Home/Access/Guides/SAFR SCAN Admin Guide

1 Overview

SAFR SCAN integrates easily into existing physical access control systems (PACS). It can replace or augment existing door hardware and integrate into PACS software and panels to use your face in place of or in addition to a physical access card. It does this by leveraging standards-based access control protocols (Wiegand or OSDP) to pass credentials to the panel. SAFR SCAN makes it easy to deploy by integrating into your PACS software to download face images and credentials and using them to authenticate card holders.

Graphical user interface Description automatically generated

The SAFR SCAN reader uses IP networking to connect to your PACS software and download face images and access credentials. SAFR SCAN uses the face image to match people approaching the device. Users are quickly recognized and using 2 dimensional and 3 dimensional sensors to protect against spoofing with printed or digital photos or videos. Once authenticated, the user's credentials are sent to the panel for authorization.

SAFR SCAN can operate as a standalone device, or as part of a full SAFR system.

1.1 How it works

This section outlines the process for typical single factor face authentication with SAFR SCAN. The process begins with faces being enrolled from the physical access control system and loaded into SAFR SCAN. This is a one-way sync that is facilitated through SAFR Software running on a PC. Once faces are loaded, the system is functional and the sequence below demonstrates how SAFR performs authentication, sends the person credentials to the access control panel which in turn unlocks the door as long as the person is authorized.


Diagram Description automatically generated


Diagram Description automatically generated with low confidence


Graphical user interface Description automatically generated with low confidence


Graphical user interface Description automatically generated with medium confidence


Timeline Description automatically generated


Timeline Description automatically generated with medium confidence


A picture containing text Description automatically generated

1.2 SAFR SCAN Capabilities

1.2.1 Key Advantages

  • Integrates easily with standard Access Control Systems
    • Import faces from access control systems without re-enrollment.
    • Connects to Panel via Wiegand and OSDP / Relay to open locks directly.
      • Wiegand and OSDP Inputs and Outputs to transmit credentials.
      • TTL Input/Output for controlling LEDs.
      • Relay for closing/opening circuit on locks or other hardware.
  • Enroll from an image file or webcam
    • No need to enroll 3D face images on the device.
    • Unique approach to liveness verification using a combination of 2D (texture and context) and 3D (face structure) technologies.
  • Low Bias / High Accuracy matching
    • Least variation across race and gender (bias) in NIST FRVT Part 3 Demographics.
    • 99.87% LFW (labeled faces in the wild) matching accuracy / 99.85% for masked faces.
  • Fastest and smallest model in NIST FRVT
    • 20ms detection time / 200ms match time
  • Works indoors and outdoors in extreme lighting and environmental conditions.
    • Strong backlight – Applies face prioritized exposure. SAFR SCAN's direct control over camera and fast detection times allow it to adjust exposure in real time to get proper exposure on face.
    • Low / Zero light – SAFR SCAN use a combination of strategies to handle low light.
      • Applies IR illuminator to perform face recognition in low light for face detection.
      • Gradually fades in white light on front panel to illuminate the face for matching.

1.2.2 Noteworthy Features

  • Self-contained
    • Unlocks door even if network offline.
    • Stores identities and performs face matching on-board.
    • Embedded algorithm for fast and accurate operation.
  • Mobile credentials via SAFR Key App
    • Allows 2 factor authentication: Face + phone (or card)
    • Phone stays in pocket / transparent to end user
  • RTSP Output for integration to VMS
    • SAFR SCAN camera can be added to VMS and other DVR systems to augment the existing video surveillance system.
  • Works with masks
    • Enroll once (without mask). Match with and without mask.
  • Multifactor Authentication
    • Authenticate via Face, Card, Mobile, PIN* or 2-way Audio*
  • Dual redundant power supply
    • Power via PoE, AUX 12-24 VDC power, or both

* Feature to be released with firmware update

1.2.3 Other Features

  • Tamper detection (motion and shock)
  • High throughput (30 people/min)
  • 50,000 user capacity on device
  • 10,000 event capacity on device
    • Events are cached in case of loss of network
    • When network restored, all events sent to server which is limited only by disk capacity
  • Unlimited user capacity on server for both people and events
  • Scalable from 1 door to 1000+ doors
  • Option for On-Premises or Cloud hosted solution
  • Desktop and Mobile apps for easy enrollment and management
  • RESTful APIs for integration to external identity management and incident management systems

1.2.4 Flexible Enrollment options

  • Synchronize faces and credentials from access control system
  • Enroll face or card on device
  • Import from image file
  • Bulk import image files
  • Mobile App enrollment
  • Enrollment Kiosk
  • Remote enrollment
  • RESTful APIs

1.2.5 Advanced Analytics

  • Persons of interest/Watchlist monitoring and alerting
  • Tailgating detection and alerting
  • People counting and reporting*
  • Occupancy counting and alerting*
  • Audio intercom*

* Feature to be released with firmware update

1.2.6 Security

  • SAFR SCAN is designed, built, maintained, and regularly updated with security in mind.
    • End-to-end data encryption.
    • Cyber security protocols
  • Customer data, and access to it, is isolated at the customer premises.
    • Cloud hosted options exist, but on-premises solution puts customer in total control of their data.
  • Data Security (Data-at-Rest Security)
    • Data is encrypted at rest (on disk) with AES-256 and RSA-2048 ciphers.
    • No biometric data leaves the device for processing.
    • Optional configuration allows for zero PII to be stored or used at the edge.
      • No name or pictures are sent to SAFR SCAN.
      • Only biometric signature and credential number are stored at edge.
  • Network Security (Data-in-Transit Security)
    • Data is encrypted in transit (network) using TLS (https) to encrypt all transactions.
    • Any request to access data must be authenticated using role-based credentials.
    • All access is logged and available for auditing.
  • Device Security (Data-in-process Security)
    • Device has a secure boot that prevents rogue OS loading / tampering.
    • SAFR SCAN prevents access to the device firmware by isolating its operation, protecting it from inspection and ensuring that the boot process is secure.

Fast and accurate face recognition - SAFR SCAN uses SAFR’s exceptionally accurate AI-powered facial recognition algorithm.

Up to 50,000 enrollment capacity - Up to 50,000 people can be enrolled in SAFR SCAN’S Person Database.

Individual people enrollment - People can be added to SAFR SCAN’s Person Database individually. (i.e. one by one)

Mass enrollment - Large numbers of people can be enrolled at once by submitting their photos to a full SAFR system and then syncing your SAFR SCAN’s Person Database with the SAFR system.

Single- or dual-factor authentication - See the Authentication section below.

Mask detection and recognition - SAFR SCAN is able to detect when people are wearing masks, and it can continue identifying faces even when they’re wearing masks.

Wiegand and OSDP support - SAFR SCAN supports both Wiegand and OSDP connections for both access control devices (e.g. relays, physical access panels (PACs), etc.) and authentication devices (e.g. badge readers, fingerprint readers, etc.).

Indoor/outdoor - SAFR SCAN is able to successfully operate in both indoors and outdoors lighting and environmental conditions.

Anti-spoofing - Structured lighting can be used to test camera image liveness.

1.3 Authentication

SAFR SCAN's primary function is to authenticate a person attempting to gain access to one a resource. SAFR SCAN offers the following types of authentications.

1.3.1 Single Factor Authentication - Face Authentication

SAFR SCAN can grant access using people’s faces as their credentials. The faces must pass a liveness check which SAFR SCAN automatically executes before access is granted. Credentials are sent out either via Wiegand, OSDP, or an electronic locking mechanism triggered via a relay connection.

1.3.2 Single Factor Authentication - Various Authentication Types

SAFR SCAN can also be configured to grant access when any one of a number of authentication types is presented. The most common two types of authentications that are used are face authentication and badge. But SAFR SCAN can use the Wiegand or OSDP inputs to integrate with and accept other authentication types such as fingerprint or iris. If one of the configured authentication types are presented, credentials are sent out either via Wiegand, OSDP, or an electronic locking mechanism triggered via a relay connection.

This method is useful for providing users the choice of authentication method.

1.3.3 Two Factor Authentication

Finally, SAFR SCAN can be configured to grant access only if a person presents two forms of authentication: face and one other type. SAFR SCAN supports Badge or SAFR Mobile Credentials internally, but you can use the Wiegand or OSDP inputs to enable other authentication types. The order the authentication types are presented is unimportant. When one of the authentication types is presented, SAFR waits a configurable time for the second authentication type to be presented. If both authentication types are presented within the configured time frame, credentials are sent out either via Wiegand, OSDP, or an electronic locking mechanism triggered via a relay connection.

1.4 SAFR Applications

This section provides an overview of the SAFR Applications for managing SAFR SCAN.

1.4.1 SAFR SCAN Web Console

The SAFR SCAN Web Console is a web-based interface for administering a single reader. On first boot, SAFR SCAN Web Console is used to setup system login. In provides full administration capabilities for SAFR SCAN when not connected to SAFR Server and when connected to SAFR Server is used for a subset of system administration capabilities.

  • Live View - Provides live monitoring of a single SAFR SCAN displaying video preview and real time events.
  • People - Add, update, or delete persons and credentials.
  • Operation - Device configuration for operation settings
  • System - Device configuration for system settings.

1.4.2 SAFR Server

A background service that runs on Windows or Linux to manage multiple SAFR SCAN on the local network. Support VM or bare metal operation and performs the following functions:

  • Device Configuration - Configure settings of one or more devices from a single location.
  • Identity Synchronization - Performs a 1-way sync from PACS or external user directory sources.
  • Person Synchronization - Synchronize person records between SAFR Server and all connected readers.
  • Event Aggregation - Aggregate store events from all readers into a single location to enable reporting and act as a proxy for 3rd party applications getting events either real time or on demand thru REST APIs.
  • Reports - SAFR Server uses its event database to generate a variety of reports.
  • SMS/Email Alert Notifications - Generate SMS or email for events matching specific parameters.

1.4.3 SAFR Desktop

A modern Windows user interface with a rich feature set that offers a number of tools to manage and monitor SAFR SCAN and the person database. Includes powerful tools to manage all aspects of access control.

  • Device management - Centralized configuration of all readers – one at a time or as a group.
  • System Configuration - Configure system level settings like connecting to external.
  • Person management - View, Add, update or delete person records.
  • Event Viewer - View, filter or export events data.
  • Operator Console - Unified view of activity in a single window containing aggregated view of events, alerts, and video feeds.
  • Forensic search - Use image file or person characteristics to search event history or person database.

1.4.4 SAFR Mobile App

Mobile Apps for enrollment and monitoring on the go. The SAFR Mobile app runs on iOS or Android and performs many of the administration features of SAFR Desktop. The mobile applications can also be configured as a registration kiosk or as a portable recognition tool. Real time alerts thru SMS or Email can be triggered. Alerts can include a link that loads the person record of the match person and provides a view of recent events for that person.

1.4.5 SAFR Server Web Console

Web Browser for quick access w/o desktop pre-installed. The web-based interface that provides most of the same features as SAFR Desktop to enable portable management of the SAFR Server. Includes Device Management, System Configuration, People Management and Event Viewer.

1.4.6 SAFR Key

Mobile application facilitates the SAFR Mobile Credentials feature. See Mobile Credentials for more information.

1.4.7 SAFR Actions

SAFR Actions is used to create and manage actions based on event triggers. Actions can be written in Python and can be deployed for wide range of IFTTT scenarios. Actions can unlock a door, turn on a light, send an alert, record data for reporting, or any number of actions depending on the use case.

1.5 SAFR License Accounts

SAFR Applications require a license to run. This section describes SAFR Licensing and how it applies to SAFR SCAN.

1.5.1 License Types

SAFR offers two types of products with overlapping capabilities and use cases.

  • SAFR for Security – Use facial detection and recognition to for watchlist alerts.
  • SAFR for Access Control – Use facial detection and matching for physical access control.

SAFR for Security can be further divided into two license type depending on the type of camera used.

  • SAFR Camera – SAFR Camera performs both detection and recognition on the device. A SAFR Software On-Premises license is included with each SAFR device licensed as long customer is hosting the on-premises solution. A subscription license can be purchased for SAFR Cloud. SAFR Software allows for camera management, watchlist management, event aggregation and reporting.
  • 3rd party cameras – SAFR Software performing both detection and recognition on a Windows or Linux server. SAFR Software is licensed on a per-camera basis as either subscription or perpetual licenses. Options exist to license SAFR Software for 3rd party cameras as either on-premises (subscription or perpetual) or cloud hosted subscription.

SAFR for Access Control

  • SAFR SCAN also performs both detection and face matching on the device. A SAFR Software On-Premises license is included with each device. A cloud hosted subscription can be optionally purchased.

How to get a license

A SAFR Software license is associated with a SAFR Account. Visit http://safr.real.com/portal to create a SAFR Account and request a license. Once approved, the SAFR Software license is activated by signing into the SAFR Software with your SAFR Account. The license will be automatically downloaded from SAFR Cloud or you can perform the offline licensing process to apply your SAFR License to your On-Premises server.

1.5.1.1 SAFR Cloud vs. SAFR On-Premises

SAFR On-Premises Software runs entirely on the customer site. The software connects to either 3rd party cameras, SAFR Camera or SAFR SCAN and provides a mechanism to manage configuration across all devices, manage the identity database, view and filter events, generate reports, and general administration.

SAFR Cloud has the same capabilities, but the core services are hosted by SAFR. A SAFR Cloud customer may choose to run SAFR Desktop or use SAFR Web Console to manage and interact with the services.