Are fingerprint scanners easy to bypass?
Fingerprints can be viewed as a fuzzy source of data. Given the same finger, a reader might never read exactly the same print. That is why most readers require the user to scan a finger multiple times during the registration phase.
During the authentication phase, the system tries to determine if the scan it just acquired is "close enough" to the trained data to allow access. This leads to two problems.
Remote authentication
Keeping biometric private
Remote Authentication
Assume I keep my biometric private (we'll deal with that problem later). Can I give another party enough information to correctly authenticate me without requiring them to store enough information to impersonate me (i.e., if someone steals the database, I don't want them to be able to impersonate me)?
It turns out you can. The functions needed are called secure sketches and fuzzy extractors. A secure sketch (SS) is given some data (w) and returns string (s) in other words SS(w)=s. A secure sketch also has a recovery function (Rec). Rec takes as input w' (a noisy copy of w) and s. If w' is sufficiently close to w (where closeness is measured by some distance metric such as hamming distance), then Rec(w',s)=w. Now the server and I share a secret value (namely w) which we can each prove knowledge of to authenticate each other (mutual authentication).
The cool thing about this is that even if someone steals s, they won't be able to impersonate me. There are a few problems with this, however. What if the attacker modifies the copy of s that the server is storing. Could they do that in such a way that w is leaked? In the original work, there were no guarantees that this couldn't happen. Later research, however, removed this restriction by developing what is called a robust secure sketch, which is secure even in the presence of an active adversary (i.e., an adversarial controlled channel).
Keeping biometric private
The above ideas all assumed that w (and w') were kept private. This is probably not a good assumption as seen on MythBusters. So, researchers went back to the drawing board and said "Hey what if my fingerprint was my public key" and thus Fuzzy Identity-Based Encryption (FIBE) was born.
Closely related to this is Identity Based Encryption, where my identity (e.g., email address) is my public key. Someone uses my email address to encrypt a message. I then prove to a third party that I own the email address, whereupon I am able to retrieve the corresponding private key and decrypt the encrypted message. It is important to note that the sender only needs some public information from the third party to enable her to encrypt messages to any identity. The receiver must at some point (either before or after the encrypted message is actually sent) retrieve his private key.
FIBE builds upon this idea for fuzzy identities. You read my fingerprint (w), I use w' to get my private key and as long as w and w' are close enough, I am able to retrieve the message you send to me (I still have to contact the third party at some time though). An authentication protocol could be built on this so that I need not keep my biometric private.
The major problem with this system (and IBE in general) is the requirement of a third party and the fact that that third party can impersonate me once they have seen a copy of my biometric. The latter problem can be removed by having multiple third parties who all contribute to the process. Thus, no single one can impersonate me. But, then I have to contact multiple people in order to encrypt or decrypt messages.
Application
I'm not sure if any commercial products implement these ideas. So, I cannot speak to commercially available products, but if you are not limited to commercially available products, you could implement these systems yourself and they would probably be pretty secure.
Unfortunately, yes, they are. It's quite trivial, in fact, using a bit of scotch tape.
Fingerprints are actually more akin to usernames than passwords. Fingerprints can be used to identify you, but not authenticate you.
The proper operation of a fingerprint reader in a computer operating system should be to identify the user and chose their username from the list, rather than replace a password.
A fundamental issue when using certain biometrics is the simple logic using something that the user leaves behind himself all over the place all day long as being quite unique. We can take pictures of faces, mimic sounds using a synthesizer and capture fingerprints quite easily. This brings us to the second major pitfall of biometrics.
Most biometric fingerprint scanners work like this: A device records a fingerprint and compares the ridges and valleys with a picture it already has. Certain points that may be considered unique are given a mathematical value, or score. If the score of this print is within an acceptable threshold - compared to the original score of the original print - access is granted.
This means that an attacker can simply raise the threshold margin to gain access. If usually two fingerprints have to be within 20 points to allow access, but an attacker gains access to the system and changes the threshold to 10000 points, then any fingerprint would allow him access to the system. In a business environment, most staff members wouldn't notice this, because the change affects false positives, not false negatives.
As far as I know, this trait is unique to biometrics.