Amazon's Palm Payments Are Convenient, But Are They Safe?

You can replace a stolen credit card, but you can’t replace your fingerprint

  • Amazon will bring palm payments to Whole Foods stores across California.
  • Palm scanning is barely more convenient than tapping a credit card.
  • Biometrics are hard to fake but can never be replaced.

Someone using the Palm Payment option at a Whole Foods store.


Paying for your groceries just by scanning your palm on the way out sounds pretty convenient, right? But what if your palm print gets stolen?

Amazon is adding its Amazon One palm payments to more than 65 of its Whole Foods stores across California. To pay, you just need to hover your palm over the reader, and you're done. It's supposed to be convenient, but the downsides may outweigh the advantages—especially as it's not really all that convenient. 

"A palm print adds convenience to the payment because it is unique to you, it is (hopefully) unlikely to be lost or stolen, and you have it with you at all times," financial tech expert and advisor David Shipper told Lifewire via email. "So it scores very high from a convenience standpoint. However, there is always a risk to handing over personal biometric information to a third party. From a risk standpoint, storing that information encrypted on a personal device is likely more secure."

Convenience Isn't Everything

To use Amazon One, you must first associate your palm print with your credit card and provide your phone number. Then, you just scan your palm instead of your credit card to pay at checkout. 

Amazon bills this as extra convenient, but it really isn't. Paying with a credit card is as easy as tapping or waving it over a contactless reader, and it's even easier if you use Apple Pay and your Apple Watch. It's almost the same as waving your palm, with one added double-click beforehand. 

A closeup of someone's hand over the Amazon Palm Scanner.


None of this would matter if it weren't for the problems with using biometrics as authentication. It sounds good at first. Amazon makes the case on its Amazon One page: "Your palm is a unique part of you. It doesn't go anywhere you don't and can't be used by anyone but you."

It is possible to do all this without storing your palm print. Instead, when it's first scanned, the system converts the scan cryptographically into a hash or a code that cannot be reversed to recreate your palm print. When you pay, the scanning machine does the same thing again. It scans, creates a hash, and compares the hash to the one it has on file. If they match, you can pay. 
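The enroll-then-compare flow described above, as an added Python example that is not from the article and is not Amazon's implementation. It assumes a palm reading has already been reduced to a short list of numeric measurements (the sample readings are constructed), snaps them to bins of an assumed width so that two scans of the same palm can hash identically, and uses PBKDF2-SHA256 as the one-way function.

```python
import hashlib
import hmac
import os

STEP = 0.25  # assumed bin width used to absorb small sensor noise

# Constructed sample readings (hypothetical palm measurements, not real data).
ENROLL_SCAN = [1.02, 3.51, 0.26, 2.24]
SAME_PALM_RESCAN = [0.98, 3.47, 0.29, 2.28]   # small sensor noise
DRIFTED_RESCAN = [1.15, 3.51, 0.26, 2.24]     # one value crosses a bin edge
OTHER_PALM = [1.60, 2.10, 0.90, 3.05]


def encode(features, step):
    """Serialize a reading; with a step, snap each value to its nearest bin."""
    if step is None:
        return repr(features).encode()
    return ",".join(str(round(x / step)) for x in features).encode()


def enroll(features, step=STEP):
    """Return the stored record: salt, digest and step, never the reading."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode(features, step), salt, 100_000)
    return {"salt": salt, "digest": digest, "step": step}


def verify(record, features):
    """Re-derive the digest from a fresh reading and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", encode(features, record["step"]), record["salt"], 100_000
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    record = enroll(ENROLL_SCAN)
    print("same palm, small noise:", verify(record, SAME_PALM_RESCAN))
    print("same palm, drifted    :", verify(record, DRIFTED_RESCAN))
    print("different palm        :", verify(record, OTHER_PALM))
    # Hashing the raw reading (no binning) rejects even the genuine rescan.
    raw_record = enroll(ENROLL_SCAN, None)
    print("raw hash, same palm   :", verify(raw_record, SAME_PALM_RESCAN))
```

The drifted rescan is rejected even though it comes from the same palm, which shows how brittle exact hash comparison is for noisy biometric readings. The stored record holds only the salt, digest and bin width, so a leaked record does not contain the reading itself.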

Biometric Dangers

But there are multiple problems that accompany using and storing biometrics. One is that sometimes they can be stolen. In 2015, the US Office of Personnel Management was hacked, and the hackers stole the personnel data records of 20 million US government employees, including fingerprint files for 5.6 million.

And there’s nothing anyone can do about that. If your credit card is stolen, you can change the number, but none of those 5.6 million people can change their fingerprints.

And it works the other way too. “Passwords can be backed up, but if you alter your thumbprint in an accident, you’re stuck,” writes security expert Bruce Schneier on his blog.

Someone using their thumbprint on a biometric scanner, as seen from inside the scanner.

Kittiporn Kumpang / Getty Images

However, it’s not all bad news for biometrics. Apple’s Face ID and Touch ID take a different approach. They store your face scan or fingerprint details in a 'Secure Enclave'—a separate hardware vault that is not accessible from the rest of the phone. When the phone scans your face, it asks the Secure Enclave if the scan matches, and the answer is either 'Yes' or 'No'. Even if an attacker has access to your phone, they cannot extract a fingerprint or face scan. 

Once the authentication is done on the device, the phone makes a regular credit card payment. It’s much safer and just as convenient. 

And who knows where your data will end up, even if it isn’t stolen?

“As we’ve seen with the online behavioral advertising and the data broker industries, every bit of data about us that is surrendered to tech companies—online or in real life—is shopped around for the convenience and profits of the companies,” Sharon Polsky, president of the Privacy and Access Council of Canada, told Lifewire via email. “And the proliferation of unregulated digital and surveillance systems, and the shifting public policy to collect data ‘for good’, it’s not unlikely that the biometrics we use to purchase groceries will soon be able to be used against us.”

If there’s one thing we’ve learned from the internet, it’s that companies cannot be trusted not to exploit these valuable troves of data. So, think very carefully before giving up your biometrics, because you may never be able to get them back.
