
Windows 10 to give passwords the finger and dangle dongles

djack

Re: Read the specs

* You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone)

That is even worse!

For the private key to be stored securely, it must be encrypted with a key. This key needs to be provided identically each time the system decrypts the private key.

Unlike a password, each presentation of biometric data is slightly different each time the fingerprint (or whatever) is scanned. Confirmation of the print is based on a 'near enough' match of the stored biometric data (which is why you have the risk of false positives and false negatives). Therefore the key to decrypt the private key cannot be reasonably derived from the biometric data provided at the point of 'authentication'.

The only way I can see it working is that the key needed to decrypt the private key is actually stored on the system (presumably in some sort of obfuscated fashion) and that the software only chooses to use it to gain access to the private key after a successful biometric authentication event. It may as well be stored in the clear and hope for the best.
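The two designs the post contrasts, as an added, constructed illustration (not from the post or The Register): a 256-bit stand-in for a fingerprint template with a 'near enough' Hamming-distance match, a KDF applied directly to each scan, and a stored wrapping key whose release is gated by the match. The templates, threshold and wrapping key are all made up for the demo.

```python
import hashlib
import random
from typing import Optional

TEMPLATE_BYTES = 32      # constructed 256-bit "fingerprint template"
MATCH_THRESHOLD = 0.10   # fraction of differing bits still accepted as a match


def enroll_template(seed: int) -> bytes:
    """Constructed stand-in for an enrolled template (not real biometric data)."""
    return random.Random(seed).randbytes(TEMPLATE_BYTES)


def scan(template: bytes, flip_fraction: float, seed: int) -> bytes:
    """Simulate a fresh scan of the same finger: a share of bits read differently."""
    rng = random.Random(seed)
    bits = bytearray(template)
    total_bits = TEMPLATE_BYTES * 8
    for pos in rng.sample(range(total_bits), int(flip_fraction * total_bits)):
        bits[pos // 8] ^= 1 << (pos % 8)
    return bytes(bits)


def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two templates differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def templates_match(stored: bytes, fresh: bytes) -> bool:
    """'Near enough' comparison; the tolerance is where false accepts/rejects live."""
    return hamming(stored, fresh) <= MATCH_THRESHOLD * TEMPLATE_BYTES * 8


def derive_key_from_biometric(sample: bytes) -> bytes:
    """Model 1: derive the key straight from the scan. Any differing bit yields a
    different key, so a scan that matches but is not bit-identical cannot
    reproduce the key that encrypted the private key."""
    return hashlib.sha256(b"biometric-kdf|" + sample).digest()


def release_stored_key(stored: bytes, fresh: bytes,
                       wrapping_key: bytes) -> Optional[bytes]:
    """Model 2: the wrapping key already lives on the system; the biometric
    match only gates its release. Its protection depends on where it is kept."""
    return wrapping_key if templates_match(stored, fresh) else None
```

In model 2 the security question moves from the scan to the storage of the wrapping key (a hardware key store versus a file on disk), which the simulation deliberately does not model.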
