A – TWO factor Authentication PLEASE! GATTACA’s DNA test with immediate apprehension is okay for single factor, but anything less is not suitable for ‘secure’ networks. NTFS logons have both user and system credentials for two factors.
B – A scanner that encrypts the fingerprint so that it is a different hash for each submission would be a good thing. [Anything on the USB bus can query time and date which with component ID lends itself to a onetime hash.] A scanner with thermistor to verify the finger is warm is a good thing. A USB recorder to capture packets is conceivable, but replaying to fool the reader’s softare would not be trivial. Since they have physical access probably not you most important worry. A scanner that does NOT try to image the fingerprint is a good thing.
C – In amplification of the last statement preceding – The database of scanned fingerprints should NOT be evidentiary. Our job is authenticating users and protecting the network and its data. NOT collecting fingerprints for what ever government agency shows up with a warrant.