Setting Master Admin

The Master Admin feature is designed to enhance device security by strengthening overall administrator privileges and preventing unauthorized access and configuration changes. With this feature, you must register a Master Admin on the new device, and only registered Master Admins can access the administrator menu and change device settings.

The Master Admin feature is available only on Suprema products that support user interface via LCD screen.

Info

• This feature is an essential policy to enhance device security.

• The Master Admin cannot be deleted directly, and they are deleted only through factory reset.

Master Admin

Supported Products for Master Admin

The following products support the Master Admin feature:

BioStation 3 Firmware v1.4.0 or later	BioStation 2a Firmware v1.2.0 or later	BioLite N2 Firmware v1.7.0 or later	X-Station 2 Firmware v1.4.0 or later

Registering Master Admin in BioStar 2

When you boot a new device for the first time after connecting it, the Master Admin registration screen appears. The new device must register a Master Admin, and if not registered, the use of the device will be restricted.

You can register and manage Master Admin in BioStar 2 without registering Master Admin on new devices.

Info

• The Master Admin feature is supported from BioStar 2 v2.9.11 onwards.

• For existing devices with upgraded firmware, the Master Admin menu does not appear in BioStar 2 device settings.
  Existing devices upgraded via firmware do not provide Master Admin settings, but you can enhance administrator security by enabling the Two-step Authentication option. For Two-step Authentication settings, refer to the following.

1. To register Master Admin in BioStar 2, go to the Device menu, click the desired device, and enter the device detail page.

2. In the Advanced → Administrator → Master Admin menu, select and enroll two types of desired credentials.

   

   Credentials that can be enrolled for Master Admin are as follows:

   Credential Type	Max Quantity	Details
   Card	Up to 4	Supports CSN and Wiegand type only No duplicate enrollment within the same type
   Face	Up to 2	Available only on devices with the same algorithm
   Fingerprint	Up to 2	-
   PIN	1	Minimum 8 digits

   Enrollment Conditions

   • At least two different types of credentials must be enrolled.

   • The same conditions apply to both new and firmware upgraded devices.

   • All credentials supported by the device can be used for authentication.

3. After enrolling at least two types of credentials, press the Apply button to finish Master Admin registration.

Managing Master Admin in BioStar 2

Registered Master Admin can be managed in BioStar 2. To manage Master Admin, follow these steps:

1. Go to the Device menu, click the desired device, and enter the device detail page.

2. Advanced → Administrator → Master Admin menu, you can view enrolled credentials and add, edit, or delete them.

   

3. Click the Apply button to apply your changes.

Batch Editing Master Admin

You can batch edit Master Admin credentials. Use the Batch Edit feature to enroll or modify master administrator credentials for multiple devices simultaneously.

1. Go to the Device menu, check the devices you want to batch edit in the left checkboxes, then click at the top.

2. Click for Master Admin to switch to edit mode, then you can enroll, edit, or delete the desired credentials.

   

   Info

   You can enroll face, fingerprint, card, and PIN credentials, and at least two different types of credentials must be enrolled.

3. Click the Apply button to apply your changes.

   Info

   • Batch editing overwrites with the enrolled credentials.

   • If the selected device is not a new device or does not support the configured credentials, the settings will not be applied to that device.

   

Two-step Authentication

Existing devices upgraded via firmware do not provide Master Admin settings, but you can enhance administrator security by enabling the Two-step Authentication option.

Info

• The Two-step Authentication option appears only when the firmware has been upgraded to the latest version on existing devices.

• The default value for Two-step Authentication is single-step authentication.

• Two-step Authentication can be activated only if all registered administrators have at least two types of credentials.

• The firmware upgrade device cannot be downgraded to a lower version after upgrading the firmware.

Setting Up Two-Step Authentication in BioStar 2

1. To setting Two-step Authentication in BioStar 2, go to the Device menu, click the desired device, and enter the device detail page.

   Caution

   If no full administrator is configured on the device, the following popup message appears. Add an administrator to All in the Advanced → Administrator tab.

   

2. Activate Two-step Authentication by setting it to Use in Advanced → Administrator.

   

3. Click the Apply button to activate Two-step Authentication.

   Info

   If not all administrators have at least two types of credentials, activation will fail and an error message will appear.
   Enroll at least two types of credentials for all administrators, and then try again.

   

   Warning

   If you activate Two-step Authentication and then delete credentials so that all administrators have fewer than two types, you will not be able to access the administrator menu if BioStar 2 connection is also unavailable. Therefore, exercise caution when deleting administrator credentials.

Batch Editing Two-Step Authentication

You can batch edit Two-step Authentication. Use the Batch Edit feature to enable or disable Two-step Authentication for multiple devices simultaneously.

1. Go to the Device menu, check the devices you want to batch edit in the left checkboxes, then click at the top.

2. Click for Two-step Authentication to switch to edit mode, then you can enable or disable Two-step Authentication.

   

   Caution

   When enabling Two-step Authentication, administrators with insufficient enrolled credentials may be unable to authenticate. Therefore, before enabling Two-step Authentication, ensure that all administrators have at least two types of credentials enrolled.

3. Click the Apply button to apply your changes.

Additional Information

• Manual Device Hash Key Change

  • When manually changing the device hash key, a warning message will indicate that Master Admin PINs will be deleted. Please confirm the message before proceeding.

• RS-485 Biometric Image Transmission Restriction

  • Biometric credential images are not transmitted over RS-485 communication, so substitute images appear when viewing the registered Master Admin face on slave devices.

Frequently Asked Questions

Q.What happens if you do not register a Master Administrator?

A new device without a registered Master Admin cannot perform authentication or change settings. However, you can connect the new device to BioStar to register a Master Admin.

Q.Is Master Administrator configuration supported on devices upgraded with firmware from existing devices?

No. Devices upgraded with firmware from existing devices do not support master administrator configuration. However, you can enhance device security by strengthening the permissions of all administrators through the Two-Step Authentication option. For details about the Two-Step Authentication option, see the following document.

Q.Can you register a Master Administrator on a slave device?

Yes. You can register a Master Administrator on a slave device.