Setting Master Admin
The Master Admin feature is designed to enhance device security by strengthening overall administrator privileges and preventing unauthorized access and configuration changes. With this feature, you must register a Master Admin on the new device, and only registered Master Admins can access the administrator menu and change device settings.
The Master Admin feature is available only on Suprema products that provide a user interface via an LCD screen.
- This feature is an essential policy to enhance device security.
- The Master Admin cannot be deleted directly; it is deleted only through a factory reset.
Master Admin
Supported Products for Master Admin
The following products support the Master Admin feature:
- BioStation 3: Firmware v1.4.0 or later
- BioStation 2a: Firmware v1.2.0 or later
- BioLite N2: Firmware v1.7.0 or later
- X-Station 2: Firmware v1.4.0 or later
Registering Master Admin in BioStar 2
When you boot a new device for the first time after connecting it, the Master Admin registration screen appears. A Master Admin must be registered on the new device; if none is registered, use of the device is restricted.
You can register and manage Master Admin in BioStar 2 without registering Master Admin on new devices.
- The Master Admin feature is supported from BioStar 2 v2.9.11 onwards.
- For existing devices with upgraded firmware, the Master Admin menu does not appear in BioStar 2 device settings.
Existing devices upgraded via firmware do not provide Master Admin settings, but you can enhance administrator security by enabling the Two-step Authentication option. For Two-step Authentication settings, refer to the following.
- To register Master Admin in BioStar 2, go to the Device menu, click the desired device, and enter the device detail page.
- In the Advanced → Administrator → Master Admin menu, select and enroll two types of desired credentials.

Credentials that can be enrolled for Master Admin are as follows:

| Credential Type | Max Quantity | Details |
|---|---|---|
| Card | Up to 4 | Supports CSN and Wiegand type only; No duplicate enrollment within the same type |
| Face | Up to 2 | Available only on devices with the same algorithm |
| Fingerprint | Up to 2 | - |
| PIN | 1 | Minimum 8 digits |

Enrollment Conditions
- At least two different types of credentials must be enrolled.
- The same conditions apply to both new and firmware upgraded devices.
- All credentials supported by the device can be used for authentication.

- After enrolling at least two types of credentials, press the Apply button to finish Master Admin registration.
Managing Master Admin in BioStar 2
Registered Master Admin can be managed in BioStar 2. To manage Master Admin, follow these steps:
- Go to the Device menu, click the desired device, and enter the device detail page.
- In the Advanced → Administrator → Master Admin menu, you can view enrolled credentials and add, edit, or delete them.
- Click the Apply button to apply your changes.
Batch Editing Master Admin
You can batch edit Master Admin credentials. Use the Batch Edit feature to enroll or modify master administrator credentials for multiple devices simultaneously.
- Go to the Device menu, check the devices you want to batch edit in the left checkboxes, then click at the top.
- Click for Master Admin to switch to edit mode, then you can enroll, edit, or delete the desired credentials.
  Info: You can enroll face, fingerprint, card, and PIN credentials, and at least two different types of credentials must be enrolled.
- Click the Apply button to apply your changes.

Info:
- Batch editing overwrites with the enrolled credentials.
- If the selected device is not a new device or does not support the configured credentials, the settings will not be applied to that device.
Two-step Authentication
Existing devices upgraded via firmware do not provide Master Admin settings, but you can enhance administrator security by enabling the Two-step Authentication option.
- The Two-step Authentication option appears only when the firmware has been upgraded to the latest version on existing devices.
- The default value for Two-step Authentication is single-step authentication.
- Two-step Authentication can be activated only if all registered administrators have at least two types of credentials.
- A device whose firmware has been upgraded cannot be downgraded to a lower version.
Setting Up Two-Step Authentication in BioStar 2
- To set up Two-step Authentication in BioStar 2, go to the Device menu, click the desired device, and enter the device detail page.
  Caution: If no full administrator is configured on the device, the following popup message appears. Add an administrator to All in the Advanced → Administrator tab.
- Activate Two-step Authentication by setting it to Use in Advanced → Administrator.
- Click the Apply button to activate Two-step Authentication.
  Info: If not all administrators have at least two types of credentials, activation will fail and an error message will appear. Enroll at least two types of credentials for all administrators, and then try again.
  Warning: If you activate Two-step Authentication and then delete credentials so that all administrators have fewer than two types, you will not be able to access the administrator menu if BioStar 2 connection is also unavailable. Therefore, exercise caution when deleting administrator credentials.
Batch Editing Two-Step Authentication
You can batch edit Two-step Authentication. Use the Batch Edit feature to enable or disable Two-step Authentication for multiple devices simultaneously.
- Go to the Device menu, check the devices you want to batch edit in the left checkboxes, then click at the top.
- Click for Two-step Authentication to switch to edit mode, then you can enable or disable Two-step Authentication.
  Caution: When enabling Two-step Authentication, administrators with insufficient enrolled credentials may be unable to authenticate. Therefore, before enabling Two-step Authentication, ensure that all administrators have at least two types of credentials enrolled.
- Click the Apply button to apply your changes.
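
The pre-checks described in the cautions above can be run over an administrator inventory before a batch change. The following is an added example, not Suprema code and not a BioStar 2 API: the inventory structure, device names, user names and the "User" level are constructed for illustration; only the "All" level and the two-credential-type rule come from this page.

```python
MIN_TYPES = 2  # page rule: each administrator needs two different credential types

def credential_types(admin):
    """Distinct credential types held; two cards still count as one type."""
    return {c.lower() for c in admin["credentials"]}

def two_step_blockers(devices):
    """Map device -> reasons why enabling Two-step Authentication would fail."""
    report = {}
    for device, admins in devices.items():
        reasons = []
        # The page shows a popup when no full ("All") administrator exists.
        if not any(a["level"] == "All" for a in admins):
            reasons.append("no full (All) administrator configured")
        for a in admins:
            have = credential_types(a)
            if len(have) < MIN_TYPES:
                reasons.append(f"{a['name']}: only {sorted(have) or 'no credentials'}")
        if reasons:
            report[device] = reasons
    return report

def delete_causes_lockout(admins, name, cred_type):
    """True if removing every `cred_type` credential from `name` leaves no
    administrator on the device with two credential types (the Warning case)."""
    for a in admins:
        have = credential_types(a)
        if a["name"] == name:
            have.discard(cred_type.lower())
        if len(have) >= MIN_TYPES:
            return False
    return True

# Constructed sample inventory (hypothetical devices, users and "User" level).
INVENTORY = {
    "lobby-bs3": [
        {"name": "alice", "level": "All", "credentials": ["card", "pin"]},
        {"name": "bob", "level": "User", "credentials": ["card", "card"]},
    ],
    "dock-xs2": [
        {"name": "carol", "level": "All", "credentials": ["fingerprint", "pin"]},
    ],
}

if __name__ == "__main__":
    for device, reasons in two_step_blockers(INVENTORY).items():
        print(device, "->", "; ".join(reasons))
    print(delete_causes_lockout(INVENTORY["dock-xs2"], "carol", "pin"))
```

Devices listed in the report should be fixed or left out of the batch selection before Two-step Authentication is set to Use.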
Additional Information
- Manual Device Hash Key Change
  - When manually changing the device hash key, a warning message will indicate that Master Admin PINs will be deleted. Please confirm the message before proceeding.
- RS-485 Biometric Image Transmission Restriction
  - Biometric credential images are not transmitted over RS-485 communication, so substitute images appear when viewing the registered Master Admin face on slave devices.