AWS brings Amazon One palm-scanning authentication to the enterprise

Amazon’s cloud computing subsidiary AWS (Amazon Web Services) has lifted the lid on a new palm-scanning identity service that allows companies to authenticate people when entering physical premises.

The announcement comes as part of AWS’s annual re:Invent conference, which is running in Las Vegas for the duration of this week.

Amazon One Enterprise, as the new service is called, builds on the company’s existing Amazon One offering, which it debuted back in 2020 to enable biometric payments in Amazon’s own surveillance-powered cashierless stores. Visitors to Amazon Go stores can associate their payment card with their palm-print, allowing them to enter the store and complete their transaction by hovering their hand over a scanner.

While the technology has raised concerns over how Amazon manages and processes biometric data, in the intervening years the company has doubled down on the technology, offering cash incentives to entice customers to enroll their palm-prints, expanding the service to all of its Whole Foods stores in the U.S., and forging partnerships with third-party retailers.

Amazon One Enterprise seems a natural extension for this technology, given Amazon’s role in the enterprise software stack and dominance in the cloud infrastructure market. Despite the remote work revolution, companies still want their workers in the office, at least some of the time. And with Amazon One Enterprise, they can deploy contactless authentication devices wherever people flow, be that office foyers, universities or airports — and everywhere in between.

Moreover, Amazon says the technology can also be used to control access to certain restricted software, perhaps where financial or HR data resides. This effectively positions Amazon One Enterprise as a potential replacement for multiple forms of identification, such as badges and fobs that are typically used to access buildings, and passwords and PINs used to access software.

Companies wanting to install Amazon One Enterprise have the choice of two scanning devices — a standalone contraption that they can embed wherever they need it such as a doorway or barrier, and one that comes mounted on a pedestal that can be placed anywhere. From there, workers will have to enroll in Amazon One Enterprise using their physical badge before associating their palm-print with their profile. Or, if the normal authentication method is a password or PIN, as is more likely to be the case with software, they can also associate their palm-print with such credentials during the enrolment phase.

Distinct

While Amazon’s new enterprise palm-scanning service is clearly based on the same technology and infrastructure as its consumer offering, the company is keen to stress that it’s distinct from the system that people use to authenticate themselves at retail stores. Enterprise-grade data privacy, and all that.

“You will not be able to use your palm to pay at a Whole Foods Market or other Amazon One-enabled locations even if you enroll at an enterprise,” the company notes in a FAQ. “This is because, with Amazon One Enterprise, we offer a private collection of palm signatures for each enterprise resulting in strong data isolation and security.”

The company says that it stores users’ palm-print and badge ID on AWS Cloud, though they can delete their biometric data through an Amazon One enrollment device similar to the one they originally used to sign up. Amazon also says that it will automatically delete users’ data if they don’t interact with an Amazon One Enterprise device for two years.

Amazon One Enterprise is available in preview for U.S. customers now.