CISO Update #42
Amazon One

Amazon recently launched a new product, called Amazon One, that claims to simplify the everyday shopping experience by putting your payment method quite literally in the palm of your hand. Walk into any one of several Amazon four-star locations around the country to set up this service—all you need is your hand, a mobile number, and a credit card—and you’re all set to start paying for things with your palm print (currently limited to Amazon stores).

Biometric authentication (fingerprints, eye scans, facial recognition, and palm scanning) has been used for decades to credential users and grant them access to systems and locations. Most current smartphones, and the apps installed on them, can use a face or fingerprint scan instead of a passcode. So why is Amazon One raising security and privacy concerns?

  1. Face ID data is processed and stored on the phone itself and is never uploaded to the cloud; Amazon One uploads your palm data to Amazon's cloud, where it is stored.

  2. Biometric authentication is usually just one factor in a multi-factor authentication process. To count as two-factor authentication (2FA), a login must require two factors drawn from two different categories:

    1. Something you have (ex: keys, fob, ID card) 

    2. Something you are (ex: face ID, palm print, fingerprint)

    3. Something you know (ex: passcode, pin, mother’s maiden name)

So, to unlock the data on your phone, you need your finger or your face (something you are) AND the phone itself (something you have).
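The "two different categories" rule is easy to get wrong in practice: a password plus a security question is two checks but only one factor. The following Python script is an added example, not code from this newsletter, from FIT, or from Amazon. It implements a small login check that verifies each presented factor and then accepts only when the factors that passed span at least two of the three categories above. The "something you have" factor is a time-based one-time code (TOTP, RFC 6238), the scheme that authenticator apps such as Google Authenticator implement, seeded here with the RFC's published test secret so its output can be checked against the RFC's vectors. The password, security answer, palm template, and salt are constructed values, and the palm verifier is only a placeholder for a real biometric matcher.

```python
import hashlib
import hmac
import struct
from enum import Enum
from typing import Callable, Dict, Tuple

# --- Constructed credentials for one hypothetical user (not real secrets) ---
# The TOTP seed is the RFC 6238 reference test secret so the codes below can be
# checked against the RFC's published vectors; a real deployment issues a
# random per-user seed when the authenticator app is enrolled.
TOTP_SECRET = b"12345678901234567890"
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse battery staple", PASSWORD_SALT, 100_000)
SECURITY_ANSWER_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"smith", PASSWORD_SALT, 100_000)
PALM_TEMPLATE = b"constructed-palm-template-token"


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_password(presented: str, now: int) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def verify_security_answer(presented: str, now: int) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented.strip().lower().encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, SECURITY_ANSWER_HASH)


def verify_totp(presented: str, now: int, step: int = 30) -> bool:
    # Accept the current 30-second step and one step either side to absorb
    # clock drift between the server and the authenticator app.
    base = now // step
    for counter in (base - 1, base, base + 1):
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(TOTP_SECRET, counter).encode(), presented.encode()):
            return True
    return False


def verify_palm(presented: str, now: int) -> bool:
    # Placeholder for a biometric matcher. Real palm matching scores a live
    # scan against a stored template with a threshold; it is never an exact
    # comparison, which is also why a template cannot be hashed like a password.
    return hmac.compare_digest(presented.encode(), PALM_TEMPLATE)


# Each enrolled factor maps to the category it belongs to and its verifier.
FACTORS: Dict[str, Tuple[Category, Callable[[str, int], bool]]] = {
    "password": (Category.KNOW, verify_password),
    "security_question": (Category.KNOW, verify_security_answer),
    "totp": (Category.HAVE, verify_totp),
    "palm": (Category.ARE, verify_palm),
}


def authenticate(presented: Dict[str, str], now: int) -> Tuple[bool, str]:
    """Accept only when every presented factor verifies AND the factors that
    passed span at least two different categories."""
    passed = set()
    for name, value in presented.items():
        if name not in FACTORS:
            return False, f"unknown factor {name!r}"
        category, verifier = FACTORS[name]
        if not verifier(value, now):
            return False, f"{name} failed verification"
        passed.add(category)
    if len(passed) < 2:
        have = ", ".join(sorted(c.value for c in passed)) or "nothing"
        return False, f"need two different factor categories, got only: {have}"
    return True, "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 vector time; the 6-digit code at this instant is 287082
    print(authenticate({"palm": "constructed-palm-template-token"}, t))
    print(authenticate({"password": "correct horse battery staple",
                        "security_question": "Smith"}, t))
    print(authenticate({"password": "correct horse battery staple",
                        "totp": totp(TOTP_SECRET, t)}, t))
```

Run as written, the first call is rejected because a palm print alone is one category, the second is rejected because a password and a security question are both "something you know", and only the third (password plus authenticator code) is accepted. The one-step drift window in `verify_totp` is the usual trade-off between tolerating clock skew and widening the guess window; widen it further and a six-digit code becomes easier to brute-force.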

What do security experts have to say about this service?
Vir Phoha, professor of electrical engineering and computer science at Syracuse University, expressed concerns, stating: “Privacy and security will be an issue because there is a lot of overlap in the structure of hands of different people, so this biometric is easy to spoof—identity theft may be a bigger problem as compared to a face biometric—it will be relatively easy to spoof or claim the identity of an individual. It can be a concern if the palm biometric is linked to credit cards and the information is stored on the cloud. And the cloud is under the control of Amazon.” Read more of this interview here.

Amazon is departing from a security practice that has held for decades: biometric data is used only as one of two (or more) authentication factors, never on its own. Amazon One may offer an easier and more convenient way to pay, but will it also give attackers an easier way to steal your identity? That balance between convenience and security will be debated for years to come.

What can you do?
Two-factor authentication remains one of the best ways to protect your identity and keep your information safe. Enable two-factor authentication on all your important accounts. At FIT you can enable 2FA for Google (Google refers to it as “two-step verification”) by following these instructions. If a service or online account doesn’t offer a way of turning on 2FA, you may want to reconsider using it.

Guest Post by Patricia Krakow, IT Security Systems Specialist

About Cybersafe
The Division of Information Technology is dedicated to informing the community of the latest cybersecurity threats. Visit and stay tuned for emails from for the latest from the Cybersafe campaign at FIT. Read past issues here.