plusID Manager is the software application used to issue plusID™ personal identity
verification devices. It enables the enrollment and configuration of devices by an authorized
Enrollment Administrator, or other designated personnel.
2. What is a plusID Device?
plusID is a universal biometric token that replaces access cards used to enter secured
buildings and passwords used to log on to computers. plusID uses its owner’s
fingerprint to verify their identity before granting access. It works in much the same way that
a remote control is used to operate a television or a garage door, but requires its authorized
owner’s fingerprint to “unlock” the device for operation.
3. What is Enrollment?
Enrollment is a key component to plusID device issuance. It is what makes the device work
for its enrolled owner and no one else. During enrollment a user’s fingerprint images are
captured, encoded, and securely stored as templates on the plusID device. During regular
operation, any live fingerprint presented to the device is compared to the templates stored on
the device to ensure that only the authorized user can operate the device. This comparison, or
matching process, is called verification. Enrollment readies a device to be used for
verification.
The enrollment process also includes assigning access credentials to the buttons found on the
front of the device. This is what enables the plusID device to be used for physical access to
doors and facilities.
4. System Components
• One (1) CD-ROM containing the Privaris plusID Manager software application and
documentation
• plusID device(s)
• One (1) available USB port on the computer running plusID Manager
• One (1) mini-USB cable (packaged with each plusID device)
• Microsoft® Windows® 2000 SP4, XP Home, XP Professional or Vista
• 64 megabytes of RAM
• 50 megabytes of available hard drive space
• 800x600 minimum screen resolution
5. How It Works
The plusID Manager software communicates with plusID devices over a USB connection.
When connected to the USB port of a computer, the blue light on the device stays on to show that
a connection between the device and the PC has been made.
6. Securing plusID Devices
4 11.08.07
Privaris plusID Manager Operators Manual V1.1
a. The Administrator PIN & Device Registration
plusID devices are secured to a specific organization through the assignment of an
Administrator PIN. It is what prevents the manipulation of issued plusID devices by
outside organizations and malicious or otherwise non-authorized parties.
The Administrator PIN is assigned to the device during registration (when the device is
connected to the plusID Manager application for the first time) and is securely stored on
the device.
Each issuing organization must select an Administrator PIN (Personal Identification
Number) that will be used by Enrollment Administrators to enroll and update all plusID
devices. This PIN should be treated as a corporate secret and guarded in the same manner
as other keys/passwords that grant access to valuable resources. It is recommended that
the Administrator PIN only be accessible by officers of the company and designated
Enrollment Administrators/Security Personnel.
! If the Administrator PIN is lost or forgotten you will not be able to reset the
Administrator PIN that is installed on devices during device registration and you will not
be able to access or modify any previously issued devices.
! It is highly recommended that each organization select a single Administrator PIN for all
plusID devices. Creation of more than one PIN will result in a population of devices
having different PINs and there is no way to determine what PIN is on a device other
than by trial and error (with a limited number of attempts).
! If the Administrator PIN were ever to be compromised, issued devices would be
susceptible to manipulation by outside organizations, and the security of corporate
physical and logical assets would be placed at risk.
b. Single Administrative Authority
Each plusID device can have only one administrative authority (i.e., managed by one
installation of the plusID Manager). For security purposes, once issued, the device can
only be modified or updated using the same computer on which it was originally
registered. The only way for a registered device to be updated using a different
workstation than the one on which it was registered is for the device to be
disassociated from the computer (see “Change Device Manager” in Section II.9.c.),
and then re-registered to a new computer.
! This version of the plusID Manager software is not intended to be installed on more than
one computer/workstation per organization.
If trying to connect a previously issued device registered by another computer, a
Security Advisory will appear (Figure 1). Upon acknowledging this message, any
administrator-related functions (such as biometric enrollment or credential
assignment) are removed from the normally available user interface options.
Figure 1
7. plusID Manager Installation
The CD containing the plusID Manager software will run automatically when
inserted in the CD-ROM drive, provided auto run is enabled, and will display the plusID
Manager Setup Wizard (Figure 2). If the installation program does not run automatically,
navigate to the CD-ROM drive and double click setup.exe.
Installation Setup Wizard
Figure 2
Follow the screen prompts to install the software:
Component selection
There are two available components, the plusID Manager software and the minidriver
that is required to use the plusID device for computer logon and to issue credentials
for computer logon to other device recipients. Select from an Administration
Installation (plusID Manager and minidriver), Client Installation (minidriver only) or
Custom Installation (either).
When the component selection is complete, another Setup Wizard window will
appear to configure the installation options for the plusID Manager software:
• Acceptance of the plusID software licensing agreement terms
• Designation of the software destination location
• Designation of software icons
• Automatic installation of Crystal Reports for .Net Framework 2.0 (required
for the plusID Manager’s reporting tool), if not already resident on
computer
8. Connecting to a plusID Device
A plusID device will power on automatically when connected via USB:
• Turn on the computer
• Insert the large end of a mini-USB cable (included with every plusID device) into the
computer’s USB port
• Insert the smallest end of the mini-USB cable into the USB port at the base of the
plusID device
The device’s blue light will blink while it is connecting and turn solid once a connection with
the computer has been established. As long as the device is connected via USB, the solid
blue light will stay on and the device’s battery will charge (provided the PC is not
hibernating).
Found New Hardware Wizard
The first time the device is connected to a computer, the Found New Hardware Wizard will
appear to prompt the downloading of a device driver (a standard Microsoft driver) that
enables the device to communicate with the computer:
• if the plusID Manager CD-ROM is inserted in the computer, point the hardware
wizard to the CD
• if the plusID Manager CD-ROM is not inserted, point the hardware wizard to the
Internet, where it will find the standard Microsoft driver
9. Starting the Application
! Starting the plusID Manager software requires Administrator privileges.
To start the application from the Windows taskbar click Start>Programs>Privaris>plusID
Manager (or elsewhere if you modified the default file destination during installation), or
double-click the plusID Manager desktop icon shortcut, if created during setup.
The plusID Manager home page and main menu tree will be displayed (Figure 3).
The main menu tree has three branches.
1. plusID Manager
2. Devices
3. Help
Each branch contains several menu options and can be expanded and collapsed using the
up/down arrow to the right of the branch’s name.
If a plusID device is not connected to the computer when the plusID Manager application is
opened, the menu options contained under “Devices” will not be available; instead, the
following page is displayed:
Figure 3
Main Menu
Section II: PLUSID MANAGER MENU OPTIONS
1. Application Settings
The “Application Settings” screen (Figure 1) contains three tabs: Settings, Utilities and
About:
Figure 1
Application Settings
Settings
Enter the issuing organization’s name on this screen and it will be included on every report
that is run from the plusID Manager software. This field is not mandatory.
Select whether or not the Administrator PIN warning is displayed each time that a new device
is registered.
! The Administrator PIN function is critical to ensuring the security of devices.
Utilities
During device registration, the plusID Manager stores all of the information associated with
the user and their device, including their contact information, the device serial number, access
credentials and all of the settings assigned to the device at the time of issuance. This
information is stored locally in the plusID Manager’s database.
! The plusID Manager database stores only user contact and device information; no biometric
data is stored. All biometric data is securely processed and stored on each user’s individual
plusID device.
The “Utilities” screen allows an organization to determine if and where this database of
device and user information is backed-up for safe keeping.
If the “Always back-up database on start up…” box is checked, a file location for
downloading the back-up data must be designated using the adjacent “Browse” button. The
“Back-up Database Now” button activates a real-time database download (as opposed to the
back-up occurring only when the application is closed). Once selected, a pop-up appears for
designating where on the computer the back-up file should be saved. It is strongly
recommended that the data be backed-up on an external medium other than the computer’s
hard drive, such as a network drive or USB storage device.
The “Restore Database Now” button reinstates the plusID Manager’s database in the event
the plusID Manager application needs to be reinstalled, for instance if the computer’s hard drive
was lost.
Figure 2
Utilities
About
The “About” screen lists the version number of the plusID Manager software application.
2. Default Device Settings
The “Default Device Settings” screen (Figure 3) contains the settings that will be applied to
all plusID devices enrolled with the plusID Manager software. These settings can be changed
at any time, but changes will apply only to devices enrolled, re-enrolled, or re-configured,
after the Default Device Settings have been modified.
Note: These default settings can be changed for individual plusID devices at any time by
selecting the “Settings” option under “Devices” from the main menu tree. Changes made on
the “Settings” screen override the default device settings only for the individual plusID device
that is connected at that time.
Figure 3
Default Device Settings
To configure the default settings, select “Default Device Settings” from the main menu tree.
Select “Apply Changes” after modifying any of the settings on this screen for the settings to
take effect.
The “Refresh” button rereads the current database values, discarding any current
modifications that have not been applied.
Following are descriptions of the individual setting options.
a. Timeout Settings
Pre-Verification
The Pre-Verification timeout setting determines how long the device will wait for a
verification (fingerprint swipe) before powering off.
The timeout can be set from 5 to 255 seconds. The default setting is 10 seconds.
Note: This setting only applies to verifications performed after enrollment, during normal
device usage, and when the device is not connected to a computer.
Post-Verification
The Post-Verification timeout setting determines how long the device’s credentials will
remain active after a successful verification. The device is active for as long as its green
light is on, post-verification.
The timeout can be set from 5 to 255 seconds. The default setting is 10 seconds.
! The longer the post-verification timeout setting the greater the demand on the device’s
battery, which may reduce the average number of verifications available per charge.
b. Security Settings
Fingerprint Matching Level
The plusID device has three configurable security settings: High, Medium, and Low.
Each setting corresponds to an associated fingerprint matching level, or False Acceptance
Rate (FAR).
Every biometric system has an associated FAR. An FAR is the percentage of
unauthorized users that the device will incorrectly match to a valid user’s stored
fingerprint template. Below are the FARs that can be set in the plusID device:
Security Setting      False Acceptance Rate (FAR)
High (More Strict)    1 in 100,000 (.001%)
Medium (Default)      1 in 10,000 (.01%)
Low (Less Strict)     1 in 1,000 (.1%)
The low security setting may match (verify) a fingerprint faster than the high security
setting, but will allow a higher number of false acceptances, and vice versa.
The recommended, and default security setting for the plusID device is high.
c. User Logon Settings*
Authentication Mode
The Authentication Mode selection sets the security level required when using the plusID
device for computer logon (post-enrollment). If the device is not being used for logon,
this setting can be left at its default value.
There are two options:
Biometric and PIN
requires a personal identification number (PIN) and a biometric verification
(using the plusID device). Note: If this option is selected, a User PIN must be
assigned. (See Section III.8. for more information.)
Biometric Only
requires only a biometric verification (using the plusID device)
The first option is a three-factor security solution: something the user has (the plusID
device), something they know (a PIN) and something they are (their fingerprint).
The second option is a two-factor security solution: something the user has (the plusID
device) and something they are (their fingerprint).
The default value is the highest security level, Biometric and PIN.
* See Appendix E for system requirements for using plusID devices for logon in a Microsoft® Domain
Environment.
d. Sound Settings*
! This option is not available on all plusID models and will be disabled when a
plusID device without sound capability is connected.
This selection determines if and when the plusID 90 device provides audible feedback to
the user to indicate a successful or failed verification and when a transaction is complete.
Selecting a check box turns on the sounder. Selecting the “All Sounds” option turns the
sounder on for all three instances described below.
USB Connected
activates the sounder anytime the device is connected over USB, including during
enrollment and configuration, as well as when used for computer logon.
USB Disconnected
activates the sounder whenever the device is being used wirelessly.
Long Range
provides an extra sound/beep after a successful verification to indicate that the long
range transceiver has recognized and granted access to the user/plusID.
3. Long Range Settings
! This option is specific to the plusID 90 model.
! Additional hardware (a long range transceiver) and software (The Transceiver Configuration
Tool) are required for use in a long range setting.
One application of the plusID 90 model is identity verification in a stand-off (long
range) setting, such as at a vehicle gate.
The required long range transceiver is an electronic device that, when connected to
an antenna, can communicate with the plusID 90 at distances of up to 100 meters
(depending on the antenna selected) to grant access. The transceiver connects to
most existing physical access control systems using a Wiegand interface, or to a
PC-based interface using Ethernet.
The Long Range Settings Screen (Figure 4) is used to define the transceiver(s) being
used in the long range setting with plusID 90 devices. Two steps are required:
Step one is to create a key to be assigned to a transceiver. Step two is to define or
“create” the transceiver(s) and assign a key.
Organizations can have multiple transceivers at one or multiple locations. Individuals
can be given access to some or all of them, as determined by which transceiver’s
credentials are downloaded to the user’s plusID 90 device. Downloading the long
range transceiver credentials is a required step that occurs after the transceiver(s)
have been defined (see “Credentials” Section III.7.d).
Following are descriptions of the individual setting options.
a. Keys
A key must be created and assigned to each long range transceiver. This can be
done in the plusID Manager or in the Transceiver Configuration Tool. The
Transceiver Configuration Tool is the software that accompanies the Long Range
Transceiver. The key must be assigned the same name and the same value in both the
plusID Manager and the Transceiver Configuration Tool.
A key is an encrypted alphanumeric string and a security feature. The
transceiver key is ultimately assigned to each plusID 90 device, thus binding it to
a long range transceiver. This ensures that the transceiver communicates only
with authorized plusID 90 devices and prevents communication with devices
issued by any other organization.
! The same key can be assigned to multiple transceivers. Any plusID device with a key
will have access to all transceivers with the same key.
Figure 4
Long Range Settings
To create a new key
Recommended if the transceiver key has not already been created within the Transceiver Configuration Tool.
1. Select the “New Key” button. The New Transceiver Key entry screen
(Figure 5) will appear.
2. Assign a unique name for the key and enter it in the “Key Name” field.
Example: North Entry Gate.
3. Select how the key’s value is to be determined:
a. Randomly Generated: this is the most secure option
b. From Passphrase: enter a word or phrase
The preview bar at the bottom displays the key as it is generated. The
key changes as the option changes or as the text entered in the
“Passphrase” field changes.
4. Click “OK” to save the key
5. Select “Export” and choose a location for saving the new key so that it
can be easily imported into the Transceiver Configuration Tool
Figure 5
New Transceiver Key Screen
To use an existing key
Recommended if the transceiver key has already been created within the
Transceiver Configuration Tool.
1. Select the “Import a Key” button. The Import Transceiver Key entry
screen (Figure 6) will appear.
2. Assign a name for the key and enter it in the “Key Name” field. It should
be the same name, or as close as possible to the name assigned to the
key in the Transceiver Configuration Tool.
3. Click the “Browse” button to find the file location of the saved key.
4. Click “OK” to save the key.
Additionally, the “New Key” button can be selected and the same passphrase
can be entered as was entered in the Transceiver Configuration Tool for the
existing key to be used. The spacing and capitalization of the passphrase
have to be exact for the same key to be assigned.
Figure 6
Import Transceiver Key Screen
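The two key options above ("Randomly Generated" and "From Passphrase") and the exact-match requirement for a re-entered passphrase, shown as an added example that is not Privaris code. The manual does not say how a passphrase becomes a key, so PBKDF2-HMAC-SHA256, the fixed salt, the 16-byte key length, the check value and the sample passphrase are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Assumptions for this sketch (none of these values come from the manual):
KEY_BYTES = 16                             # assumed key length
KDF_ITERATIONS = 100_000                   # PBKDF2 work factor
KDF_SALT = b"example-transceiver-key-v1"   # fixed, so two tools derive the same key


def key_from_passphrase(passphrase: str) -> bytes:
    """Derive a key deterministically; every character, space and case counts."""
    if not passphrase:
        raise ValueError("passphrase must not be empty")
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), KDF_SALT, KDF_ITERATIONS, dklen=KEY_BYTES
    )


def random_key() -> bytes:
    """Randomly generated key: KEY_BYTES * 8 bits from the OS CSPRNG, nothing to guess."""
    return secrets.token_bytes(KEY_BYTES)


def fingerprint(key: bytes) -> str:
    """Short check value so two operators can compare keys without reading them out."""
    return hashlib.sha256(b"key-check:" + key).hexdigest()[:8]


def diagnose_reentry(original: str, retyped: str) -> Tuple[bool, str]:
    """Compare the key from a retyped passphrase with the original and say why it differs."""
    if hmac.compare_digest(key_from_passphrase(original), key_from_passphrase(retyped)):
        return True, "same key"
    if original.casefold() == retyped.casefold():
        return False, "capitalization differs"
    if "".join(original.split()) == "".join(retyped.split()):
        return False, "spacing differs"
    if "".join(original.casefold().split()) == "".join(retyped.casefold().split()):
        return False, "spacing and capitalization differ"
    return False, "different passphrase"


if __name__ == "__main__":
    reference = "Blue Heron 42"  # constructed sample passphrase
    attempts = ["Blue Heron 42", "blue heron 42", "Blue  Heron 42", "blue heron  42"]
    for attempt in attempts:
        ok, why = diagnose_reentry(reference, attempt)
        print(f"{attempt!r:20} {fingerprint(key_from_passphrase(attempt))}  {why}")
    print("random key check value:", fingerprint(random_key()))
```

A passphrase-derived key is only as hard to guess as the passphrase itself, which is why the manual ranks the randomly generated key as the most secure option.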
b. Transceivers
After creating at least one key (see above), a new transceiver can be
created/defined.
From the Long Range Settings screen (Figure 4), select and highlight the key
that will be associated with the new transceiver.
1. Select the “New Transceiver” button. The Create New Transceiver
Screen (Figure 7) will appear.
2. Provide a unique name for the transceiver. It can be the same or
different from the name of the key. Example: North Entry Gate, Lane #2
3. Enter a description of the transceiver’s location (optional)
4. Select at least one type of credential for use with the transceiver. The
options are: Managed or Wiegand. This selection determines which type
of user access credentials can be downloaded onto users’ plusID 90
devices using the Credentials Screen (see Section III.7.d.)
Wiegand: In this mode the transceiver outputs a Wiegand code, making it
compatible with existing physical access control systems (PACS).
Managed: In this mode the transceiver is a pass-through device that
requires a 3rd party PC-based control system.
Garage Door: In this mode the transceiver can be used to fire a relay to,
for example, raise a garage door.
5. Select “OK”
The selected options may be edited by double-clicking on the transceiver from
the list, or by selecting the “Edit Transceiver” button from the Long Range
Settings screen (Figure 4).
Figure 7
Create New Transceiver Screen
4. Reports
The Reports screen contains two pre-determined plusID Manager reports which can be
generated and run with date and user name filters. The two available reports are:
Devices
Displays specific information on every device that has been issued using the
plusID Manager application
User Accounts
Displays specific information on every user that has been enrolled using the
plusID Manager application, including each user’s issued device(s) and credential(s).
Highlight and select the desired report, apply the desired filters, then select “Generate
Report.”
Reports are launched in a pop-up window and can be viewed, exported to a delimited file, or
copied from the preview screen.
Report Filters
Reports can be filtered by various parameters depending on the selected report. For example,
a filter for the User Report would be user name.
To filter by a specific user’s name to whom a device has been issued, enter the first and/or
last name, or any portion of either name. For example, to search for Mary Jones, enter “Mary” or
“Jones” or “Mary Jones” or “Mar” or “Jon” or “M” or “J.” The more specific the search criteria, the
narrower the results will be.
To retrieve all data records, do not apply any filters. Simply leave undesired filter fields
blank.
Section III: DEVICES MENU OPTIONS
The “Devices” branch of the main menu tree is only visible when a plusID device is connected to the
plusID Manager computer via USB. To expand or collapse the “Devices” branch of the menu tree,
click the arrow to the right of “Devices.”
With a plusID device connected, the main “Device” screen will appear (Figure 1). This screen
provides a snapshot of the device(s) connected to the plusID Manager. It lists the plusID model
number, serial number and the version of the firmware (software) contained in each device. The
number listed after the plusID model number (0, 1 or 2) corresponds to an identifier that is generated
by the operating system, typically sequentially as devices are inserted.
Figure 1
Devices Screen
If more than one plusID device is connected, a separate node of the menu tree will appear for each
device (Figure 2), specifying their model numbers. Clicking on the plus/minus sign to the left of this
node expands/collapses the menu options for each device.
When a device is connected to the plusID Manager software for the first time the
“Register plusID Device” screen will appear (Figure 3). This screen registers the
device to its user as well as to the issuing organization.
Figure 3
Device Registration Screen
The device is registered to the user by either entering a new user’s first and last name, or
selecting an existing user from the database.
The device is registered (and thereby secured) to the issuing organization by issuing an
Administrator PIN to the device. The Administrator PIN is a security feature that makes plusID
devices unique to each issuing organization, and prohibits the manipulation of issued plusID devices
by outside organizations and malicious or otherwise non-authorized parties.
Each plusID device is shipped with a factory default Administrator PIN. To secure a
device to the issuing organization, the factory default PIN must be overwritten with the
organization’s Administrator PIN using the “Device Registration” screen (Figure 3).
! It is highly recommended that each organization select a single Administrator
PIN for all plusID devices. Creation of more than one PIN will result in a population
of devices having different PINs. There is no way to determine what PIN is on a device
other than by trial and error and the number of attempts is limited. This PIN should be
treated as a corporate secret and guarded in the same manner as other
keys/passwords that grant access to valuable resources. If the Administrator PIN were
ever to be compromised, issued devices would be susceptible to manipulation by
outside organizations, and the security of corporate physical and logical assets would be
placed at risk. (See Section I.6.a. under Getting Started for critical information on
Administrator PIN selection and ramifications).
2. Device Registration
When a new or reset device is connected to the plusID Manager for the first time
the “Register plusID Device” screen is displayed (Figure 3).
The three steps below must be repeated each time a new plusID device is
connected.
1. Enter the first and last name of the user (mandatory). There are 2 modes of entering
the user name, either by typing in a new user name, or selecting an existing user.
Note: This information is not stored on the user’s device. It is stored only in the
plusID Manager’s database for record keeping purposes.
If the device is being connected for the first time but a user is not being enrolled, a
placeholder first and last name can be entered to register the device, and then changed
(using the “User Info” screen) when the device is enrolled.
2. Enter the device’s factory default PIN (4321) in the Current PIN field.
Then enter the organization’s Administrator PIN in the New PIN field and confirm it
in the indicated field. This overwrites the default PIN and installs the
organization’s Administrator PIN on the device. The Administrator PIN can be from
four (4) to eight (8) letters, numbers and/or characters.
! It is imperative that the Administrator PIN be treated as a corporate secret and
guarded in the same manner as other keys/passwords that grant access to valuable
resources. There is no way to reset the Administrator PIN. If it were lost or forgotten
you will not be able to modify any previously issued devices (See Section I.6.a. under
Getting Started for critical information on Administrator PIN selection and
ramifications).
! The current (default) Administrator PIN for all new plusID devices is 4321
3. Select the Register Device button.
The Administrator PIN is requested only once per plusID Manager session, per
device. It will not be requested again during the same session, but will be required
each time a new device is connected.
3. Use of the Administrator PIN with Previously Registered Devices
When a registered device is connected to the same plusID Manager computer on
which it was registered, it will be recognized as an authorized device. The “Device Registration” screen will not be displayed. The Administrator PIN (the PIN
chosen by the Administrator’s organization, not the default PIN) will be requested
whenever a function requiring security is invoked, such as enrolling an additional
finger or loading a credential (Figure 4).
Figure 4
Admin PIN Entry
The Administrator PIN is requested only once per plusID Manager session per device. It will
not be requested again during the same session, but will be required each time a new device
is connected.
In the case of a device that has been reset, the Device Registration screen will be presented
just as with a new unregistered device. The reset device will still have the same
Administrator PIN assigned during its initial registration, not the default PIN. The
Administrator PIN is not reset when the device is reset.
24 11.08.07
Privaris plusID Manager Operators Manual V1.1
a. Incorrect PIN Entry
If the incorrect Administrator PIN or User PIN is entered, an Incorrect PIN
message is displayed (Figure 5).
Figure 5
Incorrect PIN Message
To prevent malicious attempts to access plusID devices, only nine incorrect tries are
permitted. If the correct PIN is not entered on the tenth try, the device will be
inaccessible. The number of retries remaining is shown in the Incorrect PIN message
box. In the case of the User PIN the Administrator can reset the PIN to the factory
default setting (see below).
! If the Administrator PIN is entered incorrectly ten times, the connected device
will be permanently inaccessible to the Administrator.
b. Issuing More than One Device per User
If issuing an additional or a replacement device to a user, the user information
may be retrieved from the database to ensure the accuracy of data entry. Click the
“Search for existing users” button on the “Device Registration” screen and select the
user from the list of users in the database. All of the same user information will be
associated with the new device in the plusID Manager database.
4. Device Status
Figure 6
Device Status Screen
The “Device Status” screen (Figure 6) provides a snapshot of the technical specifics
of the device that is connected, including:
Battery Status
The plusID device is powered by a rechargeable battery. The Battery Status portion of
the screen indicates whether or not the device is currently being charged, and includes a
progress bar to indicate the device’s current battery level. The further to the right the bar is,
the fuller the battery.
Note: The device is rechargeable over USB. So whenever a plusID device is connected
to the plusID Manager computer, it is being charged.
See Appendix C for battery recharging instructions.
File System Properties
File System Properties details the amount of used and available storage space on a
device. Each plusID device has 48K of available space for storing fingerprint templates,
access credentials, and any additional credentials added by the issuing organization
(requires Privaris software development kit).
Manufacturing Information
Manufacturing Information lists the device’s model number, serial number, and date
of manufacture. This information is typically only needed for customer service
inquiries.
Revision Information
Revision Information lists the version information of the hardware and software
specific to each device.
Device Properties
Device Properties lists the plusID device’s unique MAC address, which refers to a
communication channel(s) within the device. This address will only display if required for the operation of the device.
Refresh Status Button
If there has been a change to any of the device specific status information, pressing
the Refresh Status button will update the information in real time.
5. Enrollment
Enrollment is the key element of the plusID device issuance process. It is what
makes the device work for its enrolled owner and no one else. A precise enrollment is
critical for the plusID device to operate properly.
During enrollment the user’s fingerprint images are captured, encoded and securely stored as
a template on the plusID device. A typical enrollment requires three to five
fingerprint swipes. Enrollment readies the plusID for regular day-to-day use, which is called
verification. Verification is simply a fingerprint swipe in which the device compares the live
fingerprint presented to it with the fingerprint templates stored during enrollment to ensure
that only the authorized user can operate the device.
a. Enrollment Administrator Guidelines
1. Always review the “How to Swipe” instructions with each user before beginning
enrollment. It is also recommended that the 1 minute plusID video be shown to
each user before enrollment to demonstrate the proper swiping technique and
speed. (The video is linked from within the “How to Swipe” file under Help /
Fingerprint Instructions from the main menu)
2. Always enroll both thumbs to ensure that there is a backup in case of injury.
3. Always enroll the users’ primary thumb first.
4. In the event a thumb is not an option, default to the user’s index finger(s).
5. More than two thumbs/fingers can be enrolled in a single device, but doing so is
likely to result in slower verifications.
6. Remember that as an Enrollment Authority you can erase and re-enroll a user’s
fingerprint at any time.
b. Device User Guidelines
1. Fingers should be free of excessive dirt or grease but otherwise do not need to be
washed prior to enrollment.
2. The plusID device should be held with one hand - just as it will be held during
normal device use.
3. Review the “How to Swipe” instructions that follow to ensure the proper
positioning of the fingerprint relative to the sensor. The central, most feature-
rich portion of the fingerprint – not the fingertip – must be swiped over the
device’s fingerprint sensor. This is where the fingerprint pattern is
centralized and typically forms a bull's eye, U or S shape (see image
below).
How to Swipe (Device User Guidelines, cont.)
Fingerprint Sensor Instructions
Review the instructions below with each user and let them practice swiping
with their device. Not doing so will result in a poor quality enrollment and difficulty using the plusID device. (These images are also linked from the “Help” section of the plusID Manager.)
c. Enrollment Set-Up
1. Open the plusID Manager software application.
2. Hand the user their new plusID device.
3. Review the “How to Swipe” instructions with the user, letting them practice swiping
until they can do so properly and comfortably (see Section III.5.b. or the Help section
from the main menu).
4. Insert the largest end of the mini-USB cable, packaged with the plusID
device, into the computer's USB port, and the smallest end into the port at the
base of the plusID.
5. For each new device the “Device Registration” screen will appear (Figure 3).
i. Enter the user's first and last name. Employee number is optional,
but recommended. Employee number is any unique identifier, such as an official employee ID or social security number. Note: None of this
user information is stored on the device. It is stored only in the plusID Manager’s database for record keeping purposes.
ii. Each device is shipped with a default Administrator PIN of 4321.
Enter the default Administrator PIN as the “Current PIN.” Before
entering a new PIN, see the warning below. The new Administrator
PIN can be from four to eight letters, numbers and/or characters.
! It is highly recommended that each organization select a single Administrator PIN
for all plusID devices. This PIN should be selected by an Officer of the company or by
Security Personnel. The Administrator PIN should be treated as a corporate secret and
guarded in the same manner as other keys/passwords that grant access to valuable
resources. If the Administrator PIN were ever to be compromised, issued devices would
be susceptible to manipulation by outside organizations, and the security of corporate
physical and logical assets would be placed at risk. There is no way to reset the
Administrator PIN. For more information on the Administrator PIN, see #9 under
Getting Started.
d. Enroll the First Thumb
Note: Sit near the user to watch closely and ensure that they are following the
Enrollment Guidelines. An enrollment cannot be stopped once begun, but can be
easily erased and redone.
1. Always enroll the primary thumb first. Ask if the user is right or left handed.
! If the plusID will be used only for computer logon, it may be advisable to enroll the
primary index finger (in place of the thumb), assuming that the device will regularly be
positioned flat on a desk connected to a computer, as opposed to being held and
operated in-hand.
1. Select “Enrollment” from the menu tree.
2. Select the “Enroll” button from the Enrollment screen
3. To initiate enrollment, select the respective thumb from the on-screen hand
diagram.
! The device has no way of distinguishing which finger is swiped, so be certain that the
finger selected on the screen is in fact the same finger that the user is actually applying.
4. Convey the instructions from the on-screen prompts to the user.
The prompts will appear above the “Enroll” button and will specify when to
swipe a finger as well as provide feedback on the quality of the swipe. If the
software deems a swipe “invalid,” watch the user closely to ensure that they
are following the “How to Swipe” instructions and coach as necessary.
! Tell the user to swipe whenever they see a blinking green light.
A typical enrollment requires three to five swipes. The first few swipes of an
enrollment create the fingerprint template. The last swipe is a verification
swipe that confirms that the user's live print can be successfully matched to
their stored fingerprint template, and is required to complete enrollment.
Verification is indicated by a solid green light and should only take about a
second.
! Watch closely to ensure that the user is swiping properly. If the software
deems a swipe “invalid,” or if the user has difficulty verifying, go to the “Help”
section of the main menu and select “Fingerprint Instructions.” Review the “How to
Swipe” file and ensure that the user has seen the 1 minute plusID video that is
linked from step #6, which demonstrates proper swiping technique and speed. Next
review the “Troubleshooting” guidelines. Also, Appendix A of this manual
contains Expanded Troubleshooting guidelines. Modify the user’s swiping
technique accordingly, and if necessary, erase the finger (see Section 5.i.) and
re-enroll it, starting with enrollment step #3.
The plusID’s Light Behavior During Enrollment
The plusID’s solid blue light will remain on as long as the device is
connected via USB, while the other lights correspond to the on-screen prompts.
Blinking Green: Requesting a fingerprint swipe.
Solid Yellow: Sensor is processing a fingerprint swipe.
Brief Solid Green: An image has been successfully captured during
fingerprint template creation, or successfully matched during verification.
Continuous Solid Green: A successful enrollment.
Brief Solid Red, then Blinking Green: The sensor did not get sufficient information from
the fingerprint to process the swipe. This often happens if the sensor is touched before
a swipe is begun, as opposed to placing the finger and swiping in one continuous motion.
Continuous Solid Red: Enrollment failed. See “Troubleshooting”
(Appendix A, or under “Help” in the menu tree). Modify the user's swiping technique
accordingly, erase and re-enroll the finger.
5. Upon a successful enrollment, the on-screen prompt will read “Enrollment
Success,” and a rectangular fingerprint image will appear atop the enrolled
finger on the hand diagram.
! If enrollment fails, see Section 5.h.
e. Enroll the Second Thumb
Repeat the instructions from 5.c. and 5.d., with the user's secondary thumb.
f. Completing Device Issuance
With two thumbs enrolled, enrollment is complete.
To complete the plusID device issuance process, the necessary access credential(s) need
to be assigned to the device to ready it for physical and/or logical (IT) access. See
Section 7 (“Credentials: Using the plusID for Physical Access”) to assign physical access
credentials for door entry, and Section 8. (“Credentials: Using the plusID for Windows
Logon”) to assign logical access credentials for computer logon.
! If access credentials were loaded prior to enrollment, device issuance is complete.
Disconnect the plusID device from the computer and hand it to the user with the USB cable
and plusID Quick Start Guide that was enclosed in their device box.
g. Verification
Verification (the last fingerprint swipe during enrollment) confirms a user’s identity
by matching their live fingerprint to their stored fingerprint template. This is how
the device will be used on a daily basis for access to protected resources.
Verification should only take about a second and is indicated by a solid green
light.
Each user must be able to quickly and repeatedly verify. If verification was
sluggish (two seconds or more), or if verification failed, see the “Troubleshooting”
guidelines linked from the “Help” section of the plusID Manager, or Appendix A of
this manual for Expanded Troubleshooting guidelines. After reviewing these
pointers with the user, erase the finger in question and re-enroll it, starting with step #3 in
Section 5.d.
! A verification can be prompted at any time and is a quick way 1) to test the quality of an
enrollment and 2) for the user to practice using their plusID device. It is recommended
that after each enrollment the Enrollment Administrator prompt the user to verify two or
three times in addition.
To prompt a verification:
1. Select “Verify” from the Enrollment screen.
2. Select an enrolled finger from the on-screen hand diagram.
3. Follow the on-screen prompt. Just as during enrollment, the device will blink
green to request a verification (swipe), turn solid green upon a successful
verification, and solid red upon a failed verification.
h. Failed Enrollment
A typical enrollment requires three to five fingerprint swipes, though some fingerprints
will require more. The on-screen prompts will continue to request fingerprint swipes
until the device has enough data (unique features) to form a fingerprint template. If a
high enough quality fingerprint template cannot be obtained, the device will signal a solid
red light and the on-screen prompt will say “Enrollment Failed.”
This occurs most often because the user was not following the User Guidelines (3.b.
above), in particular the “How to Swipe” instructions. Carefully review the following, as
necessary, in this order:
1. “How to Swipe” instructions, linked from the “Help” section of the plusID
Manager, under Fingerprint Instructions
2. The 1 minute plusID video, to see the proper swipe technique and speed
(contained within the “How to Swipe” PDF document noted above)
3. “Troubleshooting” guidelines, linked from the “Help” section of the
plusID Manager
4. Expanded Troubleshooting Guidelines in Appendix A of this manual
Modify the user’s swiping technique accordingly, erase the finger and re-enroll it.
i. Erasing a Finger/Enrollment
This option erases the selected finger’s fingerprint template from the plusID device.
Only an enrolled finger can be erased.
If an Enrollment was successful but the user is having trouble verifying, or
verification is sluggish (two seconds or more), it is recommended that the
respective finger be erased and then re-enrolled after reviewing the “How to
Swipe” and “Troubleshooting” guidelines linked from the “Help” section of the
plusID Manager. For Expanded Troubleshooting, see Appendix A of this manual.
Note: The erase feature does not erase a device, only individual fingerprints
stored on the device one at a time. For purposes of recycling a device for reissue, use the device reset feature (see 6.b.iii) which erases all of the stored
fingerprints at once, and restores the device to its factory default settings.
To erase a finger/enrollment:
1. Select the "Remove" button from the Enrollment screen.
2. Select the respective finger from the on-screen hand diagram.
3. Select "Yes" to confirm erasure.
j. Fingerprint Augmentation
After an enrollment, the plusID device uses data from successful verifications
during regular device use to enhance the quality of the originally stored fingerprint
template(s), as necessary. This “learning” feature helps reduce potential false rejections
and ensure positive user experiences with the device.
Any swipes/verifications that expose the sensor to more surface area or new fingerprint
features, beyond what was captured during enrollment will result in the automatic
augmentation of the original fingerprint template. Up to five augmentations can occur,
per fingerprint template.
Augmentation is a “behind the scenes” feature of the plusID’s fingerprint algorithm
and is not indicated in the plusID Manager interface.
6. User Info
With each enrollment performed, the plusID Manager saves a record containing information
on the enrolled user and their device. The “User Info” option from the menu tree displays the
user portion of this record. The information displayed on the “User Info” screen (Figure 7)
pertains to the owner of the connected plusID device.
Note: This information is not stored on the user’s device. User information is stored only in
the plusID Manager database for record keeping purposes and can be accessed through
“Reports” on the menu tree.
Before a device is enrolled, the first and last name of the user to whom the device is being
issued must be entered during device registration (see 1.a.). Selecting “User Info” from the
menu tree displays this information and gives the Enrollment Administrator access to edit it
as well as provide additional user specific information, such as an employee number (unique
ID), a phone number, and comments. The maximum character limitations for each field are:
Employee name = 50 characters each field, including spaces
Employee number = 50 characters, including spaces
Contact number = 50 characters, including spaces
Comments = 8192 characters, including spaces
The first name, last name, and middle initial from this screen will always appear at the top of
the Enrollment screen when it is open to indicate whose device is connected.
Figure 7
User Info Screen
7. Credentials: Using the plusID for Physical Access
! Accessing the Credentials screen is an Administrator function that requires the
Administrator PIN. If the PIN request fails or is cancelled, the Credentials page is
disabled.
The “Credentials” option from the main menu tree (Figure 8) is used for loading
physical access credentials onto plusID devices so that the device can be used for
facility and door access. Different credentials can be assigned to each of the four
function buttons on the front of the plusID device, enabling a single device to be used
to access multiple doors, buildings and/or vehicle gates.
Figure 8
Credentials Screen
a. Overview
If the plusID device will be used in place of access cards or fobs to access
facilities and doors, a physical access credential must be loaded onto the plusID
device using the plusID Manager.
Loading (assigning) credentials is as simple as “dragging” a credential from the
list at the bottom of the Credentials Screen (Figure 8) and “dropping” it into one
of the four white squares at the top of the Credentials Screen that correspond to
each of the four function buttons on the front of a plusID device.
Multiple types of credentials can be loaded onto a single device. Additionally,
more than one credential can be assigned to a single button on the plusID,
depending on the credential format. The parameters for loading more than one
credential per button are as follows:
Prox and iCLASS = yes
Prox and long range = yes
iCLASS and Long Range = yes
Prox and Prox = no
iCLASS and iCLASS = no
Long Range and Long Range = no
Bluetooth Configuration
If Bluetooth pairing is performed for a given button, no physical access credentials may be
loaded. If pairing information is detected, the button is disabled, unable to accept credentials,
and it shows the pairing information, as shown below:
The plusID Manager software will not allow an invalid credential pairing.
Viewing credential details:
In any of the credential tab controls, or on a button control area, double-clicking a
credential launches a property window as shown below:
b. Loading Door Access Credentials onto a plusID
! Loading credentials for door access requires an additional USB port, a smart
card reader, and an idBank™ available from HID® or Privaris®.
The access credential required for door access is a card format. Card formats
are downloaded onto plusID devices via an idBank™. idBank is a smart card
containing HID Proximity, HID Indala Proximity, CASI Proximity or iCLASS
access card formats that are securely transferred to plusID devices via the plusID
Manager. idBanks are available in quantities of 25, 50, 100, 200 or 300.
! Once a card format has been loaded on to a plusID device, it cannot be moved
back onto an idBank.
! A card format that has been loaded on to a plusID device is permanently
associated with that device and can never be assigned to another device. It can
however be reloaded onto the initial device if need be (either from the Database
tab, or by reissuing from the original idBANK card).
With the device connected via USB to the Enrollment Administrator’s
computer:
1. Connect a plusID device to the plusID Manager via USB
2. Register the device if it is not already registered.
3. Connect a smart card reader to computer via USB (if not built into
computer).
4. Insert idBank in smart card reader
5. Select “Credentials” from the menu tree. The Credential Management
screen is displayed (Figure 8)
6. Select the “Card” tab under “Credentials Source.”
7. Select the appropriate smart card reader from the drop down menu.
The list of available card formats will be displayed. Previously
assigned card formats are sorted to the bottom of the list, grayed out
and the status is shown as “In Use.”
8. “Drag” an unassigned card format from the list and “drop” it in one of
the four white squares above (repeat as necessary). Each square
corresponds to one of the device’s four function buttons. A progress
bar is displayed as the credential is generated.
When credential generation is complete the card format will be shown in the
selected location (Figure 8). Different card formats can be loaded for each of the
device’s four buttons for access to multiple doors and facilities. For user
convenience, the same card format can be loaded onto multiple buttons. See
Section a. above for acceptable credential pairings.
! Inform the user what doors/buildings (i.e., card formats) are assigned to each
button so that they will know what buttons to use for daily access.
! If the device is enrolled, but not being used for long range access or computer
logon (or if a User PIN is not required for logon), device issuance is complete.
Disconnect the plusID device from the computer and hand it to the user with their
USB cable, and plusID Quick Start Guide that was enclosed in their device box.
c. Loading Long Range Credentials onto a plusID
! This option is specific to the plusID 90 model and is automatically disabled when
any other device model is connected to the plusID Manager.
! This option requires that the Long Range Settings have been defined using the Long
Range Settings screen from the main menu. See Section II.3 for instructions.
plusID 90 devices are used for long range access (i.e., at locations with a standoff setting such as a vehicle gate) and require a different type of credential than
that used for door access at close range.
The access credential for the long range devices contains the information
necessary to remotely authenticate a plusID 90 device to a transceiver and/or a
backend physical access control system. The credential contains the transceiver
key that was assigned in the Long Range Settings.
To load long range credentials:
1. Connect a plusID device to the plusID Manager via USB.
2. Select the Long Range tab under Credentials Source. (Figure 9)
3. The list of available long range transceiver credentials will be
displayed, with their type indicated: Wiegand or Managed. Each
credential is linked to a long range transceiver by the key it contains.
(Transceivers and keys are created using the Long Range Settings
screen. See Section II.3).
4. Select the transceiver with which the plusID 90 will need to
communicate. Each transceiver corresponds to an access point.
5. “Drag” the appropriate transceiver from the list and “drop” it in one of
the four white squares above (each square corresponds to one of the
device’s four function buttons). Doing so loads the transceiver’s
corresponding credential onto the plusID 90 device.
Figure 9
Loading Long Range Credentials
Managed Transceivers’ and Garage Door Transceivers’ credentials
are automatically loaded to plusID 90 devices without requiring any
additional user input.
Wiegand Transceivers’ credentials require additional information be
entered before the credential can be loaded onto a plusID 90 device
(Figure 10).
Figure 10
Wiegand Data Entry
6. Entering Wiegand Data (if necessary)
The Wiegand data is transmitted by the transceiver to the backend
physical access control system (PACS) to grant access, in the exact
same manner as an access card.
! Care should be taken to not issue the same site code and card number
to more than one plusID device. The parameters for issuance are the
same as with your existing physical access control system.
a. Select the Wiegand type. Currently only 26-bit Wiegand is
supported
b. Enter a Site (i.e., Facility) Code between 0 and 255.
If your organization is running a 26 bit format Wiegand system,
(regardless of the vendor) the exact same numbers can be used, or
new numbers can be assigned.
c. Enter a unique Card Number between 0 and 65,535
d. Select “OK.” The assigned credential will be transferred and
displayed as [site code: card number].
For access to multiple locations, repeat the process above selecting another
transceiver. If multiple transceivers were assigned the same key when the
settings were defined (see Section II.3), loading a credential for one location will
provide access to all.
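The 26-bit Wiegand data entry described above, as an added example that is not Privaris code: it packs a site code and card number into the widely used open 26-bit layout (leading even parity, 8-bit site code, 16-bit card number, trailing odd parity) and flags any pair issued to more than one device. The bit layout is an assumption, since the manual says only “26-bit Wiegand”; the function names, device serial numbers and sample records are hypothetical.

```python
from collections import defaultdict

SITE_MAX = 0xFF      # Site (facility) code range from the manual: 0 to 255
CARD_MAX = 0xFFFF    # Card number range from the manual: 0 to 65,535


def _ones(value: int) -> int:
    """Number of 1 bits in value."""
    return bin(value).count("1")


def encode_wiegand26(site_code: int, card_number: int) -> int:
    """Return the 26-bit frame: even parity | 8-bit site | 16-bit card | odd parity.

    Assumed layout (the common open 26-bit format). The parity bits only
    detect transmission errors; they do not authenticate the credential.
    """
    if not 0 <= site_code <= SITE_MAX:
        raise ValueError(f"site code {site_code} outside 0..{SITE_MAX}")
    if not 0 <= card_number <= CARD_MAX:
        raise ValueError(f"card number {card_number} outside 0..{CARD_MAX}")
    data = (site_code << 16) | card_number        # 24 data bits
    leading = _ones(data >> 12) & 1               # makes first 13 bits even
    trailing = (_ones(data & 0xFFF) & 1) ^ 1      # makes last 13 bits odd
    return (leading << 25) | (data << 1) | trailing


def decode_wiegand26(frame: int) -> tuple[int, int]:
    """Check both parity bits and return (site_code, card_number)."""
    if not 0 <= frame < (1 << 26):
        raise ValueError("frame is not 26 bits wide")
    data = (frame >> 1) & 0xFFFFFF
    if (_ones(data >> 12) + (frame >> 25)) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if (_ones(data & 0xFFF) + (frame & 1)) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return data >> 16, data & 0xFFFF


def duplicate_issuances(records):
    """Map each (site, card) pair held by more than one device to its serials.

    records: iterable of (device_serial, site_code, card_number). The same
    pair loaded twice onto one device is not a duplicate.
    """
    holders = defaultdict(set)
    for serial, site, card in records:
        encode_wiegand26(site, card)              # rejects out-of-range values
        holders[(site, card)].add(serial)
    return {pair: sorted(serials)
            for pair, serials in holders.items() if len(serials) > 1}


# Constructed sample issuance log (serial, site code, card number).
SAMPLE_ISSUANCE = [
    ("SN-0001", 12, 1001),
    ("SN-0002", 12, 1002),
    ("SN-0003", 12, 1001),   # same pair as SN-0001: should be flagged
    ("SN-0001", 12, 1001),   # same device, second button: not a duplicate
]

if __name__ == "__main__":
    frame = encode_wiegand26(12, 1001)
    print(f"[12: 1001] -> {frame:026b}")
    for pair, serials in duplicate_issuances(SAMPLE_ISSUANCE).items():
        print(f"site {pair[0]} card {pair[1]} issued to {', '.join(serials)}")
```

Running the duplicate check over the issuance records before loading a new Wiegand credential catches a reused site code and card number that the access control system would otherwise treat as the same cardholder.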
convenience, the same card format can be loaded onto multiple buttons. See
Section a. above for acceptable credential pairings.
! Inform the user what facilities/locations have been assigned to the buttons on their
device so that they will know what buttons to use for daily access.
! If the device is enrolled, but not being used for door access or computer logon (or
if a User PIN is not required for logon), device issuance is complete. Disconnect
the plusID device from the computer and hand it to the user with their USB
cable, and plusID Quick Start Guide that was enclosed in their device box.
d. Loading a Stored Credential from the Database onto a plusID
All card formats loaded by the plusID Manager are retained in the database. A
card format may be reloaded from the database onto the same
device.
1. Select the Database tab under Credentials Source.
2. Select Detail view using the icon under and to the left of the recycling
bin.
3. Choose a card format associated with the device serial number as
shown in the center column of the list.
4. “Drag and drop” it to one of the white rectangles above associated
with each of the four device buttons. A progress bar is displayed as
the credential is generated.
5. When credential generation is complete the card format will be shown
in the selected location.
e. Loading a Recycled Credential onto a plusID
Card formats moved from the device to the recycling bin are retained and can
be viewed under the Device tab. A card format that shows an “unassigned” status is still on the device and may be reassigned to any
available button.
1. Select the Device tab under Credentials Source.
2. Select Detail view using the icon under and to the left of the recycling
bin.
3. Choose a card format with an “unassigned” status
4. “Drag and drop” it to one of the white rectangles above associated
with each of the four device buttons. A progress bar is displayed as
the credential is generated.
5. When credential generation is complete the card format will be shown
in the selected location.
f. Loading a Credential from the File Tab onto a plusID
This function is only accessed if instructed by customer support personnel.
g. Loading a Demo or Practice Credential onto a plusID
The plusID Manager software enables demonstration card formats to be loaded onto a
plusID device to demonstrate interaction with a door reader and simulate physical access.
Additionally, one “Practice Code” is included that when loaded, allows logical/computer
access users to practice verifying with their plusID device without having to be connected
to a computer.
The demonstration card formats can be added to your existing physical access control
system (PACS), or used with a battery powered HID demonstration reader included in the
plusID evaluation kit from Privaris.
In normal use, card formats are loaded from an idBank (see page 7), which is a special
smart card that can be purchased from Privaris or an authorized partner, such as HID. The
smart card contains card formats that are securely transferred to plusID devices using the
plusID Manager.
To load demonstration or practice card formats onto a plusID:
1. Select “Credentials” from the main menu of the plusID Manager.
2. Select the “Demo” tab from the middle of the Credentials screen.
3. The available card formats will appear at the bottom of the screen.
4. Select a card format and “drag and drop” it into one of the four white squares at
the top of the screen that correspond to each of the device’s four function
buttons. Repeat as necessary.
! Only HID demo codes will work with battery powered HID demonstration readers.
The demonstration card formats are reusable and can be removed (dragged from a button
to the on-screen trash can) and re-loaded as many times as desired.
h. Removing a Credential
To remove a card format, or physical access credential, from a plusID device,
“drag” it from one of the white rectangles associated with the device’s four buttons and
“drop” it into the waste basket / recycle bin located in the middle, right portion of the screen.
Removed credentials become “unassigned,” and are visible from the “Devices” tab. To re-assign
the credential, simply drag and drop it to the desired button above.
8. Credentials: Using the plusID for Windows® Computer Logon*
If the plusID device will be used in place of passwords for computer logon in a Microsoft
domain environment, follow the instructions below.
With the device connected via USB to the plusID Manager application:
1. Select “Settings” from the menu tree. (See plusID Manager Operator’s Manual for
the distinction between “Settings” and “Default Device Settings” menu options.)
2. Under “User Logon Settings,” select the desired authentication mode for logon:
Biometric and PIN or Biometric Only, and press “Apply Changes.”
3. If Biometric Only is chosen, instruct the user to enter “1234” when prompted for a
PIN during logon. Skip steps 4 – 9 below. Their plusID device is now ready to be
used for logon.
4. If Biometric and PIN is chosen, select “PINs” from the menu tree.
5. Select the “User” tab. This screen sets the User PIN required for logon and stores it
on the plusID device.
6. Enter the current (default) User PIN: 1234.
! This is different from the Administrator PIN that was entered when the device was
registered.
7. Ask the user to select a new User PIN (from four to eight letters, numbers and/or
characters).
8. Allow the user access to the keyboard to privately enter their User PIN.
9. Press “Change PIN” for the new User PIN to take effect.
* Logon requires Microsoft Windows 2000 Server or later configured as a domain controller and running
Microsoft Certificate Services, and the Privaris minidriver (included with Privaris plusID Manager
software). See Appendix E for a full description of system requirements.
! If the device is going to be used for logical/IT access only, and it has already been enrolled,
disconnect the plusID device from the computer, hand it to the user along with the USB cable
and plusID Quick Start Guide that was enclosed in the device box. Device issuance is
complete. If the device is also going to be used for physical (door) access, see Section 7.
9. Settings
The “Settings” screen includes three tabs across the top for access to Device Settings, Device
Utilities, and Reset Options.
a. Device Settings
The first tab of the “Settings” screen, “Device Settings,” (Figure 11) lists the settings that
will be applied to the plusID device connected to the plusID Manager software. Unless
changed, these settings will be the same as the “Default Device Settings.” Changing
these settings overrides the Default Device Settings only for the device that is connected.
Figure 11. Device Settings Screen
Note: The default settings for all enrolled devices can be changed at any time by
selecting the “Default Device Settings” option under “plusID Manager” from the main
menu tree.
To change the settings for an individual plusID device, select “Settings” from the
main menu tree, select the new settings, then select “Apply Changes” for the settings to
take effect.
The “Get Defaults” button resets the settings to their original values (per the “Default
Device Settings” values). To reinstate the default setting values on the device, select “Get
Defaults” then select “Apply Changes.”
The “Refresh” button cancels any changes made before “Apply Changes” is
selected.
Following are descriptions of the individual setting options.
i. Timeout Settings
Pre-Verification Period
The Pre-Verification Period timeout setting determines 1) how long the device will
attempt to match a fingerprint before failing a verification attempt and 2) how long
the device will wait for a verification (fingerprint swipe) before powering off.
The timeout can be set from 5 to 255 seconds. The default setting is 10 seconds.
Note: This setting only applies to verifications performed after enrollment, during
normal device usage, and when the device is not connected to a computer.
Post-Verification Period
The Post-Verification Period timeout setting determines how long the device’s
credentials will remain active after a successful verification. The device is
active for as long as its green light is on, post-verification.
The timeout can be set from 5 to 255 seconds. The default setting is 10 seconds.
! The longer the post-verification timeout setting, the greater the demand on the
device’s battery, which may reduce the average number of verifications available
per charge.
ii. Security Settings
Fingerprint Matching Level
The plusID device has three configurable security settings: High, Medium,
and Low. Each setting corresponds to an associated fingerprint matching level,
or False Acceptance Rate (FAR).
Every biometric system has an associated FAR. An FAR is the percentage
of unauthorized users that the device will incorrectly match to a valid user’s
stored fingerprint template. Below are the FARs that can be set in the plusID
device:
Security Setting        False Acceptance Rate (FAR)
High (More Strict)      1 in 100,000 (.001%)
Medium (Default)        1 in 10,000 (.01%)
Low (Less Strict)       1 in 1,000 (.1%)
The low security setting may match (verify) a fingerprint faster than the
high security setting, but will allow a higher number of false acceptances, and
vice versa.
The recommended, and default security setting for the plusID device is
high.
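Added example (not part of the Privaris manual or the plusID Manager software): the sketch below takes the three FAR values from the table above and works out how the chance of at least one false acceptance grows with the number of different unauthorized people who try a device and with the number of enrolled templates. It assumes independent trials and that the quoted FAR applies to each stored template separately; neither assumption is stated in the manual, and all function names are illustrative.

```python
import math

# FAR per security setting, exactly as listed in the manual's table.
FAR_BY_SETTING = {
    "High": 1 / 100_000,   # .001%
    "Medium": 1 / 10_000,  # .01%
    "Low": 1 / 1_000,      # .1%
}


def _check(far, templates):
    if not 0.0 < far < 1.0:
        raise ValueError("far must be strictly between 0 and 1")
    if templates < 1:
        raise ValueError("templates must be at least 1")


def per_person_far(far, templates=1):
    """Chance that one unauthorized person matches at least one stored template.

    Assumption (not from the manual): the quoted FAR applies to each template
    comparison and the comparisons are independent.
    """
    _check(far, templates)
    # log1p/expm1 keep precision when far is as small as 1e-5.
    return -math.expm1(templates * math.log1p(-far))


def cumulative_acceptance(far, people, templates=1):
    """Chance that at least one of `people` different unauthorized users is accepted."""
    _check(far, templates)
    if people < 0:
        raise ValueError("people must not be negative")
    return -math.expm1(people * templates * math.log1p(-far))


def people_for_risk(far, risk, templates=1):
    """Smallest number of unauthorized users at which the chance of at least
    one false acceptance reaches `risk` (for example 0.5 for even odds)."""
    _check(far, templates)
    if not 0.0 < risk < 1.0:
        raise ValueError("risk must be strictly between 0 and 1")
    return math.ceil(math.log1p(-risk) / (templates * math.log1p(-far)))


def exposure_table(people, templates=1):
    """Cumulative false-acceptance chance for every security setting."""
    return {
        name: cumulative_acceptance(far, people, templates)
        for name, far in FAR_BY_SETTING.items()
    }


if __name__ == "__main__":
    # Constructed scenario: 1,000 different unauthorized people each try once.
    for templates in (1, 2):
        print(f"enrolled templates: {templates}")
        for name, chance in exposure_table(1000, templates).items():
            even_odds = people_for_risk(FAR_BY_SETTING[name], 0.5, templates)
            print(f"  {name:<6} chance after 1,000 people: {chance:.4%}; "
                  f"even odds after {even_odds} people")
```
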
iii. User Logon Settings
Authentication Mode
The Authentication Mode selection sets the security level required when using
the plusID device for computer logon (post-enrollment). If the device is not
being used for logon, this setting can be left at its default value.
There are two options:
Biometric and PIN
Requires a personal identification number (PIN) and a biometric
verification (using the plusID device). Note: If this option is selected, a
User PIN must be assigned (see Section 8 for more information).
Biometric Only
This option still requires that a placeholder personal identification number
(PIN) be entered, in addition to a biometric verification, but any four
random numbers/letters/characters can be entered, as opposed to requiring
the same user-defined PIN each time (as above).
The first option is a three-factor security solution: something the user has (the
plusID device), something they know (a PIN) and something they are (their
fingerprint).
The second option is a two-factor security solution: something the user has (the
plusID device) and something they are (their fingerprint).
The default value is the highest security level, Biometric and PIN.
b. Device Utilities
The second tab of the “Settings” screen, “Device Utilities,” (Figure 12) enables
the updating of a plusID device as well as the extraction of the device’s log file and
security certificate. The functions on the Device Utilities tab apply only to the plusID
device that is connected to the plusID Manager software.
Figure 12. Device Utilities Screen
Following are descriptions of the individual functions on the Device Utilities screen:
i. Extract Certificate File
Each plusID device contains a unique security certificate. The
certificate is a unique identifier for the device. In the event a security
operation needs to be performed in which the device needs to be uniquely
identified, the certificate can be extracted (as a file) and saved for transfer by
selecting the “Extract Certificate File” button.
ii. Extract Device Log
Each plusID device maintains a running log of device activity that
documents the internal workings of the device. This log file can be
extracted by selecting “Extract Device Log” and specifying where to
save the file.
The log only needs to be extracted if Customer Service requests it
in order to diagnose a problem. The device log
is made up of engineering code that is only decipherable by engineers.
iii. Device Firmware
Firmware is the software that is embedded within the plusID device.
The device firmware function enables the updating of firmware on a
plusID device. This function is only necessary if you have received
updated device firmware from Privaris.
! A firmware upgrade does not erase or reset the device and has no
impact on any of the information that is stored on the device (i.e.,
device settings, fingerprint templates, Administrator PIN, credentials,
etc.)
If a firmware upgrade is required for compatibility with the plusID Manager
software, it will automatically be triggered by the application, as shown
below:
After a firmware upgrade is initiated, the device reboots and displays a dialog that guides the
upgrade process, shown below:
By default, the plusID Manager software ships with the most up-to-date version of
firmware. Unless instructed otherwise by customer support, simply start the upgrade
process with this image. Alternately, you may select the “Browse…” option.
Press the “Start Device Upgrade Process” to initiate the upgrade. The new firmware will be
downloaded onto the connected device. During the download, the device’s lights will cycle
green, red, yellow and blue.
When the upgrade is complete a confirmation message will appear.
! Do not unplug the device from the computer until the cycling lights
stop and a device upgrade confirmation message is received.
c. Device Reset
The third tab of the “Settings” screen, “Device Reset,” (Figure 13) enables all or portions
of the information stored on the device to be erased and reset. The options on the Device
Reset screen apply only to the plusID device that is presently connected to the plusID
Manager software.
Check the boxes next to the appropriate reset option(s) and then select the “Apply Reset”
button to implement the changes. All four lights on the device will flash concurrently
while the device reboots to implement the changes.
Figure 13. Device Reset Options Tab
The reset options are:
Change Device Manager
Each device can have only one administrative authority, or device manager. The
“Change Device Manager” option disassociates the device from its original administrative
authority (i.e., workstation running the plusID Manager software) and enables it to be
re-registered and administered on another, or the same, workstation running the plusID
Manager software.
Selecting this option will require the device to be re-registered.
! Once the “Change Device Manager” option is implemented, and until the device is
re-registered on another workstation within the same organization, the device is susceptible
to being administered and manipulated by any other organization with plusID Manager
software. However, once it is re-registered, it cannot be updated on any other
computer running the plusID Manager software (even within the same organization).
Erase All Credentials
This option erases all credential files stored on the device, which includes physical access
card formats used for entering doors and facilities, and any logical access credentials
required for computer logon.
Erase All Fingerprint Templates
This option erases all fingerprint templates that were enrolled in the device.
Reset User PIN to Default
This option reverts the Personal Identification Number (PIN) that the device’s user
defined, and that is required in addition to the plusID device for logging onto their computer,
back to the system default of 1234.
Reset User Application Data
This option erases third party software information that has been stored on the device, for
example the minidriver that may be resident to enable computer logon. This command
does not erase user data from applications that are not registered with the plusID
Manager.
Reset to Factory Defaults (button in bottom left of screen)
Selecting the “Reset to Factory Defaults” option will destroy all access credentials
and fingerprint templates, reset both PINs (Administrative and User), and revert the device
to its original factory-default state. This is the only function that eliminates all user data
stored on the device.
This operation will erase all access credentials from the device. If the credentials exist in
the plusID Manager’s database, they can be reloaded to the same device. If there is no
backup, the credential is permanently lost.
10. PINs
The PIN Management Screen enables the Administrator and User PINs to be changed
and the User PIN (only) to be reset.
a. Changing the Administrator PIN
The Administrator PIN can be changed, but it cannot be reset if lost or forgotten.
! Once set, it is strongly recommended that the Administrator PIN not be changed without a compelling reason.
Creating more than one PIN results in a population of devices with different PINs
and significantly increases the odds of being locked out of one or more devices.
There is no way to determine what PIN is on a device other than by trial and
error (with a limited number of attempts).
To change the Administrator PIN:
1. Select “PINs” from the main menu tree. The PIN Management screen will
be displayed.
2. Select the “Administrator” tab at the top of the dialog box
3. Enter the default Administrator PIN in the Current PIN field:
! The factory default Administrator PIN for all new plusID devices is 4321
4. Enter the organization’s new Administrator PIN twice, in the indicated
fields. The PIN can be from four to eight letters, numbers and/or characters in
length.
5. Select “Change PIN.”
Changing the PIN overwrites the previous Administrator PIN. This new PIN will
now be downloaded onto all future enrolled devices. The computer on which the
Administrator PIN was changed will no longer be able to communicate with
previously enrolled devices (with the previous Administrator PIN).
b. User PIN
The User PIN is used for Windows login* or other smart card functions,
post-enrollment. Each plusID device is shipped with a factory default User PIN
(separate from the Administrator PIN). If the device is not to be used for smart
card functions it is not necessary to change the User PIN.
For more information on using the plusID device for computer logon, see Section
8, “Credentials: Using the plusID for Windows Computer Logon.”
* Logon requires Microsoft Windows 2000 Server or later configured as a domain controller and
running Microsoft Certificate Services, and the Privaris minidriver (included with Privaris plusID
Manager software). See Appendix E for a full description of system requirements.
c. Changing the User PIN
To change the User PIN on the device from the factory default:
1. Select “PINs” from the main menu tree. The PIN Management screen will be
displayed (Figure 14).
2. Select the “User” tab at the top of the dialog box
3. Enter the default User PIN in the Current PIN field:
! The factory default User PIN for all new plusID devices is 1234
4. Ask the user to select a new User PIN, from four (4) to eight (8) letters,
numbers and/or characters.
5. Allow the user access to the keyboard to privately enter their User PIN.
6. Select “Change PIN.”
! For security purposes the Enrollment Administrator should not know the User
PIN. Should the user forget their PIN, the Enrollment Authority can reset it to
a default value without having the original User PIN.
d. Resetting the User PIN
Unlike the Administrative PIN on the device, the User PIN can be reset to its
factory default value in the event a user forgets their logon/User PIN. To reset the
User PIN:
1. Select “PINs” from the main menu tree.
2. Select the “User” tab.
3. Select “Reset PIN.”
4. Enter the Administrator PIN.
5. The User PIN will be reset to its original default value: 1234.
Figure 14. User PIN Screen
Section IV: HELP
The “Help” branch of the main menu tree contains documentation for quick reference in lieu of
referring to hard copies. There are three main categories of documentation. Click the “plus” arrow
next to each category to see the expanded list of files contained therein.
Training Tool: A one minute plusID video that demonstrates proper swiping technique and speed is
embedded in the “How to Swipe” PDF contained in the “Help” section. Open the file and click on the
arrow in #6 to start the video.
The Help categories and documentation files include:
• Make sure that the user is holding the device with only one hand, or as it was held during
enrollment
• Wipe off any excess dirt or grease from finger using a tissue or article of clothing
Troubleshooting Level 2
Review the following list of common swipe sensor errors and correct the user’s
behavior(s) accordingly.
Common Errors
• Accidentally touching the sensor before beginning to swipe
Do not place or rest the finger on the sensor before swiping; doing so triggers the device’s red light. Place
finger on sensor and swipe in one continuous motion.
• Bending the finger during a swipe
Always keep thumb flat and level with the device while swiping. Even a slightly bent
finger lifts the central, most feature-rich portion of the fingerprint off of the sensor and
exposes the fingertip (the least feature-rich portion of the print).
• Not following through
Do not stop swiping until the fingerprint sensor is clearly visible above the thumb.
• Pressing too hard
Do not squeeze the device. Use medium pressure. On a scale of 1 to 5, with 1 being very
light and 5 being hard, pressure should equal about a 3.
• Not pressing hard enough
Lightly dragging thumb over the sensor is not sufficient for the sensor to see the print.
The finger must make solid contact, which requires medium pressure. On a scale of 1 to
5, with 1 being very light and 5 being hard, pressure should equal about a 3.
• Starting a swipe too high or too low
With thumb hovering over the top of the sensor, align the first knuckle with the sensor as the
starting point for swiping. This exposes only the central and most feature-rich portion of
the fingerprint to the sensor during a swipe.
• Swiping too fast or too slow
Use a moderate, steady speed. Swiping too fast or too slow prevents the sensor from
collecting the necessary data for processing.
• Keep thumb level while swiping, do not tilt or rock thumb to the left or right.
Helpful Tip: Show the user the one minute plusID video that demonstrates proper swiping technique
and speed. It can be found in the “Help” section of the plusID Manager, under “Fingerprint
Instructions.” Open the “How to Swipe” file and click on the arrow in #6 to start the video.
Troubleshooting Level 3
Approximately 10% of all users have a fingerprint that is not centrally located, so the area
that is swiped over the sensor is not very feature-rich and results in a low quality fingerprint
template:
• Examine the user’s fingerprint in bright light to determine if its pattern
(typically a bull’s eye, U shape, or S shape) is off-center and closer to the left
or right side of their finger.
• If their print is off-center, coach the user to roll their finger to the left or right
accordingly when swiping such that the main pattern of their fingerprint is fully
exposed to the sensor. They will always have to use the same swiping
technique (during enrollment and day-to-day device use).
Troubleshooting Level 4
If enrollment of the thumbs is still failing or verification is sluggish, try enrolling other
fingers, starting with the primary index finger. If index fingers cannot be enrolled,
attempt to enroll any other finger, with the goal of having any two fingers enrolled,
one as a primary and one as a back-up.
The device is designed for thumbs so that it can be operated with one hand, but any finger
can technically be enrolled.
Troubleshooting Level 5
Approximately 1% of the population is unable to use fingerprint biometric
technologies. If enrollment and verification are failing for all fingers after trying
Troubleshooting steps 1 - 5, then the user should be issued a non-biometric means for
access.
Appendix B
Overview of plusID Device Light Behavior
The plusID device has four indicator lights: green (top left), yellow (bottom left), red (top right), and
blue (bottom right).
Green, Yellow, Red and Blue…appear all at once for an instant.
The device is powering on.
Green, Yellow, Red and Blue…blink four times
The device is powering off.
Green, Yellow, Red and Blue….then solid red and device powers off
Indicates a non-enrolled device. If the device is enrolled, it indicates a function button that
has not been programmed with an access credential.
Blinking Green
The device is requesting a verification (fingerprint swipe).
Solid Yellow
The fingerprint sensor is processing a verification (fingerprint swipe).
Solid Green
Any successful fingerprint operation. During verification, solid green indicates a successful
fingerprint match. During enrollment, solid green indicates a completed enrollment.
Solid Red
A failed fingerprint operation or a dead battery. During verification, solid red indicates that
the device cannot match the live fingerprint placed on the sensor with the authorized users’
stored fingerprint template. During enrollment, solid red indicates that the device was not
able to capture enough data to successfully complete enrollment.
A solid red light after powering on the device, followed by the device automatically shutting
off, indicates that the battery has been depleted and needs to be recharged immediately.
Brief solid red…then blinking Green
During enrollment, the sensor did not get sufficient information from the fingerprint to
process the swipe. This often happens if the sensor is touched before a swipe is begun, as
opposed to placing the finger and swiping in one continuous motion. When the device blinks
green, try again.
Blinking Yellow
When disconnected from a computer, blinking yellow indicates a low battery (below 15%).
The device needs to be recharged. When connected to a computer, blinking yellow indicates that a
device with a low battery (below 15%) is being recharged. The blinking yellow will turn off
when the battery is fully charged.
Blinking Red
Battery level is critically low (below 8%). Recharge device immediately.
Blinking Blue
Indicates device is connected via USB to a power source other than a computer (a wall or car
outlet). If connected to a computer, a brief blinking blue light indicates device is attempting
to establish a connection. A continuously blinking blue light when connected to a computer
indicates a USB driver problem.
Solid Blue
Indicates that device has successfully established a connection to a computer via USB. The
blue light will stay on as long as the device is connected.
Cycling Green, Red, Yellow, and Blue
The device’s software is being upgraded. Wait until the cycling stops before turning off or
unplugging the device from your computer.
Appendix C
plusID Battery Recharge Instructions
The plusID device is powered by a rechargeable battery. A single battery charge is good for approximately
1,000 uses/verifications. plusID models that include an LCD have a battery charge indicator (0 - 3 bars).
How to Charge
Connecting to a computer is the preferred method of charging. Insert the smallest end of
the mini-USB cable (packaged with device) into the base of the plusID and the largest
end into the computer’s USB port.
! A high power USB port is required for charging. Some hub and keyboard USB ports are
incapable of charging plusID devices.
plusID can also be charged with some wall outlet or car chargers that have a mini-USB
connector output. Contact Privaris for a list of approved chargers. Using an unapproved
charger can cause permanent damage and void the warranty of a plusID device.
How Long to Charge
A blinking yellow light indicates a low battery and a blinking red light indicates a critically low
battery. Both require a recharge of approximately 90 minutes. The yellow light blinks while
charging and turns off to indicate a full charge. If the battery is fully depleted, it may need
recharging for two hours or more and may not power on during the first 20 – 30 minutes.
If the battery is too low for the device to function properly, it may simply not power on, or it may turn on,
display a solid red light and then immediately power off. In this state, a recharge of two hours or more
may be required and the device may not exhibit any signs of life for the first 20 – 30 minutes of charging.
Note: A dead battery has no effect on the data that is stored on the plusID device.
Appendix D
plusID Button Operation
The plusID has four function buttons on the face of the device that during enrollment can be
programmed with physical access credentials (card formats) for various doors and facilities.
Power On
Press any button that is programmed with an access credential. All four lights will appear for an
instant and then blink green to request a verification (fingerprint swipe). If a solid red light
appears instead of a blinking green light, the button does not have an associated access credential.
Restart
With the device powered on, pressing any other button with an access credential will restart the
device.
Power Off
Press the same button used to turn on the device, or any button without an access credential. All
four lights will blink four times as the device powers off. The device will turn off automatically
after a pre-determined number of seconds (as configured under “Default Device Settings” in the
plusID Manager).
Appendix E
Using plusID Devices for Logon in a Microsoft® Domain Environment
Introduction
plusID biometric devices can be used to log users onto a domain, via two- or three-factor
authentication. The plusID device is ISO 7816 Part 3 smart card compliant, and as such enumerates
itself to a computer exactly like a smart card, allowing for rapid enterprise integration of plusID
devices across Microsoft® systems that support smart cards.
System requirements
The following are the smart card related system requirements for deploying Privaris plusID biometric
devices into a Microsoft® environment for user authentication/logon:
1. Microsoft Windows domain environment
Microsoft Windows 2000 Server, and later, natively support smart card authentication as a means
of logging users onto a domain environment. In a domain environment, users and their access
permissions are stored and managed in a central location, referred to as the Active Directory.
Once a server is configured to act as a domain controller, smart card authentication via
plusID biometric devices is automatically enabled on all client machines that are a member of
the domain. For details on server configuration, see “Additional Information” below.
2. Microsoft certificate services
Smart card authentication relies on the public key infrastructure (PKI) to authenticate
users to the domain. The Microsoft Certificate Services are the server component that
provides the infrastructure to support PKI and is responsible for issuing credentials
(certificates) that can be used for a variety of purposes, including secure email and user
authentication.
In security-conscious environments, these credentials are stored on a secure device such as the
Privaris plusID so that they may not be tampered with or used without authorization. The
Microsoft Certificate Services include a web-based interface through which an administrator can
generate credentials for a user and securely store them on the user’s plusID. For details on
downloading certificates, see “Additional Information” below.
3. USB port
The plusID device connects to the client machine using the Universal Serial Bus (USB). Each
client machine must have at least one USB port available in order to connect to the device. The
plusID device works with both high-power and low-power USB ports, though a high-power port
is recommended in order to recharge the plusID’s internal battery.
4. Device Driver Software
Client machines must be configured before they are able to make use of a plusID. This
includes the installation of device driver software, which consists of a CCID driver and a
plusID device minidriver. The CCID driver is a standard driver provided by Microsoft for
working with smart card devices such as the plusID and can be obtained via Windows
Update when the plusID is first connected to the client. The device minidriver is a small
software library provided by Privaris that allows Windows to interact with the plusID. The
minidriver is included on the same CD-ROM as “plusID Manager” (the device enrollment and
configuration software) and must be installed on each client machine.
How plusID Interfaces with Microsoft’s Smart Card Architecture for Logon
[Figure: layered block diagram of the Microsoft Windows Smart Card Architecture. Blocks, in the order shown: WINLOGON; Smart Card Base CSP; Smart Card Minidriver; PC/SC Smart Card Resource Manager (SCRM) (WinSCard); Chip Card Interface Driver (CCID). Legend: red blocks are supplied by Privaris, yellow blocks are Microsoft software, white blocks are hardware.]
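The client-side layers named in this section (Resource Manager, reader driver, minidriver registered under the Base CSP) can be checked on a client machine with a short script. This is an added example, not part of the Privaris manual or software; the minidriver DLL name is a placeholder because the manual does not give it, and its location in System32 is an assumption.

```powershell
# Added example (not from the manual): readiness check for the client-side
# smart card stack: Resource Manager service, reader driver, minidriver.
param(
    # Placeholder: the manual does not give the minidriver's DLL file name.
    [string]$MinidriverDll = 'REPLACE-WITH-MINIDRIVER.dll'
)

$checks = [ordered]@{}

# PC/SC Smart Card Resource Manager (WinSCard) runs as the SCardSvr service.
$svc = Get-Service -Name 'SCardSvr' -ErrorAction SilentlyContinue
$checks['Resource Manager (SCardSvr) running'] = [bool]($svc -and $svc.Status -eq 'Running')

# A present device in the SmartCardReader class means a reader driver (such as
# the CCID class driver) is bound. Get-PnpDevice needs Windows 8 / Server 2012+.
$readers = @(Get-PnpDevice -Class 'SmartCardReader' -PresentOnly -ErrorAction SilentlyContinue)
$checks['Smart card reader present'] = ($readers.Count -gt 0)

# Minidrivers register per card type under Calais\SmartCards; value 80000001
# names the minidriver DLL and 'Crypto Provider' names the CSP that loads it.
$calais = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'
$entries = @(Get-ChildItem -Path $calais -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{ Card = $_.PSChildName; Csp = $p.'Crypto Provider'; Dll = $p.'80000001' }
})
$mine = @($entries | Where-Object { $_.Dll -and ((Split-Path -Leaf $_.Dll) -ieq $MinidriverDll) })
$checks['Minidriver registered'] = ($mine.Count -gt 0)
$baseCsp = 'Microsoft Base Smart Card Crypto Provider'
$checks['Registered under Base CSP'] = ($mine.Count -gt 0 -and @($mine | Where-Object { $_.Csp -ne $baseCsp }).Count -eq 0)

# The minidriver sits in the logon path shown in the figure, so confirm the
# file on disk carries a valid Authenticode signature (System32 path assumed).
$dllPath = Join-Path $env:SystemRoot "System32\$MinidriverDll"
$sig = if (Test-Path $dllPath) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }
$checks['Minidriver DLL signature valid'] = [bool]($sig -and $sig.Status -eq 'Valid')

# One row per check so the output can be collected across client machines.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
}
```

With a device connected, `certutil -scinfo` then exercises the whole stack end to end and lists the certificates it can read.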
Additional information
Microsoft’s “Smart Card Deployment Cookbook” is an excellent resource covering all aspects of
smart card deployment, from general information to detailed installation and configuration
information. It can be accessed online at:
READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT (“AGREEMENT”)
CAREFULLY BEFORE SELECTING THE “I ACCEPT” BUTTON BELOW. THE SOFTWARE
APPLICATIONS AND THE ACCOMPANYING USER DOCUMENTATION CONTAINED ON THIS
MEDIA ARE COPYRIGHTED AND ARE LICENSED (NOT SOLD) TO YOU IN ACCORDANCE WITH
THE TERMS OF THIS AGREEMENT. BY SELECTING THE “I ACCEPT” BUTTON BELOW, YOU
MANIFEST YOUR ASSENT TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT
ASSENT TO BE BOUND BY THE TERMS OF THIS AGREEMENT, THEN YOU MUST SELECT THE “I
DO NOT ACCEPT” BUTTON BELOW AND PROMPTLY RETURN THIS MEDIA, IN UNALTERED
FORM, AND YOU WILL RECEIVE A REFUND OF YOUR MONEY.
1. Generally. This Agreement represents the entire agreement between you, the end user
(either in your individual capacity or as an authorized agent of an otherwise legally-recognized organization),
and Privaris, Inc. (“Licensor”) relating to the software that is made available to you on this media by Licensor
and intended for installation on certain hardware product(s) (“Hardware”) sold to you by Licensor or its
authorized resellers and/or authorized licensees, as well as all documentation related thereto (collectively, the
“Software”). This Agreement supersedes any prior proposal, representation, or understanding between you and
Licensor related to the Software. This is a legally-binding agreement and governs the conditions under which
you and/or your organization may use the Software.
2. Term. This Agreement is effective on your selecting the “I Accept” button below and
shall continue until terminated as set forth in this Agreement. You may terminate this Agreement at any time by
uninstalling the Software and returning the Software and all copies of the Software to Licensor. Licensor may
terminate this Agreement on the breach by you of any term of this Agreement, including without limitation your
failure to pay any applicable fees described in this Agreement. On any such termination, you shall uninstall the
Software and return to Licensor the Software and all copies of the Software.
3. Grant of Licenses. Licensor grants you the personal, nontransferable, nonsublicensable
and nonexclusive right and license to install and execute the Software (in its executable, object-code form only)
on the Hardware for the sole purpose of serving your personal needs or the internal needs of your business. You
shall not assign, sublicense, transfer, pledge, lease, rent, or share your rights under this Agreement, whether by
contract, operation or law or otherwise. Any use, copying, or distribution of the Software not expressly
authorized by this Agreement shall automatically terminate your right and license hereunder. This grant shall be
limited to use of the Software with the Hardware in accordance with the terms of this Agreement.
4. Trade Secret Protection. The Software contains substantial trade secrets of Licensor, and you shall employ
reasonable security precautions to maintain the confidentiality of such trade secrets. You shall not "unlock,"
decompile, or reverse-assemble the binary or object code portions or versions of the Software, as the terms are
generally used in the computer industry.
5. Fees. The fees for the use of the Software in accordance with this Agreement consist of
the periodic license fees that are based on the number of devices purchased by you as such periodic license fees
may be modified from time to time by Licensor. The dollar amount of such fees and the terms of payment are
specified in the product invoice separately furnished to you. You shall pay such fees to Licensor in accordance
with the terms of such product invoice.
6. Limited Warranty. Licensor warrants that the Software will, for a period of one (1) year
following its delivery to you, be in good working order and will conform in all material respects to Licensor's
published specifications. Licensor does not warrant that the operation of the Software will be uninterrupted or
error-free, or that the functionality of the Software will meet your individualized requirements. The foregoing
warranty does not cover repair for damages, malfunctions, or service failures caused by (1) actions of any non-Licensor personnel, (2) your failure to follow Licensor's installation, operation, or maintenance instructions, (3)
attachment to or incorporation in the Software of non-Licensor products not supported or otherwise authorized
by Licensor, or (4) any factor beyond Licensor's control, including fire, explosion, lightning, pest damage,
power surges or failures, strikes or labor disputes, water, acts of God, the elements, war, terrorism, civil
disturbances, acts of civil or military authorities or the public enemy, transportation facilities, fuel or energy
shortages, or acts or omissions of communications carriers.
EXCEPT FOR THE WARRANTIES SET FORTH IN THIS SECTION 6, THE SOFTWARE IS LICENSED
"AS IS," AND LICENSOR DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, QUALITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, OR
INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR OF NON-INFRINGEMENT.
YOUR SOLE REMEDY AGAINST LICENSOR, ITS AFFILIATES, SUBCONTRACTORS, AND
REPRESENTATIVES FOR LOSS OR DAMAGE CAUSED BY ANY FAILURE OF THE SOFTWARE TO
OPERATE IN CONFORMITY WITH THIS WARRANTY, REGARDLESS OF THE FORM OF ACTION,
WHETHER IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, STRICT LIABILITY OR
OTHERWISE, SHALL BE (1) THE REPAIR OR REPLACEMENT OF THE SOFTWARE, PROVIDED
THAT SUCH SOFTWARE IS RETURNED IN ACCORDANCE WITH THE CONDITIONS PROVIDED
HEREIN OR (2) IF SUCH REPAIR CANNOT BE MADE OR AN EQUIVALENT REPLACEMENT
CANNOT BE PROVIDED, THE REFUND OF AMOUNTS PREVIOUSLY PAID BY YOU BETWEEN
DISCOVERY OF THE FAILURE OF THE SOFTWARE TO OPERATE IN CONFORMITY WITH THIS
WARRANTY AND THE RETURN OF THE SOFTWARE AS REQUIRED BY THIS AGREEMENT.
7. Limitations on Liability. IN NO EVENT SHALL LICENSOR BE LIABLE FOR
INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR FOR LOST
PROFITS, SAVINGS, OR REVENUES OF ANY KIND, OR FOR LOST DATA OR
DOWNTIME, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. THE CUMULATIVE LIABILITY OF LICENSOR TO
YOUR ORGANIZATION FOR ALL CLAIMS RELATING TO THE SOFTWARE OR THIS
AGREEMENT, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT
OR TORT, INCLUDING NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, SHALL
NOT EXCEED THE TOTAL AMOUNT OF ALL FEES PAID TO LICENSOR HEREUNDER.
8. Miscellaneous. The provisions of Sections 4, 6, 7 and this Section 8 shall continue to
apply in accordance with their terms, notwithstanding the termination of this Agreement.
References to "your organization" or "you" herein, for purposes of establishing the permitted use of the
Software, shall include the operations of any direct or indirect parent or subsidiary company or of any direct or
indirect subsidiary company of any such parent company. This Agreement and the rights and obligations of the
parties with respect to the Software shall be governed by Virginia law, as it applies to a contract negotiated,
executed, and performed in that state and without giving effect to principles of conflicts of law. Any legal action
or proceeding arising under this Agreement shall only be initiated in the courts of the Commonwealth of
Virginia. Execution and delivery of this Agreement by the parties indicates their intent to submit their disputes,
their persons and their property, generally and unconditionally, to the jurisdiction of such courts. Venue shall be
proper in any such court. If any action is brought by either party to this Agreement against the other party
regarding the subject matter of this Agreement, the prevailing party shall be entitled to recover, in addition to
any other relief granted, reasonable attorney fees and expenses of litigation.
YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT AND
UNDERSTAND THIS AGREEMENT AND THAT BY OPENING THIS PACKAGE,
YOU MANIFEST YOUR ASSENT TO BE BOUND BY ITS TERMS AND CONDITIONS.
[ ] I ACCEPT
[ ] I DO NOT ACCEPT
This product includes software developed by XHEO INC (http://www.xheo.com).
(c) 2000 - 2007 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The Privaris plusID device complies with part 15 of the FCC Rules. Operation is subject to the following two
conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference
received, including interference that may cause undesired operation.
Changes or modifications not expressly approved by the party responsible for compliance could void
the user’s authority to operate the equipment.
NOTE: The manufacturer is not responsible for any radio or TV interference caused by unauthorized
modifications to this equipment. Such modifications could void the user’s authority to operate the
equipment.