<SpecificationName>

1. Credential – Biometric

1.1. The requirement for biometric authentication will be specified in accompanying

documents. When required the following specifications shall be met.

1.2. The ISMS shall be capable of providing biometric authentication via fingerprint
identification.

1.3. The ISMS shall be capable of providing biometric authentication via finger vein
identification.

1.4. The biometric readers and associated technology shall be fully integrated into the
system. All biometric enrolment and template management user interfaces shall be
provided seamlessly in the standard central control system user interface.

1.5. The operator shall not have to access a separate biometric template database to
manage biometric templates.

1.6. The identification time (time to identify a presented biometric from the database) shall
be less than 2 seconds.

1.7. The reader shall have tamper protection against removal of the reader from the wall,
and removal of the reader facia from the base.

1.8. Enrolment shall be carried out at a USB capable enrolment reader specifically provided
for this purpose.

1.9. The enrolled biometric templates shall conform to the following:

1.9.1. Each template shall be based on three separate presentations to obtain the
best template.

1.9.2. A second template associated with a second biometric (in case the primary
biometric temporarily cannot be used for any reason) shall be enrolled.

1.9.3. Two optional duress biometric templates shall be able to be captured and
stored in the reader.

1.9.4. The enrolment user interface shall provide visual and audible guidance for
correct biometric presentation during enrolment.

1.9.5. The enrolment user interface shall display a quality score associated with
the biometric capture and warn the operator if the quality of the template is
low.

1.9.6. The enrolment user interface shall provide an indication of the enrolment
quality of the presented biometrics. The level of quality threshold for
accepting presented biometrics shall be adjustable by the operator.

<SpecDate> Page 1
 <SpecificationName>

1.10. When identification mode (1 to many, or 1:N) is specified:

1.10.1. The enrolment reader shall read the biometrics and store them as biometric
templates in a central database.

1.10.2. The biometric templates defined above shall be a subset of the cardholder
record.

1.10.3. During the biometric read process, the presentation of a biometric at a

reader shall initiate a database inquiry at the reader. If the biometric is
determined to be of a valid cardholder, the associated access will then be
verified by the access controller before access is granted.

1.11. When verification mode 1 to one, or 1:1 is specified:

1.11.1. The enrolment reader shall read the biometrics and store the template data
onto a Mifare Classic, Mifare Plus, or DESFire card.

1.11.2. When the card is to be encoded, the user shall be prompted to enrol the
biometrics and the card shall then be encoded with both the system
identification data and the biometric data.

1.11.3. There shall be a configurable option whether to save cardholder biometrics

to the central database or discard after encoding to card.

1.11.4. During the biometric read process, the biometric read at a reader shall be
compared with the template data read from the card. If the biometric is
determined to be a match, then the associated access will be verified by the
access controller before access is granted.

1.11.5. An authorised system operator shall be able to generate and download a

Mifare A key to all readers in the system.

1.11.6. The A key shall be either generated automatically as a random hexadecimal

key, or manually entered.

1.11.7. On a Mifare Classic or Mifare Plus card, the Mifare sectors where the
biometric template data is to be stored shall be user definable.

<SpecDate> Page 2