Re: Salt free
Guys, you're all thinking about this in entirely the wrong way.
The scanner scans the fingerprint and uses some sort of algorithm to create a unique value. It should then be checking that against a local database to say, yep, this is Person X. Boom, the scanner has done its job.
If it needs to send details that person X has clocked in or out somewhere else, why is it sending anything related to the fingerprint? It can safely send an employee ID number with the details clock in/out time and it has done its job. Encrypt that Employee ID number for sure, but an ID number is not a password so hashing/salting is not particularly required.
The only reason, other than laziness, which I can think of for sending the data elsewhere is that the scanner can't actually do the processing locally (massive failure - means it is sending the fingerprint data externally) or the scanner can't do a simple database lookup (equally stupid failure) to assign the ID to the fingerprint value. Neither of which is acceptable.
There is nothing particularly wrong with using a fingerprint for timekeeping in my view, easier than carrying a badge (although not necessarily more secure), but under no circumstance should anything related to that fingerprint or the algorithm value it generates be leaving the scanner. If it does, then that is extremely poor and well worth the company getting a kicking for putting its staff's biometrics at risk...
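
The design argued for in the post above, as an added example that is not part of the original post or any vendor's code: the scanner resolves the template to an employee ID locally, and an egress guard refuses any outbound payload carrying fields other than the ID, action and time. The field names, the `ENROLLED` table and the exact-match lookup are assumptions made for illustration; encryption of the payload in transit is assumed to be handled by the transport and is not shown.

```python
import json
from datetime import datetime, timezone

# Only these fields may ever leave the scanner (assumed schema for this example).
ALLOWED_FIELDS = {"employee_id", "action", "timestamp"}
ALLOWED_ACTIONS = {"clock_in", "clock_out"}

# Constructed local enrolment table: template value -> employee ID.
# A real matcher compares templates by similarity; an exact lookup stands in here.
ENROLLED = {"tmpl-7f3a-constructed": "E1042", "tmpl-c91d-constructed": "E2077"}


def match_local(template_value, enrolled=ENROLLED):
    """Resolve a scanned template to an employee ID on the device, or None."""
    return enrolled.get(template_value)


def build_clock_event(template_value, action, when=None):
    """Match locally, then build an event that carries the ID but no biometric data."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    employee_id = match_local(template_value)
    if employee_id is None:
        return None  # unknown finger: nothing is sent anywhere
    when = when or datetime.now(timezone.utc)
    return {"employee_id": employee_id, "action": action,
            "timestamp": when.isoformat()}


def serialize_outbound(event):
    """Egress guard: refuse any payload with fields outside the allow-list."""
    extra = set(event) - ALLOWED_FIELDS
    missing = ALLOWED_FIELDS - set(event)
    if extra or missing:
        raise ValueError(
            f"blocked payload: extra={sorted(extra)} missing={sorted(missing)}")
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    ts = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    event = build_clock_event("tmpl-7f3a-constructed", "clock_in", ts)
    print(serialize_outbound(event))
```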