Reply to post: Re: It very much depends on the reader

Boffins bust biometrics with inkjet printer

Anonymous Coward

Re: It very much depends on the reader

That being said, I'm not a big fan of biometrics. The data has to be stored, and once it gets compromised, you'd have to change your password biometrics to be secure. But no biggie, eyeballs grow back, don't they?

Not quite. Whoever stores your data so it can be replayed elsewhere is better off taking up gardening instead of IT. The best use of biometrics to YOUR benefit should:

a - store the biometrics locally, so they're only used for access control to whatever secret is held (which could be anything from a secure password to a digital certificate for a VPN or access control). This also means no need for central Big Brother databases that risk everyone when compromised;

b - store the biometric as a salted hash, so it's one way only and not usable when injected into another, similar device.

(edit: this is actually how iPhones implement biometrics as well, but their reader really needs to be improved).

Depending on the application you can influence the hash by adding a PIN of sorts and so move to 3-factor (something you have/are/know).

The main challenge is armour for the local storage. Not only does that need to be cryptographically secure, but it also needs measures against side channel attacks and against determined people physically shaving down chips until they get to the electronics (this is how satellite cards get analysed).

However, whatever security measures you use, never forget that someone may choose to use a more direct route.
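Added illustration of points (a) and (b) above, not code from the post's author or from any vendor: a device-local store that keeps only a per-device salted one-way value of template plus PIN, uses it to gate a wrapped secret, and shows why the stored values are useless when copied to another device. The template, PIN and secret are constructed placeholders, and a bit-exact template is an assumption, since real readers produce fuzzy matches.

```python
import hashlib
import hmac
import os

# Constructed sample template: stands in for the bit-string a reader would
# produce (assumed stable across scans, which real readers do not guarantee).
SAMPLE_TEMPLATE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


class LocalBiometricStore:
    """Device-local store as the post describes: biometric + PIN only gate a
    locally held secret, and nothing is kept that could be replayed elsewhere."""

    def __init__(self):
        self.salt = os.urandom(16)   # per-device salt binds the stored values to this device
        self.verifier = None         # one-way check value; the template itself is never stored
        self.wrapped_secret = None   # the gated secret (e.g. a VPN key), encrypted at rest

    def _derive(self, template, pin):
        # Mixing the PIN into the derivation is the post's extra ("know") factor.
        material = template + b"|" + pin.encode()
        return hashlib.pbkdf2_hmac("sha256", material, self.salt, 100_000, dklen=64)

    def enroll(self, template, pin, secret):
        key = self._derive(template, pin)
        self.verifier = hashlib.sha256(key[:32]).digest()
        # XOR with the other half of the derived key stands in for a real AEAD
        # key-wrap (secret <= 32 bytes); the pad is fresh because the salt is.
        self.wrapped_secret = bytes(s ^ k for s, k in zip(secret, key[32:]))

    def unlock(self, template, pin):
        """Return the secret on a correct template+PIN, else None."""
        key = self._derive(template, pin)
        if self.verifier is None or not hmac.compare_digest(
                hashlib.sha256(key[:32]).digest(), self.verifier):
            return None
        return bytes(s ^ k for s, k in zip(self.wrapped_secret, key[32:]))


def demo():
    """Enrol on device A, then try A's stored values on device B."""
    device_a = LocalBiometricStore()
    device_a.enroll(SAMPLE_TEMPLATE, "4321", b"vpn-cert-key")
    device_b = LocalBiometricStore()           # different salt
    device_b.verifier = device_a.verifier      # copied stored values
    device_b.wrapped_secret = device_a.wrapped_secret
    return {
        "local_ok": device_a.unlock(SAMPLE_TEMPLATE, "4321") == b"vpn-cert-key",
        "wrong_pin": device_a.unlock(SAMPLE_TEMPLATE, "0000") is None,
        "copied_to_other_device": device_b.unlock(SAMPLE_TEMPLATE, "4321") is None,
    }
```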
