Available in PaperCut MF only.

Authentication methods

Authentication (access) methods

PaperCut MF offers several methods to authenticate users. The authentication methods supported by the device are listed on the Device Details page in the External Device Settings area, under Access methods:

User authentication

  • Username and password - This is the default authentication method. Users authenticate using their domain/ network username and password as specified in an external user directory source such as Active Directory or LDAPThe Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model. (except for internal users; see Internal users (users managed by PaperCut NG/MF)).

  • Identity number - Users authenticate using their ID number. For more information, see User card and ID numbers.

  • Swipe card - Users authenticate using their registered swipe card (for example, magnetic strip, smart card, or RFID).

    The vast majority of devices have two related options: Require PIN and Enable self-association with existing user accounts, which are described below, however some devices have one or more additional options. For more information, see User card and ID numbers. Other devices might have device-specific option, in which case they are described in the devices Embedded guide.

    • Require PIN - With this method, users use their registered swipe card and the PIN associated with the card. Users can use a swipe card with or without a pre-set and associated PIN. If using a swipe card without a pre-set and associated PIN, users are prompted to set a valid PIN to associate with the swipe card.

    • Enable self-association with existing user accounts - By default, attempting to authenticate with a username and PIN when self-associating will fail. With this method, users can use a registered swipe card or a new, unregistered swipe card. If using new, unregistered swipe cards, users are prompted to complete card self-association using their username and password (that is, associating a new unregistered card with a relevant, valid user account). After card self-association is completed, subsequent use of the registered swipe card does not require users to enter their credentials. You can also use the Advanced Config Editor to set the advanced config keys:

      • ext-device.card-self-association.use-secondary-card-number

      • ext-device.self-association-allowed-card-regex

      • ext-device.card-self-association.auth.allow-password-or-pin

        When ext-device.card-self-association.auth.allow-password-or-pin is changed from N to Y, self-association with either a username and PIN or a username and password will be possible.

Guest or anonymous access

Allow guest/anonymous access - This access method lets you choose to activate guest access or anonymous access (one or the other), which enables users to be authenticated as per the user specified in the Inherit settings from user field.

  • Guest access - To activate this access method, one of the User Authentication access methods must be selected: Username and password, Identity number, or Swipe card.

  • With this access method:

    • A Guest button, which can be customized on most devices, is displayed on the device's PaperCut MF Login screen along with the other options. For more information about customization instructions on devices, refer to the individual embedded device guides or contact your Reseller or Authorized Solution Center.

    • A user who clicks the Guest button is authenticated as a guest user, as per the user specified in the Inherit settings from user field.

  • Anonymous access - To activate this access method, no User Authentication access methods must be selected. (All three checkboxes are blank.)

  • With this access method:

    • A user is authenticated as an anonymous user, as per the user specified in the Inherit settings from user field.

    • The anonymous user can view held print jobs belonging to all users.

  • Inherit settings from user: Enter the username of the PaperCut MF user’s profile that is used while authenticating users as a guest user or an anonymous user on the device.


While Anonymous access is available on all devices, Guest access is currently available only on some devices. For more information about devices that support this, contact your Reseller or Authorized Solution Center.:

Offline mode

Server or network downtime usually means that the PaperCut Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. is unavailable and copiers cannot be used. Offline mode, if available, offers continued use of copiers without a server connection.

When the copier is working in offline mode, users can log in to the copier with a swipe card, and activity is logged against the card number. This activity is not restricted. When connection to the server is restored, the activity is logged against the user with that card number. If no user is found for the card number, the activity is logged against the username unknown (edit ext-device.unknown-offline-username to change this; see Using the Advanced Config Editor). A warning is displayed in the App.Log when this happens. If there is no account for the unknown user, one is created automatically.

It is important to note that in offline mode, the copier is not able to:

You can specify a delay between the time the copier first fails to contact the server and the copier going offline. This is useful to avoid switching to offline mode just for brief periods of server unavailability, e.g. a server reboot.

Carefully consider offline mode before it is enabled as it allows overrunning of account balances on restricted user accounts. You can configure offline mode based on the environment, including an option to set up an administrative unlock code. This allows offline mode to be set up in environments such as schools where administrative oversight is required before each activation of offline mode.

Commercial environments

You can set up offline mode for commercial environments where the tracking of print usage to users, groups or departments is important and charging is not a factor. You can configure the copier to go into offline mode automatically when it fails to contact the Application Server.

Education organizations

For added security, you can require offline mode to be unlocked before users can log in to the copier with a swipe card. Unlocking offline mode involves entering the specified code at the copier and choosing to unlock the copier for a single use or until connection to the server is restored. This is specifically useful for education organizations where a supervisor or teacher can enter this code before users can use the copier in offline mode.