Subject: Re: PAM stinks
To: None <netbsd-advocacy@netbsd.org>
From: Miles Nordin <carton@Ivy.NET>
List: netbsd-advocacy
Date: 10/03/2001 17:35:46

> (hopefully) unique data from the fingerprint/iris scan are stored
> in a string (comparable to crypted passwords). Some kind of
> database associates the string with a user

That's not what I've been hearing from ongoing discussions about
face-fishing and biometrics at airports. The performance of a
system is quantified by a grid of four probabilities:
1. Authenticatee is person-X. System claims he or she is not X.
2. Authenticatee is not person-X. System claims he or she is X.
3. Authenticatee is person-X. System claims he or she is X.
4. Authenticatee is not person-X. System claims he or she is not X.

The comparison of biometric data with ``the database'' (of training
examples) is opaque and/or closed-source proprietary, and the biometric
scanner absolutely does not produce unique data. Any data that matches
individual people 1:1 must come out of the database, and is subject to
the four probabilities above. Therefore there must be an opaque
connection between the database and the scanner.

But, that should fit into the PAM framework with no problem. Just add
libpam_biometric.so to your pam.conf and suddenly the retinal scanner
will work with all your PAM-enabled applications.

What a bucket of horse-shit.
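
Added illustration, not part of the message above and not code from any PAM module: a constructed simulation of the contrast the thread draws, where hashing a noisy scan like a crypted password never matches, while a thresholded comparison yields the four probabilities listed in the message. The Euclidean-distance matcher, the noise model and all names and parameters are assumptions standing in for the opaque comparison a real product performs.

```python
import hashlib
import random

def scan(template, noise, rng):
    """One constructed sensor reading: the true features plus per-scan noise."""
    return [v + rng.gauss(0, noise) for v in template]

def digest(reading):
    """Password-style check: hash the reading and compare strings for equality."""
    return hashlib.sha256(repr(reading).encode()).hexdigest()

def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def collect(seed=1, dims=4, attempts=200, noise=0.8):
    """Return (exact hash matches, [(is_person_x, distance to X's record)])."""
    rng = random.Random(seed)
    person_x = [rng.gauss(0, 1) for _ in range(dims)]
    enrolled = scan(person_x, noise, rng)          # the database entry for X
    hash_matches, trials = 0, []
    for _ in range(attempts):
        genuine = scan(person_x, noise, rng)       # X presents again
        hash_matches += digest(genuine) == digest(enrolled)
        trials.append((True, distance(genuine, enrolled)))
        stranger = [rng.gauss(0, 1) for _ in range(dims)]
        trials.append((False, distance(scan(stranger, noise, rng), enrolled)))
    return hash_matches, trials

def grid(trials, threshold):
    """The four probabilities, keyed by the numbering used in the message."""
    genuine = [d for is_x, d in trials if is_x]
    others = [d for is_x, d in trials if not is_x]
    p1 = sum(d > threshold for d in genuine) / len(genuine)   # X, rejected
    p2 = sum(d <= threshold for d in others) / len(others)    # not X, accepted
    return {1: p1, 2: p2, 3: 1 - p1, 4: 1 - p2}

if __name__ == "__main__":
    matches, trials = collect()
    print("exact hash matches for the real person:", matches)
    for t in (1.0, 2.0, 3.0):
        print(t, {k: round(v, 3) for k, v in grid(trials, t).items()})
```

Moving the threshold trades probability 1 against probability 2; no setting drives both to zero once the two score distributions overlap.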