This release includes support for biometric login of employees. Biometric login enables employees to log in using a thumbprint or fingerprint that is scanned by a special device attached to the workstation. Biometric entry is allowed wherever users are prompted for credentials. (Note: Biometric login is used in the 'live' Prism application only; it is not used in configuration areas.)
Biometrics have become increasingly important to retailers as weaknesses with the traditional username/password form of authentication have become known. Username/password combinations can be discovered via social engineering and brute force attacks, giving unauthorized users access to the network. Fingerprints, being unique to each individual, provide greater security.
Supported Biometrics Hardware
The SecuGen Hamster Plus model is the only biometric scanner currently supported.
Basic Steps for Biometrics
1. Plug the biometric device into the USB port. The device should be "plug-and-play" without the need for further configuration.
2. Add the Biometrics customization in the Admin Console at the Prism server.
3. Register the Biometrics with individual workstations.
4. The Biometric Login button will be added to the standard Prism login dialog. Users can click the button and then scan the designated thumb or fingerprint to log in.
Important! You must enter the Customization record info correctly. Any mistakes will cause biometric login to fail.
- In the Admin Console, click Customizations.
- Click Add New Customization.
- Enter the following information:
  - Name: Biometrics
  - Version: 1.0.0
  - Developer ID: 001
  - Customization ID: 003
  - Control Address: 127.0.0.1
  - Port: 6001
  - Timeout: 100000
  - Manifest File Location: c:\Program Files (x86)\RetailPro\PrismProxy\Biometrics.exe (Path to the local biometrics executable)
  - Manifest Type: Local
  - Auto Start: Checked
  - Auto Stop: Checked
- Save the changes and then add the customization to the workstation record, as described in the following set of steps.
- Log out. Right-click on the Proxy icon and select Reload HQ Config.
Add Customization to Workstation
- Edit the Workstation record and select HAL Settings > Customizations active.
- Click Add Customization.
- Select the #001 Biometrics - 127.0.0.1:6001 choice from the drop-down.
- In the Local Path field, enter c:\Program Files (x86)\RetailPro\PrismProxy\Biometrics.exe
- Save the changes.
Register New Fingerprint
Before a user can log in using Biometrics, the user must register the fingerprint in Employees > Change Password. To register a thumb or fingerprint, three successful scans must be entered. The final scan requires entry of the employee's password. Note: The Sysadmin user is not available for this operation.
- Select Change Password from the Prism menu.
- In the Biometrics area, click the Add button.
- First scan: Enter a description (e.g. Right Thumb). Click Scan. Place your finger on the scanner and wait for the green toast message. If a red toast message is displayed, re-scan the finger.
- Second scan: Select Scan and repeat for the second scan.
- Enter your Prism password and press Scan for the third and final scan. Note: You are the only one in control of your registered fingerprints. For example, only you can delete them.
- Repeat for other fingerprints. Click Done and then save the changes.
Login using Biometric Data
When the Biometric customization is installed and registered on a workstation, whenever a login prompt is displayed, the interface will include a Biometric Login button. Click the Biometric Login button, click the Scan button and then place your thumb or finger in the biometric device. When the scan is successfully recognized, a green pop-up message is displayed.
user_name, empl_name and Employee, Biometrics tables
This section has information about the user_name and empl_name columns in the EMPLOYEE and BIOMETRICS tables.
The Prism RPSODS database EMPLOYEE table includes user_name and empl_name columns. The BIOMETRICS table includes an empl_name column.
- The user_name column is unique across all subsidiaries. When a user does a regular login using user name and password, the server looks in the EMPLOYEE table and tries to find a matching record. The employee resource is a core resource and cannot be filtered or excluded from replication. As a result, you can use the user_name and password of any employee and log in to Prism at any store.
- The empl_name column is unique within a single subsidiary. When a user does a biometric login using a fingerprint, the server first looks in the BIOMETRICS table and retrieves the empl_name and sbs_sid. The server tries to match the retrieved information with a corresponding empl_name and orig_sbs_sid in the EMPLOYEE table. If a match is found, the server uses the user_name and password from the EMPLOYEE table for the login. The biometrics resource is not a core resource; therefore, you can apply a filter or simply not replicate the resource. This creates the possibility that a user may be able to log in using the user name and password while the login using the fingerprint fails.
If you want to filter your data by subsidiary but still want all fingerprints to be replicated, you must create a separate profile that includes only the biometrics resource and do not apply any filter to it.
The rule is: empl_name + orig_sbs_sid from the EMPLOYEE table MUST match empl_name + sbs_sid from the BIOMETRICS table. Therefore, when you create a biometrics record, you should pass an empl_name and sbs_sid equal to the empl_name and orig_sbs_sid (important! Not the employee's sbs_sid but the employee's orig_sbs_sid) of the employee for whom you are creating the fingerprint.
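The matching rule above, modelled in an in-memory SQLite database as an added example (this is not Retail Pro code and not the RPSODS schema). Only the columns named in this section are included, all rows are constructed, and the function names are hypothetical. It shows the two ways a fingerprint login can fail while the password login still works: a BIOMETRICS record created with the employee's sbs_sid instead of orig_sbs_sid, and a BIOMETRICS record that was never replicated.

```python
import sqlite3

# Constructed rows. Only the columns named in this section are modelled.
EMPLOYEES = [  # (user_name, empl_name, sbs_sid, orig_sbs_sid)
    ("jsmith", "JSMITH", 2, 1),   # created in subsidiary 1, now assigned to 2
    ("mlee", "MLEE", 1, 1),
    ("apatel", "APATEL", 3, 3),
]
BIOMETRICS = [  # (empl_name, sbs_sid)
    ("JSMITH", 2),  # mistake: carries the employee's sbs_sid, not orig_sbs_sid
    ("MLEE", 1),    # correct
    # no APATEL row: biometrics resource filtered out or not replicated
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee (user_name TEXT UNIQUE, empl_name TEXT,"
               " sbs_sid INTEGER, orig_sbs_sid INTEGER)")
    db.execute("CREATE TABLE biometrics (empl_name TEXT, sbs_sid INTEGER)")
    db.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    db.executemany("INSERT INTO biometrics VALUES (?, ?)", BIOMETRICS)
    return db

def resolve_login(db, empl_name, sbs_sid):
    """Map a matched BIOMETRICS row to a user_name, or None if no employee matches."""
    row = db.execute("SELECT user_name FROM employee"
                     " WHERE empl_name = ? AND orig_sbs_sid = ?",
                     (empl_name, sbs_sid)).fetchone()
    return row[0] if row else None

def orphaned_biometrics(db):
    """BIOMETRICS rows that can never resolve to an employee."""
    return db.execute(
        "SELECT b.empl_name, b.sbs_sid FROM biometrics b"
        " LEFT JOIN employee e ON e.empl_name = b.empl_name"
        " AND e.orig_sbs_sid = b.sbs_sid"
        " WHERE e.user_name IS NULL ORDER BY b.empl_name").fetchall()

def password_only_users(db):
    """Employees whose password login works but who have no usable fingerprint."""
    rows = db.execute(
        "SELECT e.user_name FROM employee e"
        " LEFT JOIN biometrics b ON b.empl_name = e.empl_name"
        " AND b.sbs_sid = e.orig_sbs_sid"
        " WHERE b.empl_name IS NULL ORDER BY e.user_name")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print(orphaned_biometrics(db), password_only_users(db))
```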