The scanners must be certified because encryption of the fingerprint is done inside the sensor. When a user swipes a finger, the recognition data is compressed and encrypted, then sent to a TrueMe server, which handles authentication. If the user is allowed to visit the website or resource in question, the server sends the verified identity directly to the site.

Given the way that crooks have attacked traditional two-factor authentication systems, will fingerprints prove to be more secure? Hopefully. The TrueMe system also records the device ID of the fingerprint scanner used in the authentication attempt, potentially making it easier to spot fraud and to track down malicious users. We imagine that the technology could also be used by businesses to restrict employee access to sensitive internal websites to certain company-supplied PCs, though Pay By Touch says nothing about the way that the ID check will be used.
Read this article from Ars