Security Testing for Connected Vehicles
Skill requirements for users to unlock or disarm connected vehicles
If your skill lets the user unlock or disarm their connected vehicle, you must require them to use their Alexa profile PIN or one-time password (OTP). The Alexa profile PIN or OTP requires voice ID setup on the Alexa app. For OTP, the user also must set up a mobile phone number. For details, see Alexa user identification. Use authentication confidence levels to help you understand the different levels of confidence Alexa can obtain in the identity of a user.
As an alternative, you can allow the user to unlock or disarm their connected vehicle by first requiring them to set up an OEM-managed PIN with at least four digits. For implementation details, see Alexa.AuthorizationController Interface.
If your skill allows the user to unlock or disarm their vehicle remotely, you must secure the action with an authentication confidence level of `400 or higher` or an OEM-managed PIN to correspond with that action. For all other skill interactions, you can decide the level of user authentication.
After the user has established an OEM-managed PIN, you can provide an opt-out option on your app. For users who don't set up an OEM-managed PIN or voice ID, you can also provide the user with reduced functionality of your skill. For users who opt out of the voice ID prerequisites, you must remind them to enable the prerequisites or have them exit the skill in a controlled manner.
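The gate these requirements describe, as an added example that is not part of the original page or Amazon's code. The intent names, function names and the `oem_pin_set`/`oem_pin_verified` flags are hypothetical, the location of the confidence level in the request envelope is an assumption, and PIN verification itself is assumed to happen elsewhere in the skill.

```python
from enum import Enum

# Hypothetical intent names; substitute those from your interaction model.
PROTECTED_INTENTS = {"UnlockVehicleIntent", "DisarmVehicleIntent"}
MIN_CONFIDENCE = 400  # threshold this page requires for unlock/disarm


class Decision(Enum):
    ALLOW = "allow"
    PROMPT_OEM_PIN = "prompt_oem_pin"
    DENY_GUIDE_SETUP = "deny_guide_setup"


def confidence_level(envelope):
    """Return the confidence level, or 0 if absent or malformed (fail closed).

    Assumed location: context.System.person.authenticationConfidenceLevel.level
    """
    node = envelope
    for key in ("context", "System", "person",
                "authenticationConfidenceLevel", "level"):
        if not isinstance(node, dict):
            return 0
        node = node.get(key)
    if isinstance(node, bool) or not isinstance(node, int):
        return 0
    return node


def authorize(envelope, oem_pin_set=False, oem_pin_verified=False):
    """Gate unlock/disarm on confidence level >= 400 or a verified OEM PIN."""
    intent = envelope.get("request", {}).get("intent", {}).get("name")
    if intent not in PROTECTED_INTENTS:
        return Decision.ALLOW  # other interactions: the skill sets its own policy
    if confidence_level(envelope) >= MIN_CONFIDENCE:
        return Decision.ALLOW
    if oem_pin_set:
        return Decision.ALLOW if oem_pin_verified else Decision.PROMPT_OEM_PIN
    return Decision.DENY_GUIDE_SETUP  # tell the user to set up voice ID or a PIN


def sample_envelope(intent, level=None):
    """Constructed request for testing; level=None models a user with no voice ID."""
    system = {} if level is None else {
        "person": {"authenticationConfidenceLevel": {"level": level}}}
    return {"context": {"System": system},
            "request": {"type": "IntentRequest", "intent": {"name": intent}}}
```

A missing or malformed level is treated as 0, so a request from a user with no voice ID falls through to the OEM-managed PIN path or is refused.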
Testing your skill for Alexa voice ID implementation
Complete the voice ID tests listed in the following table.
| Test | Description | Expected result |
|---|---|---|
| 1 | Test the behavior of your skill when a user new to the Amazon household interacts with the skill. If you don't have a new user, you can delete a user's voice ID, and then proceed to have that user interact with the skill. | The requests to unlock or disarm the connected vehicles aren't run. Instruct the user to set up a voice ID in the Alexa app to use these features. |
| 2 | Test the behavior of your skill when the user has created a voice ID and met the mandatory prerequisites on the Alexa app. An example of a mandatory prerequisite would be creating a personal profile PIN. When the user interacts with the skill, invoke all intents that let that user unlock or disarm a connected vehicle. | The requests to unlock or disarm the connected vehicles are accepted when Alexa can achieve a minimum authentication confidence level of 400 in user identification. |
| 3 | Determine if remote unlocking or disarming the connected vehicle is secured with either an OEM-managed PIN or an authentication confidence level of `400 or higher`. | The user must be able to unlock or disarm the connected vehicle by using an OEM-managed PIN or meeting an authentication confidence level of `400 or higher`. Guide the user to fulfill the prerequisites for meeting authentication confidence levels if they haven't done so. For example, guide the user to create a voice ID. |
Testing your skill for OEM-managed PIN implementation
Complete the OEM-managed PIN tests listed in the following table.
| Test | Description | Expected result |
|---|---|---|
| 1 | Enable the skill and complete the account linking process. Make sure that the account linking flow includes setting an OEM-managed PIN to access unlock functionality and the OEM-managed PIN meets the security requirements. | |
| 2 | Enable the skill, but don't set the OEM-managed PIN or opt out of the OEM-managed PIN requirement when prompted. Attempt to invoke the intents that let the user unlock or disarm a connected vehicle. | |
| 3 | Invoke each intent that lets a user unlock or disarm a connected vehicle without opting out of the OEM-managed PIN. | |
| 4 | Invoke each intent that lets a user unlock or disarm a connected vehicle. When prompted for the OEM-managed PIN, say an incorrect PIN. Provide an incorrect PIN at least three times. | |