- Amazon One is a service that lets you pay for things by scanning your palm.
- Amazon’s new app now lets you scan your palm and upload it.
- Using biometrics for direct authentication is a terrible idea.
Good news for folks who like to store their biometric data on somebody else’s computers. Amazon One now has a palm-scanning app to make it even easier to give that stuff away.
Amazon users can now use their phone cameras to scan their palms and upload them to the cloud. They can then use their palm to pay at the checkout in Whole Foods stores, “several” Amazon stores, plus a bunch of participating third-party locations like sports stadiums and corner stores. Previously, you had to scan your palm using Amazon’s machines, but apparently, now it can be done just as securely using your phone, thanks to—you guessed it—AI.
“Uploading your biometrics to the cloud. What could possibly go wrong?” says Obdev, the developer of Mac security software Little Snitch, in a post on Mastodon.
Face Palm
Amazon One lets you use your palm to identify yourself, just by hovering your hand over the scanner. Aside from being used to check out in Amazon’s physical stores, and over 500 branches of Amazon-owned Whole Foods, you can use it to enter venues and to identify yourself.
Usually, you will sign up for the service the first time you use it, scanning your hand-print on one of the same devices that will read it in the future. But Amazon’s new app, available from the Apple App Store or Google Play Store, is a triumph of convenience, letting you do the initial scan with your phone’s camera.
How can a photo of your palm be trusted? That’s where AI comes in. Amazon uses machine learning to match the image captured by your phone camera against the near-infrared scan produced by the scanners in its stores, so that the two can be treated as the same palm.
“Amazon One was developed using generative AI to create synthetic palm images, which were critical in training our machine learning models. AI also powers our latest innovation—the ability to match a camera phone photo with near-infrared imagery from an Amazon One device,” said the VP of Amazon Web Services Dilip Kumar in a statement provided to Lifewire via email.
Your actual photo is not uploaded. Instead, the image is combined with a map of the visible vein structure in your palm, and these numbers are crunched to create a unique “vector.” This vector is then uploaded and stored, ready to be compared to a newly generated vector that’s created every time you scan your palm to identify yourself.
Bio(metric)hazard
It might strike you that this seems like a bad idea, and you would be right. The problem is not necessarily the camera tech or even the idea of using your palm to identify yourself. The problem is that you are submitting your biometric data to a third party every time you use your hand to pay for something, to enter a venue, and so on.
To see why, let’s compare this with something like Apple Pay, or Google Pay, where you use a face-scan or a fingerprint to pay in stores. Isn’t this the same thing? It is not.
With Touch ID, for example, you scan your fingerprint into your phone and only ever use it to identify yourself to your own phone. The fingerprint image is not stored—like Amazon One’s scan, only a mathematical representation of your fingerprint is kept. But even if it were, it would be locked away in your phone’s Secure Enclave, an impregnable annex separated from the rest of your iPhone’s computer brain. It would not be stored in the cloud. It never leaves the phone.
When you use your iPhone to pay for something, your fingerprint is only scanned by your phone so the phone can authenticate you. Any further transactions are done the old-fashioned way. In this case, your phone provides a credit card number to the merchant’s credit card machine or web store. You only ever use your biometrics to authenticate yourself to your iPhone.
Amazon One, instead, requires that you submit your biometrics to authenticate yourself every single time. And this is in addition to storing the vector of those biometrics in its cloud.
This seems like a small distinction, but it’s huge. If the payment credential on your iPhone is compromised, all you need to do is switch to a new credit card number. If something goes wrong with a system like Amazon One’s direct palm scan, your only option is to change your palm print. Once your data is out there, it’s out there.
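To make the contrast concrete, here is an added toy model of the two designs the article compares: a cloud service that stores a palm “vector” and receives a fresh one on every use, versus a Touch ID–style device that keeps the template local and hands the merchant only a replaceable card credential. This is illustrative code written for this page, not Amazon’s, Apple’s, or Lifewire’s; the six-number palm vectors, the cosine-similarity matching, the 0.95 threshold and the class names are all constructed assumptions.

```python
import math
import secrets


def cosine_similarity(a, b):
    """Similarity in [-1, 1] between two equal-length vectors; 1.0 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b)


# Constructed stand-ins for the "vector" derived from a palm image plus vein map.
# Real templates are far larger; six numbers are enough to show the mechanics.
ENROLLED_PALM = [0.9, 0.1, -0.4, 0.7, 0.3, -0.8]
STRANGERS_PALM = [-0.2, 0.8, 0.5, -0.1, -0.6, 0.3]


def rescan(template, jitter=0.05):
    """Simulate a fresh scan of the same palm: same vector plus small, deterministic sensor noise."""
    return [v + jitter * (1 if i % 2 == 0 else -1) for i, v in enumerate(template)]


class CloudBiometricService:
    """Direct biometric authentication (the Amazon One pattern the article describes):
    the template lives on the server and a fresh vector is submitted on every use."""

    def __init__(self, threshold=0.95):
        self.threshold = threshold
        self.templates = {}  # user -> long-lived biometric template

    def enroll(self, user, vector):
        self.templates[user] = list(vector)

    def authenticate(self, user, probe):
        return cosine_similarity(self.templates[user], probe) >= self.threshold

    def revoke_credential(self, user):
        # There is nothing to reissue: the credential *is* the user's palm.
        raise NotImplementedError("a biometric template cannot be rotated like a card number")


class CardIssuer:
    """Minimal issuer: tracks which card credentials are currently valid and can replace them."""

    def __init__(self):
        self.active = set()

    def issue(self):
        token = secrets.token_hex(8)
        self.active.add(token)
        return token

    def replace(self, old_token):
        self.active.discard(old_token)
        return self.issue()

    def charge(self, token):
        return token in self.active


class LocalBiometricDevice:
    """Touch ID style: the template never leaves the device; the merchant only ever
    receives a card credential, which the issuer can replace if it leaks."""

    def __init__(self, issuer, template, threshold=0.95):
        self._template = list(template)  # kept on-device only; never returned
        self._issuer = issuer
        self._card_token = issuer.issue()
        self.threshold = threshold

    def _unlock(self, probe):
        return cosine_similarity(self._template, probe) >= self.threshold

    def pay(self, probe):
        """Biometric check is local; only the card credential goes to the merchant."""
        return self._card_token if self._unlock(probe) else None

    def rotate_card(self):
        self._card_token = self._issuer.replace(self._card_token)
        return self._card_token


def compare_breach_outcomes():
    """Leak the stored secret in each design and report whether the user can recover."""
    cloud = CloudBiometricService()
    cloud.enroll("alice", ENROLLED_PALM)
    stolen_template = cloud.templates["alice"]  # the template database is exposed
    try:
        cloud.revoke_credential("alice")
        cloud_recoverable = True
    except NotImplementedError:
        cloud_recoverable = False
    cloud_still_accepts_stolen = cloud.authenticate("alice", stolen_template)

    issuer = CardIssuer()
    phone = LocalBiometricDevice(issuer, ENROLLED_PALM)
    stolen_token = phone.pay(rescan(ENROLLED_PALM))  # the card credential leaks merchant-side
    phone.rotate_card()                               # issuer replaces the number
    token_still_charges = issuer.charge(stolen_token)

    return {
        "cloud_recoverable": cloud_recoverable,
        "cloud_still_accepts_stolen": cloud_still_accepts_stolen,
        "local_recoverable": not token_still_charges,
        "genuine_rescan_matches": cloud.authenticate("alice", rescan(ENROLLED_PALM)),
        "stranger_matches": cloud.authenticate("alice", STRANGERS_PALM),
    }


if __name__ == "__main__":
    for name, value in compare_breach_outcomes().items():
        print(f"{name}: {value}")
```

The matching step is the same in both designs; what differs is which secret sits on a server and what happens after it leaks. In the cloud design the leaked template keeps authenticating forever because there is no `revoke_credential` that can succeed, while in the local design the leaked card credential stops charging the moment the issuer replaces it.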
And even if your biometrics remain safe in the cloud forever, it only takes one rogue in-store scanner to steal your actual palm print. By normalizing the scanning of your palm into public devices, Amazon One could actually make this more likely.
In the game of convenience vs security, then, this move looks like it might have gone one step too far. If you want to use Amazon One, you might like to do a little research first. Or just stick to options that are, frankly, hardly less convenient, like looking at or touching your phone to pay for something.
Amazon One Now Lets You Scan Your Palm With Your Phone