Comment 3 for bug 235297

Tom Jaeger (thjaeger) wrote :

I guess I had it coming... This bug has nothing to do with the fact we're talking about a fingerprint reader here, it is the equivalent of passwd(1) not asking for the old password when setting a new one, which would obviously be a bad idea. A fix is also just as easy: Just move the fingerprints to a secure location, so that you have to be root in order to enroll a new fingerprint (and maybe create a SUID root program so that users not in the group adm can set their fingerprint, but I doubt that would be necessary in most usage scenarios).

That said, I do wonder about this knee-jerk bashing of fingerprint readers. I'd argue that, for the average user, they actually provide a level of security at least comparable to good old-fashioned passwords -- if not better: all the attacks on fingerprint readers I've seen described require a much higher level of sophistication than looking over someone's shoulder while they're typing in their password or maybe buying and installing a hardware keylogger. And if someone determined enough to create a device emulating the fingerprint reader has physical access to my machine, I'm pretty much screwed anyway (never mind that it would probably be much easier for them to get a hold of my password, too).