UPDATED 12:45 EST / NOVEMBER 28 2023

SECURITY

Amazon expands its palm-reading One services for enterprise identity management

Amazon Web Services Inc. Monday announced an expansion of its palm-reading technology called One for enterprise identity management purposes.

The service, announced at the AWS re:Invent conference in Las Vegas, is now available for preview in the U.S. only. The enterprise version is based on the existing One technology that has been deployed in hundreds of retail stores across the country, including its Whole Foods and other groceries, as well as in airport and ballpark convenience stores. Let’s refer to this as One for consumers to distinguish the two, because there are significant differences.

Amazon’s One is just one part of a series of tools meant to make access and authentication easier and more secure. Those same retailers have deployed what Amazon calls Just Walk Out technology, which installs dozens of video cameras that watch customers as they roam the aisles and shop.

There is also Amazon’s Go contactless payment app for smartphones, which works like the Google and Apple payment apps and is used to enable the walk-out method. A post from three years ago about one reporter’s shopping experience at Newark Airport is worth reviewing and shows the extent of the video surveillance.

The One press announcement also mentioned several early customers using the service, including Amazon itself, which uses it for controlled access to its own data centers. Kone, an elevator and escalator vendor, is using it for controlled access in smarter buildings, where elevators don’t stop on every floor. Boon Edam, which literally makes doors, is also using it for controlled access, and Paznic is using the technology for access to bank safe deposit boxes.

The One Enterprise system has several component technologies that work in concert:

  • A palm reader device, shown above, which looks like the type of scanner used to read a passenger’s boarding pass at airport gates. But instead of looking at a QR code, it reads one’s palm as it is scanned. This is the same device that has been installed in hundreds of retail locations, but there are caveats.
  • An in-place identity standard used by the enterprise. Currently, it supports enrollment only with employer-provided RFID badges.
  • An AWS special-purpose database that associates each palm scan and each ID with a unique identifier linking the two elements. When a user scans their palm, this identifier is what completes the access control transaction.
  • Some physical barrier used to control entry and egress, such as the entrance to a data center or building. An alternative is controlled access to various digital resources, subject to some limitations.
  • Extensions to an identity management service to handle access controls and connect the palm data abstractions with the controlled resource, using the Open Supervised Device Protocol. This is an industry standard that has been adopted by many physical access vendors over the past couple of years.
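To make the data flow in the list above concrete (and the deletion-on-departure point raised later in the article), here is a small Python model added for this piece; it is not Amazon’s code, and the EnterpriseStore class, the opaque linking ids, cosine matching and the 0.98 threshold are all assumptions chosen for illustration:

```python
import math
import secrets

def cosine_similarity(a, b):
    """Similarity of two signature vectors; 1.0 means the same direction."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

class EnterpriseStore:
    """One private datastore per enterprise tenant (hypothetical model).
    Palm signatures are keyed by an opaque id that links them to a badge id."""
    def __init__(self, threshold=0.98):
        self.threshold = threshold       # match threshold is a constructed value
        self.signatures = {}             # opaque id -> palm signature vector
        self.badge_for = {}              # opaque id -> RFID badge id
        self.id_for_badge = {}           # RFID badge id -> opaque id

    def enroll(self, badge_id, signature):
        """Enroll a palm against an existing employer-provided badge only."""
        if badge_id in self.id_for_badge:
            raise ValueError("badge already enrolled")
        opaque_id = secrets.token_hex(8)  # the identifier linking the two elements
        self.signatures[opaque_id] = list(signature)
        self.badge_for[opaque_id] = badge_id
        self.id_for_badge[badge_id] = opaque_id
        return opaque_id

    def authenticate(self, probe):
        """Return the badge id of the best-matching stored signature, or None."""
        best_id, best_score = None, 0.0
        for opaque_id, stored in self.signatures.items():
            score = cosine_similarity(probe, stored)
            if score > best_score:
                best_id, best_score = opaque_id, score
        if best_id is None or best_score < self.threshold:
            return None
        return self.badge_for[best_id]

    def offboard(self, badge_id):
        """Delete the palm signature and its badge link when an employee leaves."""
        opaque_id = self.id_for_badge.pop(badge_id, None)
        if opaque_id is None:
            return False
        del self.signatures[opaque_id]
        del self.badge_for[opaque_id]
        return True

# Constructed sample signatures: two scans of the same palm, and a stranger's palm.
ALICE = [0.12, 0.81, 0.33, 0.45]
ALICE_RESCAN = [0.13, 0.80, 0.34, 0.44]
STRANGER = [0.90, 0.10, 0.05, 0.40]
```

Because each tenant holds its own store, a palm enrolled for the consumer service is unknown to the enterprise store until it is scanned again there, and offboarding removes both the signature and the link.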

Amazon claims its “palm and vein imagery for biometric matching” methods are extremely accurate and don’t encode racial or gender information from the person’s palm. It also claims that “the palm signature is a unique numerical vector created from the user’s palm image that cannot be replicated or used for impersonation.” In addition, this numerical abstraction is further encrypted in a separate private datastore for each enterprise.

That’s all good news, but the implementation comes with several limitations.

First, the palm scanner may be the same device you can see in your local Whole Foods, but the One Enterprise service uses a different data store than the consumer One, so employees who already use the consumer scanners will have to rescan their palms on their employer’s own palm readers for corporate use.

Another difference between the consumer and corporate One service is that the former needs to be associated with an Amazon account, but not the latter. The Amazon account requirement has been an issue for privacy advocates in the past.

Palm scans have become increasingly used by law enforcement: the FBI has collected many millions of them in its database over the past decade. And Apple and Android phones have used facial and fingerprint scans for many years. The difference is that Apple keeps biometric data on the user’s phone and doesn’t store any of it in the cloud, unlike what Amazon is doing with its palm biometrics.

Tristan Louis, president of SaaS-based software Casebook PBC in New York City, told SiliconANGLE that “ultimately, the palm data all ends up in the same cloud storage, even if they are broken down into separate tenants. I suspect whether they are stored in one instance on Amazon or multiple instances only somewhat mitigates the extent of the damage if a hacker finds their way to break into the data.”

Next, though Amazon imagines a scenario where the palm scans can secure digital accounts, the sheer physical size of the palm scanners will require careful planning about where they are located around a corporate office, and forget about using them with mobile devices.

Amazon wasn’t clear on the various digital processes and services that would ultimately, or even initially, be supported by the One Enterprise system, or on how to develop One-based applications and authentication for general apps. Also announced this week in conjunction with the conference was a series of blog posts on how to better audit and manage identity assignments and other automation routines using its identity services. The preview materials do make an effort to describe how the palm data can be deleted, say when an employee leaves a company. That is a start, to be sure.

Amazon views One as a replacement for key fobs and other multifactor authentication devices, which could happen as the cost and size of the palm scanners drop. But getting down to the size of the average fingerprint scanner, which fits inside a cellphone button, is a long way off. Nonetheless, the hotelier IHG is using it to control employee access to digital resources, but I would imagine that implementing such a system would be difficult in a sprawling corporate campus or a large office complex.

Finally, there is the whole issue of data privacy. Mark Hurst, who consults on product usability and design as Creative Good’s CEO, told SiliconANGLE that “Amazon isn’t satisfied with spying on us online, it wants to surveil our physical bodies. These palm readers are intended to normalize the act of giving up your biometric data anywhere, any time. And what happens if the palm data — like so many other ID systems — gets hacked? Good luck finding a new palm.”

Louis also has privacy concerns. “In a world where our fingerprints, faceprints, and even DNA are stored in corporate databases, the question of whether the public will accept another biometric system is yet to be settled,” he said.

Still, using one’s palm has its advantages. Louis envisions a time when users “won’t even need to have their phones or smartwatches to make payments. They’ll just need their hand, which is not likely to be left behind.” Louis says that “palm vein recognition is widely adopted using the WeChat payment app in Asia and Amazon One is leading the charge to make it a reality in the United States.”

Image: Amazon
