUR
It is possible to display date and hour on terminal screen.
Display hour
app/G.U.I./display hour
Place your finger

for Identification
Please
4
100
14:25 DEC 10
SSE-0000060806-05
RESULT EXPORTATION
The MorphoAccess can export the result of the control to a Central Security
Controller, and can log the result in a local diary or directly command an access.
This section is only an introduction about the MorphoAccess interfaces. Please
refer to MorphoAccess Remote Messages Specification for complete details of
each interface.
SSE-0000060806-05
101
REMOTE MESSAGES: SENDING THE ID TO THE CENTRAL

SECURITY CONTROLLER
Presentation
The MorphoAccess can send status messages in real time to a Central
Security Controller by different means and through different protocols. This
information, called Remote Messages, can be used for instance to display
on an external screen the result of a biometric operation, the name or the
ID of the person identified depending on the role of the controller in the
system.
IP
RS485/422
Wiegand/Dataclock
The MorphoAccess Remote Messages Specification describes the

different solutions offered by the MorphoAccess to dialog with a
controller, and how to make use of them.
Supported Protocols
The terminal can send messages about the biometric operations
performed by the MorphoAccess to a controller through the following
protocols:
Wiegand,
Dataclock,
RS485/422,
IP (TCP or UDP or SSL).

For further information about the SSL on MorphoAccess, please refer to
SSL Solution for the MorphoAccess documentation.
102
SSE-0000060806-05
RELAY ACTIVATION
If the control is successful, a relay may be activated to directly control a
door.
Relay activation
app/relay/enabled
1 (Enabled)
The relay aperture time can be defined and is set by default to 3 seconds
(i.e. 300).
Relay aperture time in 10 ms
app/relay/aperture time in 10 ms
300
(50 to 60000)
The default state of the relay can also be defined. By default, the relay is
opened when it is in idle state.
Relay default state
app/relay/relay default state
0 (Opened)
1 (Closed)
Access control installation using a relay offers a low security level.
SSE-0000060806-05
103
Relay external activation

This feature is available since 2.07 firmware revision.
MorphoAccess relay is controlled by LED1 input
app/relay/external control by LED1
1 (Enabled)
This function controls the relay with a push-button connected to LED1

input. It means either a successful recognition or a signal on LED1 will
activate the relay.
If LED1 is high impedance (push-button off) the relay is not

activated.
If LED1 is connected to GND (push-button on) the relay is

activated.
Typically the MorphoAccess relay controls the door.
To enter in the building the user must be successfully recognized

by the MorphoAccess.
A simple push-button connected to LED1 on the MorphoAccess

will trigger the door to leave the building.
104
SSE-0000060806-05
LOG FILE
Enabling recording of all access request results in an internal log file
app/log file/enabled
1 (Enabled)
When this feature is enabled, the MorphoAccess creates a dated record

for each access request when the result is known, in an internal log file.
The created record includes:
the date and the time of record creation,
the result of the access control (granted or denied, and if denied for
which reason),
the identifier of the user (if available),
the selected time and attendance function (if applicable).

The MorphoAccess 500 Series terminals can record up to 8000 dated
records.
It is possible to download the log file. For more information about this
feature, refer to the MorphoAccess Host System Interface Specification.
It is also possible to display the content of the log file using the Logs
Viewer Application.
JANUARY 8 2007
15:25,OK,783170
15:28,KO,
15:45,OK,7895641
15:59,KO,783170
Enabling specific actions when internal log file is full

app/log file/full handling
00000000 (no specific action)
Depending on the configuration, when the 8000 records limit has been
reached, the MorphoAccess 500 Series terminal can:
Send an information message to a distant host (cf. Messages

sending)
Display a message on the screen
Reset the log file.

Please refer to MorphoAccess Parameters Guide for further details.
SSE-0000060806-05
105
LED IN ACTIVATION
Use this signal to wait a controller ACK before granting the access.
User ID
LED1 to GND: Access authorized

LED2 to GND: Access denied
1. If the user is recognized the MorphoAccess sends the user
identifier to the controller.
2. The MorphoAccess waits for a GND signal on LED1 or LED2. A
timeout can be defined.
3. The controller checks the users access rights.
4. The controller sets LED1 to GND to grant the access or sets LED2
to GND to deny the access.
This feature improves integration in a Central Security Controller (ACS).
The ACS through LED IN signals validates result of biometric matching.
LED IN mode activation
app/led IN/enabled
1 (Enabled)
When the ACS validates the control a timeout must be specified: it defines
the time during which the MorphoAccess will wait for an
acknowledgement signal from the ACS through LED IN signals.
LED IN acknowledgement timeout in 10 ms
app/led IN/controller ack timeout
300
(0 to 3000)
If the controller has only one LED signal dedicated to access authorized,
this signal must be connected to LED1 input. In this case access
forbidden signal will be based on a timeout. "controller ack timeout" value
must be defined as short as possible in a range corresponding to
controller reply delay.
A controller with distinct outputs (one for access forbidden, one for
access authorized) has to be connected to LED1 and LED2 I/O board
106
SSE-0000060806-05
SECURITY FEATURES
SSE-0000060806-05
107
SECURITY SWITCH MANAGEMENT

Alarm activation
The MorphoAccess can detect two intrusion attempt types:
someone tries to steal the complete terminal (anti theft opto-sensor

is triggered),
someone tries to open the terminal (tamper switch is triggered).

The MorphoAccess can transmit an alarm indication to the central
controller in case of intrusions. For that purpose, contact connections are
provided on I/O board (open circuit equals detection).
The MorphoAccess can send an alarm message to the central controller
in case of intrusions. It can also play a sound alarm while sending the
alarm.
NOTE:
Either the tamper switch or the opto-sensor triggers the alarm

message. Please refer to MorphoAccess 500 Series
Installation Guide to identify these switches on the terminal.
Alarm message
IP (UDP, TCP, SSL)
RS485/RS422
Wiegand
DataClock
To send an alarm on an output (IP, RS485/RS422, Wiegand, Dataclock),

the corresponding interface must be activated otherwise no alarm will be
sent.
Because Wiegand and Dataclock are multiplexed on the same lines, only
one of these protocols shall be enabled at one time, else priority is given
to Wiegand, then Dataclock.
Those keys are:
app/send ID wiegand/enabled,
app/send ID dataclock/enabled,
app/send ID serial/enabled,
108
SSE-0000060806-05

app/send ID serial/mode (to select RS422 or RS485 link),
app/send ID UDP/enabled,
app/send ID ethernet/mode (to choose between UDP or TCP),
app/send ID ethernet/SSL enabled (Please refer to SSL Solution

for MorphoAccess documentation).
Setting the key app/tamper alarm/level to an appropriate value configure
security switch management feature.
Tamper Alarm Level
0 (0 2)
app/tamper alarm/level
0 No Alarm.
1 Send Alarm (No Sound Alarm).
2 Send Alarm and Activates Buzzer (Sound Alarm)
The key app/failure ID/alarm ID defines the value of the alarm ID to send
to Wiegand or Dataclock. This ID permits to distinguish between a user ID
and an error ID. To be validated, key app/failure ID/enabled must be set
to 1.
Tamper Alarm ID
app/failure ID/alarm ID
65535 (0 65535)
app/failure ID/enabled
1 (Enabled)
In Wiegand and Dataclock the alarm ID is sent like other Failure Ids. See
the documentation MorphoAccess Remote Messages Specification for a
description of the packet format in UDP and RS485.
Examples
Example 1: Send an alarm ID (62221) in Wiegand, and play sound
warning, in case of intrusion detection.
To send an alarm in Wiegand, the key app/send ID wiegand/enabled must
be set to 1, and the key app/tamper alarm/level must be set to 2 (alarm
and buzzer).
The key app/failure ID/alarm ID must be set to 62221 to link the intrusion
event to this identifier and the key app/failure ID/enabled must be set to 1.
Example 2: Send an alarm in UDP quietly in case of intrusion
detection.
To send an alarm in UDP, the key app/send ID UDP/enabled must be set
to 1.
Then the key app/tamper alarm/level must be set to 1 (quiet alarm.)
SSE-0000060806-05
109
PASSWORDS
Two passwords protect the system:
the Terminal Configuration Password protects the MorphoAccess
local administration and controls devices settings,
the User Management Password is required to access to local
database: it protects the Enrolment Application and the Log Viewer
Application.
Both default passwords values are 12345.
If a password is forgotten, contact the hotline. Then it is strongly
recommended to put the new password in a safe place.
110
SSE-0000060806-05
MESSAGES SENDING
This section describes how the MorphoAccess 500 Series terminal can send
messages to another entity. Those messages are different than the result exportation
(cf. Result exportation).
SSE-0000060806-05
111
PRINCIPLE
When specific events occurred during the MorphoAccess access control
applications working, some messages can be generated and sent to
another physical entity.
The events that produce messages sending are:
Internal log file full
Internal database synchronization request

Please refer to MorphoAccess Remote Messages Specification for
details about the messages content.
112
SSE-0000060806-05
EVENTS
The messages sending process is customizable using two configuration
files:
Events.cfg
Remotemsg.cfg
This section only details the events.cfg file.
The terminal allows choosing which event generates a message to send.
By default, every event generates a message.
Events mask
FFFFFFFF
Events/general/active
(Every events generate messages)

For each event, the number of identical messages sent can be configured:
Log Full number of sending
Events/log_full/nb sending
0
(No sending attempt)
For each messages to send, the following parameters are customizable:
Number of retry for the current message,
Time to wait between two attempts,
Response awaited or not,
Terminal sending interface (cf. Sending Interfaces).

Please refer to MorphoAccess Parameters Guide for further details
about the messages sending configuration.
SSE-0000060806-05
113
SENDING INTERFACES
This section only details the remotemsg.cfg file.
The terminal allows choosing the number of interfaces that will be
available for the messages sending process (cf. Events).
By default, no interface is available.
Number of available interfaces
Remotemsg/interface/nb interfaces
For each interface available, the following parameters are customizable:
Communication layer
Protocol used
Parameters depending on the layer and the protocol used.

There is only the TCP protocol on the IP layer that is available. In that
case, the parameters available are:
The distant IP address to contact
The distant port to connect to
The sending timeout
The receiving timeout

Please refer to MorphoAccess Parameters Guide for further details
about the interfaces configuration.
114
SSE-0000060806-05
APPENDIX
SSE-0000060806-05
115
ENROLMENT ON TERMINAL WITH SYNCHRONIZATION

Principle
Depending on its configuration, the MorphoAccess terminal can log in a
file every actions performed on the biometric database (or databases)
using the dedicated enrolment application.
Then the database administrator can synchronize other MorphoAccess
with this database, but keeping the reference database on a host system
(using MEMS for example).
On the administrator demand, the terminal sends a synchronization
message to the host system (cf. Messages sending).
The host system asks for the changes by asking for the log lines and then
updates its reference database by asking for the new users data for
example.
Finally, the host system downloads the updated database in every
MorphoAccess and erases the log file.
Note: The log file containing the biometric changes is not the access
control result log file.
Example with MEMS application:
Local administrator adds/modifies/deletes users or encodes
contactless smartcards, generating corresponding Local
Enrolment Logs.
At the end of the enrolment session, local administrator can
launch synchronization.
Terminal then sends a synchronization request to distant host.
Distant application administrator acknowledges
synchronization request.
Then it asks the terminal the Local Enrolment Logs (data = ID
+ add/modify/delete/encode tag)
Distant application administrator then asks the terminal for the
database records it would like to retrieve.
Terminal answers by sending corresponding records
(including biometric data).
Data are then updated in centralized database.
Distant application can then re-dispatch consolidated
database to other connected terminals.
116
SSE-0000060806-05
Activation
To activate this feature, several parameters have to be set:
The actions to log (key /log/LogParam/LogMask),
The name of the internal log file (key /log/LogParam/LogFile)
The size of the internal log file (key /log/LogParam/LogFileSize),
The
events
that
generates
messages
sending
(key
/events/general/active),
The number of synchronization messages (key /events/bio_chg/nb

sending),
The sending parameters (key /events/bio_chg/send#) cf. Events.
The sending interface (key /remotemsg/interfaces/int#) cf. Sending

Interfaces.
Please refer to MorphoAccess Parameters Guide to know about those
configurations key, and to MorphoAccess Enrolment Application User
Guide to know about the logged actions.
Once the terminal is configured, the synchronize item can be selected in
the dedicated enrolment application.
Stopping
The synchronization cannot be cancelled. The process stops either when
the host system confirms the synchronization message reception, or when
every attempt to send that message has failed.
SSE-0000060806-05
117
MORPHOACCESS 220 / 320 COMPATIBILITY

These tables present parameters equivalence between MorphoAccess
300 and 200 Series and MorphoAccess 500 Series.
Multi-factor mode (/cfg/Maccess/Admin/mode 5 on 220 and 320) is
activated when app/bio ctrl/identification is set to 1 and at least one
contactless card mode is enabled.
MA 200/300 Series
MA 500 Series
Identification
/cfg/Maccess/Admin/mode 0
app/bio ctrl/identification 1
Contactless authentication with ID on card, template in local database

app/bio ctrl/authent ID contactless 1
Contactless authentication: Card mode

/cfg/Maccess/Contactless/without
DB mode 0
app/bio ctrl/authent card mode 1
/cfg/Maccess/Admin/mode 3 or
(multi-factor mode)
Contactless authentication: Biometric verification
DB mode 2
app/bio ctrl/authent PK contactless 1
(multi-factor mode)
Contactless authentication: ID only, no biometric verification
DB mode 1

app/bio ctrl/bypass authentication 1
(multi-factor mode)
118
SSE-0000060806-05
MA 200/300 Series
MA 500 Series
Authentication: ID input from Wiegand or Dataclock

app/bio ctrl/authent
source 1 or 2
remote
ID
Jumper configuration defining the ID

source (Dataclock or Wiegand)
Proxy mode
app/bio ctrl/authent card mode 0
app/bio ctrl/authent ID contactless 0
app/bio ctrl/authent ID keyboard 0
SSE-0000060806-05
119
Authent PK
contactless
Authent ID
contactless
Bypass
authentication
Operation
Authent card
mode
CONTACTLESS MODES TABLE
Authentication with templates in database

Read ID on contactless card.
Retrieve corresponding templates in database.
Biometric authentication using these templates.
Send ID if authentication is successful.
Authentication with templates on card

Read ID and templates on contactless card.
Biometric authentication using these templates.
Send ID if authentication is successful.
Card mode authentication

Read card mode, ID, templates (if required by card mode)
on contactless card.
If card mode is ID only , send ID.
If card mode is Authentication with templates on card ,
biometric authentication using templates read on card, then
send ID if authentication is successful.
Authentication with templates in database biometric

control disabled
Check corresponding templates presence in database.
Send ID if templates are present.
Authentication with templates on card biometric

control disabled
Send ID.
Card mode authentication biometric control disabled

Read card mode, ID, templates (if required by card mode)
on contactless card.
Whatever card mode, send ID.
120
SSE-0000060806-05
REQUIRED TAGS ON CONTACTLESS CARD

Operation
ID
CARD
PK1
PK2
PIN
BIOPIN
MODE
Authentication with templates

in database
Yes
No
No
No
No
No
Authentication with templates

on card
Yes
No
Yes
Yes
No
No
Card mode
(ID_ONLY)
authentication
Yes
Yes
No
No
No
No
Card mode
(PKS)
authentication
Yes
Yes
Yes
Yes
No
No
Authentication with templates Yes

in database biometric control
disabled
No
No
No
No
No
Authentication with templates Yes

on card biometric control
disabled
No
No
No
No
No
Card mode authentication Yes

(ID_ONLY) biometric control
disabled
Yes
No
No
No
No
Card mode authentication Yes

(PKS) biometric control
disabled
Yes
Yes
Yes
No
No
BIOPIN check
Yes
No
No
No
No
Yes
PIN check
Yes
No
No
No
Yes
No
SSE-0000060806-05
121
FAQ
Sensor is off
Check that the base contents at least one record.
Check that identification mode is enabled.
Terminal returns erratic answers to ping requests

Check the subnet mask. Ask your administrator the right value.
122
SSE-0000060806-05
RELATED DOCUMENTS
Administrator Information
MorphoAccess 500 Series User Guide
This document describes operating mode and terminal settings
MorphoAccess Parameters Guide
The complete description of terminal configuration files and registry keys
This document gives also parameters default values
MorphoAccess 500 Series Configuration Application User Guide
This document describes the configuration application processing
MorphoAccess 500 Series Enrolment application User Guide
This document describes the local enrolment process and features
MorphoAccess 500 Series Log viewer User Guide
This document describes the log viewer process and features
Installation Information
MorphoAccess 500 Series Installation Guide
This document describes installation operating and MorphoAccess 500
Series interfaces features
Developer Information
MorphoAccess Host Interface Specification
A complete description of remote management commands
MorphoAccess Remote Messages Specification
Details how the MorphoAccess sends the access control result to a
Central Security Controller
SSE-0000060806-05
123
MorphoAccess Contactless Card Specification

This document describes the MorphoAccess contactless card feature
Support Tools
Configuration Tool User Guide
Configuration Tool user guide, via IP
USB Tool User Guide
Configuration Tool user guide, via USB key
MorphoAccess Upgrade Tools User Guide
Upgrade Tool user guide about firmware upgrading procedures
Licence Manager User Guide
Download a licence in MorphoAccess using Licence Manager.exe PC
application
124
SSE-0000060806-05
CONTACTS
SSE-0000060806-05
125
SUPPORT
Customer service
Sagem Scurit
SAV Terminaux Biomtriques
Boulevard Lnine - BP428
76805 Saint Etienne du Rouvray
FRANCE
Phone: +33 2 35 64 55 05
Hotline
Sagem Scurit
Support Terminaux Biomtriques
18, Chausse Jules Csar
95520 Osny
FRANCE
hotline.biometrics@t.my-technicalsupport.com
Phone: +33 1 58 11 39 19
http://www.biometric-terminals.com/
Copyright 2009 Sagem Scurit
http://www.sagem-securite.com/
126
SSE-0000060806-05
Head office : Le Ponant de Paris

27, rue Leblanc - 75512 PARIS CEDEX 15 - FRANCE

MorphoAccess 500 Series User Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MorphoAccess 500 Series User Guide

Uploaded by

Copyright:

Available Formats

MorphoAccess 500 Series

OMA 500 Series

Produced by Sagem Scurit

MorphoAccess 500 Series User Guide

SCOPE OF THE DOCUMENT

EASY SETUP ASSISTANT

STAND ALONE MODES (NETWORKED OR NOT)

PRELIMINARY: ADDING A BIOMETRIC TEMPLATE IN LOCAL DATABASE

Sagem Scurit document. Reproduction and disclosure forbidden

BYPASSING THE BIOMETRIC CONTROL IN AUTHENTICATION

IDLE MODE PRESENTATION

PROXY MODE (OR SLAVE) PRESENTATION

SETTING UP TIME MASK

REMOTE MESSAGES: SENDING THE ID TO THE CENTRAL SECURITY CONTROLLER

SECURITY SWITCH MANAGEMENT

ENROLMENT ON TERMINAL WITH SYNCHRONIZATION

Sagem Scurit document. Reproduction and disclosure forbidden.

CONTACTLESS MODES TABLE

Sagem Scurit document. Reproduction and disclosure forbidden

Add a Date/Time settings description

Add juvenile option feature of MA2XX and MA3XX devices.

Add MA 500+ Series and DESFire terminals

Add Wi-Fi static IP and WPA-PSK configuration

WI-FI is a registered mark of the WI-FI Alliance

Sagem Scurit document. Reproduction and disclosure forbidden.

Congratulations for choosing the MorphoAccess 500 Series Automatic Fingerprint

Sagem Scurit document. Reproduction and disclosure forbidden

SCOPE OF THE DOCUMENT

Sagem Scurit document. Reproduction and disclosure forbidden.

reorient or relocate the receiving antenna,

increase the separation between the equipment and receiver,

connect the equipment into an outlet on a circuit different from that

consult the dealer or an experienced radio/TV technician for help.

Sagem Scurit document. Reproduction and disclosure forbidden

Sagem Scurit document. Reproduction and disclosure forbidden.

MorphoAccess is a fingerprint identification device for physical access control, time

Sagem Scurit document. Reproduction and disclosure forbidden

a high quality optical scanner to capture fingerprints (1),

a bicolour led (2),

an optional contactless smart card reader (see details in section

a keyboard for time and attendance functions, local administration,

a 128x64 display screen (5).

Sagem Scurit document. Reproduction and disclosure forbidden.

a multiplexed Wiegand / Dataclock output to export the user

a RS422 or RS485 output (2),

a LED OUT signal output (3),

two LED IN inputs to improve integration with a Central Security

a relay to directly command an access (door lock) (5),

a multiplexed Wiegand / Dataclock input to receive the user

an Ethernet interface (LAN 10/100 Mbps) allowing remote

a Power Over Ethernet Interface (LAN 10/100 Mbps) allowing

The MorphoAccess 500 Series Installation Guide describes precisely

Sagem Scurit document. Reproduction and disclosure forbidden

MorphoAccess biometric database management

Local management mode,

Remote management mode.

Sagem Scurit document. Reproduction and disclosure forbidden.

MorphoAccess operating mode

In Stand Alone Mode (terminal networked or not), the terminal can

In Proxy Mode, the terminal is remotely operated by a host

MorphoAccess result sending

Sagem Scurit document. Reproduction and disclosure forbidden

Sagem Scurit document. Reproduction and disclosure forbidden.

Multi-applicative architecture synthesis