"With no crypto, one will not even need a gelatin finger," he said in his presentation notes.
Microsoft licenses the underlying technology for its reader from Redwood City, Calif.-based Digital Persona; that company's U.are.U 4000 reader does encrypt image data.
But sans encryption, Kiviharju said, Microsoft's implementation of Digital Persona's technology exposes some of Digital Persona's security methods to hackers.
"MSFR unencryption reveals some anti-forgery strategies used by Digital Persona elsewhere," said Kiviharju in an accompanying white paper. Among them: Digital Persona's use of a checksum.
Vance Bjorn, Digital Persona's chief technology officer, denied that any sensitive information about the technology had been disclosed to potential attackers by Microsoft's lack of encryption.