A biometric authentication method and system may be implemented in a client server architecture to provide substantial access control security and ease of administration. Users are enrolled in the system by providing multiple biometric measurements which are stored in a database as part of the user's biometric profile. Upon attempted access of a computer, the biometric authentication engine determines which biometrics are required and what the biometric matching criteria are based on the location of the computer, time of day and other security conditions. If the user is determined not to be authentic, a security policy may cause an action to occur such as revoking the user's access privileges or causing the login attempt to appear to be successful while the authorities are summoned.