Alexa, Lambda & One Time Passwords – A match made in heaven


Category : Tech Blog

By now, you must have heard of the amazing Amazon Echo devices: smart speaker/microphone devices backed by the Alexa voice service.

Now, the cool thing is that you can build your own skills quite easily. Register as a developer and start building your custom skill so your Echo reacts to things like “what’s up for dinner?” or maybe something more useful. Your custom skill does require some programming, but where do you host it? Sounds event-driven… And yes, your custom skill can be implemented as a Lambda function running on AWS: reliable, scalable and only consuming resources when actually invoked.

So what shall we build? Since we are well into AWS anyway, we’ve chosen to build a skill that can interact with AWS itself:

You                      Alexa responds
Alexa, open easytocloud  <welcome tune>Welcome
List instances           You have the following instances..
Describe kinesis shards  You have a four shard Kinesis stream in Ireland

Now, we would like to be able to actually modify resources as well. This, however, would be rather unsafe: anyone in the same room as the Alexa Echo could now stop and start our EC2 instances (e.g. ‘splunk’). We need authentication:

You                      Alexa responds
Start splunk             You need to authenticate

Speaking the password out loud would not make sense:

You                     
Authenticate secret123

Luckily, AWS is a very secure place and its IAM users can be authenticated by both a password and a one-time token: multi-factor authentication, or MFA. We are already using Gemalto hardware MFA tokens for secure access to AWS.

You can validate a token from your Lambda skill by using the AWS SDK to call the AWS STS service and request a ‘session token’. Don’t worry; we are not really interested in this ‘session token’, but it is a neat trick to leverage the existing AWS MFA integration for your own use 🙂

So now we have (supposing the OTP device is displaying 123456):

You                      Alexa responds
Start splunk             You need to authenticate
Authenticate 123456      Access granted
Start splunk             I have started splunk
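The STS trick described above, as an added example in Python (boto3) that is not the original post’s code. It assumes an intent named `AuthenticateIntent` with a slot `code`, the MFA device ARN in an environment variable `MFA_SERIAL`, and that the STS client is created with the IAM user’s own access keys: GetSessionToken with an MFA code must be called as the IAM user that owns the device, not with the Lambda execution role’s temporary credentials.

```python
"""Verify an Alexa-spoken MFA code by asking STS for a throwaway session token."""
import re

TOKEN_RE = re.compile(r"^[0-9]{6}$")  # hardware and virtual MFA codes are six digits


def verify_mfa_token(sts_client, serial_number, token_code):
    """Return True if STS accepts the code for the given MFA device, False if rejected.

    The session token STS hands back is discarded on purpose: the call only
    exists so that AWS checks the one-time code against the registered device.
    Anything other than an explicit AccessDenied is re-raised, so a network or
    configuration problem is never mistaken for a wrong code.
    """
    if not TOKEN_RE.match(token_code or ""):
        return False  # malformed input: reject before making a network call
    try:
        sts_client.get_session_token(
            SerialNumber=serial_number,
            TokenCode=token_code,
            DurationSeconds=900,  # the minimum; the credentials are never used
        )
        return True
    except Exception as exc:  # botocore.exceptions.ClientError in practice
        error = (getattr(exc, "response", None) or {}).get("Error", {})
        if error.get("Code") == "AccessDenied":
            return False
        raise


def lambda_handler(event, context):
    """Alexa skill entry point (simplified). Intent, slot and variable names are
    assumptions for this example, not names from the original post."""
    import os
    import boto3  # present in the Lambda Python runtime

    # Assumption: MFA_USER_KEY / MFA_USER_SECRET hold the IAM user's long-term keys.
    sts = boto3.client(
        "sts",
        aws_access_key_id=os.environ["MFA_USER_KEY"],
        aws_secret_access_key=os.environ["MFA_USER_SECRET"],
    )
    code = event["request"]["intent"]["slots"]["code"]["value"]
    ok = verify_mfa_token(sts, os.environ["MFA_SERIAL"], code)
    return {
        "version": "1.0",
        "sessionAttributes": {"authenticated": ok},
        "response": {
            "outputSpeech": {"type": "PlainText",
                             "text": "Access granted" if ok else "Authentication failed"},
            "shouldEndSession": False,
        },
    }
```

Store the `authenticated` flag in the session attributes and have every mutating intent (such as “start splunk”) check it before touching EC2.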

Done already? Not just yet… If you don’t have an MFA device you can use a virtual MFA application on your phone instead. But AWS can offer something cooler. Remember the AWS notification service SNS: it can send messages to a variety of destinations (email, web server, SQS) and it also supports text messaging (SMS). And that’s what we are going to use. By saying ‘text’ we ask the skill to send a one-time password to our phone. Then we use that code to authenticate:

You                      Alexa responds
Authenticate text        I've sent the code to your phone

Almost instantly, your phone shows you how to proceed:


You follow instructions and gain access:

You                      Alexa responds
Authenticate 5143        Access granted
Start splunk             I have started splunk

In reality, there is much more to the solution than explained in the previous steps. To name a few parts:

  • DynamoDB to store user profiles (including phone numbers)
  • API Gateway with a second Lambda function for a re-usable implementation of the MFA-authentication service
  • Logging to CloudWatch Logs

Feel free to contact us by email for more detailed instructions.