
From that data point, how can you be sure that every single finger pressed to the reader doesn't identify as OP? You are assuming OP's low false negative rate has implications about false positives.

Edit: this type of reasoning is probably what led to the recent authentication bypass flaw in Intel's AMT code. It just accepts anything passed to it as a valid password hash. That test is probably still passing in their CI system...



. . . because the gym still uses the system? If it didn't accurately distinguish between their customers, why would they still use it?

This is 100% not the same type of reasoning. We have reason to believe that the fingerprint accurately distinguishes between 1000 different options. False positive and false negative aren't meaningful terms here, because we're no longer dealing with yes/no results.


> why would they still use it?

"If this authentication system didn't work nobody would use it" is literally the reasoning I mentioned above.

> we're no longer dealing with yes/no results

That's exactly what we're dealing with. Iterate through the list of fingerprints in the database, does provided == stored.

You might be interested in reading about CER (crossover error rate). It's the term used for discussing the trade-off between type 1 (false positive) and type 2 (false negative) in biometric systems especially.

https://security.stackexchange.com/questions/57589/determini...
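
An added illustration of the point argued in the comment above (not part of the thread and not any participant's code): with constructed similarity scores, a matcher threshold that accepts everything still passes an "enrolled user gets in" check while its false accept rate is 100%, and sweeping the threshold locates the crossover point. The scores, function names and threshold grid are all assumptions.

```python
# Constructed similarity scores in [0, 1]; not measurements from any real reader.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.93, 0.70, 0.89]   # finger vs. its own template
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.74, 0.30, 0.55, 0.81]  # finger vs. someone else's


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) for a matcher that accepts when score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    """Sweep thresholds; return (threshold, FAR, FRR) where |FAR - FRR| is smallest."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def enrolled_user_test_passes(threshold):
    """The 'my finger always works' check: every genuine attempt is accepted."""
    return rates(threshold)[1] == 0.0


if __name__ == "__main__":
    for t in (0.0, 0.70, 0.90):
        far, frr = rates(t)
        print(f"threshold={t:.2f} FAR={far:.3f} FRR={frr:.3f} "
              f"enrolled-user test passes={enrolled_user_test_passes(t)}")
    print("crossover (threshold, FAR, FRR):", crossover())
```

A test suite that only checks genuine attempts cannot tell threshold 0.0 from a correctly tuned one; impostor attempts have to be part of the test set.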


You really think the gym would use a system where a large portion of fingerprints match as OP? No, we're not dealing with yes/no. We're dealing with "which fingerprint matches the given data best", not "does the given data match a given fingerprint well enough". The scanner doesn't return "is this person OP", it returns "which person is this".


As someone who has done red teaming of systems like this and found exactly that type of bug? Yes. Yes I do.

I'm sorry, but you are simply fundamentally misunderstanding how this works.



