My friend got home a new gadget. So gracious to play with - Alexa. All the kids were so enthused and started heckling Alexa. "Alexa, play this song for me, Alexa, tell me why is the sky blue, Alexa, can you ask my dad to shut up, Alexa - can you ask my mom to cook something very special today, Alexa, please ask my bro to speak to me properly...". Now this is a household name and pass time.
Lets get to business
As software engineers; folks in my organisation started brainstorming on how this could be a business opportunity, how could this help customers? We came up with a scenario of a bank customer interacting with Alexa. To our great surprise, even our existing customers had this scenario as the first thought for Alexa. It feels great to have read customers minds.
What are your thoughts
I am sure, a lot of ideas crossed your minds by now. You are probably wanting to try some business scenarios with Alexa. If you are, then this blog is exactly for you, if you provide an extra level of security to your Alexa application. Yeah, i agree with you. Security is the most important part if we are building a highly personalised application. Who knows, Alexa might speak out some sensitive information of the user. Consider scenarios, involving payments or booking a taxi. Obviously, a scenario which is just for entertainment purpose or doesn’t deal with user's sensitive data, might not require an extra level of security.
Here's what we did
Well, we were trying to build an Alexa app which deals with user’s crucial data. And we wanted to make sure that the person conversing with Alexa is authentic. The "account linking" feature provided by Alexa came handy to us. The user before interacting with the Alexa, must complete the account linking process. However, this had an issue. Once the account linking is completed, anybody can access the user’s device and request commands. So, the account linking wasn't enough. In order to provide an extra layer of security, we were tempted to use interaction based authentication. In this blog, we will show how you can achieve interaction based authentication and make your Alexa device more secure.
Interaction based authentication
Interaction based authentication means authenticating the user in between the flow or conversation.
Let us consider a scenario that requires account linking. Your system displays the login page, grants an access token to Alexa to complete the account linking process. Now, the user is allowed to interact with your system and get some common tasks done.
Imagine the user requests a command which requires additional security to verify the user’s identity. For example, ‘Transfer three hundred rupees to my sister’, ‘what is my current balance’, etc. Here, your system won’t process the request directly, instead, it will send a one-time verification code to the user’s email address linked to the user account. The one-time code can also be sent to the user’s mobile phone number, if your system has this information.
The user will receive the code either via email or SMS and communicate the same to Alexa; which then forwards it to your system. Your system verifies the code and processes the request only if the code is valid. This makes sure that only the authorised user invokes the crucial commands.
This method just leverages the existing mechanism for multifactor authentication in businesses like banks. It even eliminates use of recorded voice, acts much like captcha in voice form. It is simple to implement, simple to test.
Conclusion and advice
Hope you liked this simple and practical method. And yes, you will have better ways to achieve authentication and authorization for your business application. Feel free to share your ideas or questions.