How to Secure Alexa Account Linking

By Yashica Gupta Jan 9, 2019

With the ongoing increase in human-device interaction, Alexa devices have found a strong place in the market. Echo devices are now placed in home and offices to control the lights, check news, get the status of a task etc with just voice command. Every user now has their private (virtual) assistant to make their life easier.

But an important part of the chain is the Alexa skill developers. His aim is to build a skill which can reduce the manual work of the user and make user’s life convenient. Though developing Alexa skill is not difficult but there are many challenges that developers face while building a skill. Especially when it requires another software/app.
Currently, an Alexa skill which requires another software/app needs an account linking feature to be enabled.
or example: to enable and use Uber Alexa skill, the user needs to link his Uber account with Alexa. Once the user links his account, Uber software sends an access token to Alexa skill as a unique key for the user and hence the account linking is complete. Next time the user invokes Uber Alexa skill, the request sends the access token to Uber software and fetches the information.

We faced the same blocker while developing an Alexa account linking skill closely integrated with Jira software. The Alexa skill is built primarily for Scrum Masters to read and write to their Jira and help them stay up-to-date with their projects.

The most challenging part of developing this skill was to allow account linking because Jira software needs both server-client authentication, i.e., to link an account every user has to manually add our Alexa skill as an authorized client in their Jira dashboard and then provide us with the access token.

The solution implemented to reduce the inconvenience was to create a custom HTML page ( hosted on S3)  for account linking. The user just needs to add his credentials - username, password and the Jira server URL, and the account will be linked successfully.

As of now, we were not using Jira directly to authenticate users via account linking but rather as a message carrier between Alexa and Jira. This makes the account linking process easy for users but possesses a high-security risk to their credentials.

To make the process secure, the following architecture was implemented in our skill. One of the key components of the architecture is that it is built completely on AWS services, namely :

  1. API Gateway

  2. S3 bucket

  3. Lambda

  4. DynamoDB 

alexa account linking

Explanation :

When a user enables the Alexa skill, he is redirected to our HTML page hostel on S3 bucket. Once the user fills his credentials and clicks on the submit button, it sends a GET request to an endpoint deployed on AWS API Gateway with query parameters.

The API Gateway then invokes a connected Lambda function and send query parameters as an event.

alexa account linking

 Using the parameters in the event sent to Lambda, it sends a GET request to Jira REST API to validate and authenticate the user. In case the user credentials are incorrect, it sends an error message or a success message with an access token created by the Lambda. In case of successful validation, the Lambda also stores the encoded user credentials in DynamoDB table with access token as the key.

def lambda_handler(event, context):
               print (event)
               username = event["username"]        
               password = event["password"]        
               server = event["server"]        
               skill = event["skill"]        
               table_name = ""        
               if skill == "skill_name":            
                    table_name = “Table_name”                

              a = validity(password,username,server)        
              b = event       

              js = {}        
              for k,v in event.items():                    
                     a = {               
                          "S" : v           
                     js[k] = a                    

              js["password"] = {            
                    "B" : encrypt(session,event["password"], "alias/alias_name")        
             accesstoken =
''.join(random.SystemRandom().choice(string.ascii_uppercase +
string.digits) for _ in range(10))        
            js["accesstoken"] = {"S" : accesstoken}                                

            item = js        
            dynamodb_client.put_item(TableName=table_name, Item=item)        
            return a

The javascript then displays “Invalid Credential” error message if an incorrect error message is received. In case of success message, the javascript then sends the access token to Alexa redirect URL and thus successfully links the account.

 alexa account linking

 The access token is the main component as it is used to identify the user.

When the user invokes our skill, Alexa sends a JSON request to Lambda function with a key carrying the access token. The lambda then queries the DynamoDB table with the access token to identify the user and fetch his credentials. Once the credentials are fetched, the lambda then sends a request to Jira REST API and based on the users intent and returns back the message to Alexa as a JSON.

The Alexa then voices the message to the user and enables the user to now use his Jira with just his voice!

Let’s start our conversation

  • Business Inquiry
  • Career
  • Others

Business Inquiry