“Alexa, pay Bob $50.”

While predictions abound that Amazon will soon roll out an easy payments system for its ubiquitous voice-activated assistant, are Alexa payments really ready for prime time?

The short answer is not yet — unless banks opt to authenticate the transactions outside Alexa, making them harder to execute.

The main problem is that Alexa can’t yet tell whether a person is who they claim to be. The device can distinguish one user from another, but it is not yet capable of verifying identity.

Flow chart on how IdentityX would authenticate bank customers who want to send payments over Alexa.

Many are hopeful that issue can be worked out soon.

“It’s months away, not years,” said Gareth Gaston, executive vice president of omnichannel at U.S. Bank. “This technology is moving very fast. You’ve got three very credible platforms between Amazon, Google and Apple that are all competing for who has the best interaction and who’s going to sell the most devices. That’s great for us and great for customers, because it will help us deliver a better experience through their devices.”

U.S. Bank’s is very interested in helping customers make payments over Amazon’s Alexa, Google’s Assistant and Apple’s Siri, he said.

“We were third to market with Alexa, we’ve done very advanced and active work on Google Assistant and Siri, we really believe that voice is a key way that customers will interact with the bank in the future,” Gaston said. (USAA, Ally Bank, Capital One and TD Bank also have Alexa Skills.)

The bank already lets people do some transactions through its Alexa skill for U.S. Bank products, for instance pay a credit card bill. Customers authenticate the transaction with a verbal PIN code.

“An internal payment from a U.S. Bank account is less risky but it’s still a fairly bold first step in that world,” Gaston said.

Alexa payments could be made more secure either by doing out of band or second factor authentication, or verifying a person’s voice, an issue Amazon, Google and Apple are working on, he said.

“Amazon, Google and Apple don’t want to create friction, the entire being of those companies is ease of use,” Gaston pointed out. “My base assumption and faith is that they’re working on some form of voice authentication that we will be able to hook into, with or without the use of a third party vendor. We have an authentication platform we could hook into that. I do see it not too far in the not-to-distant future. Payments is such a hot space, all of them are interested in it and there’s certainly enough demand from customers of FIs.”

Consumers want this

Interest among consumers for making payments over digital payments is high, said Kiki Del Valle, senior vice president of commerce for every device at Mastercard.

Roughly 12% of U.S. consumers already use a smart speaker and 17% use some kind of voice agent, such as Siri or Alexa, to buy things, while 13% use it to handle payments and 4% use it to do some kind of banking, according to a survey by Mastercard.

"Consumers have started using digital assistants for simple tasks, being able to search or ask for the weather or ask for a recipe,” Del Valle said. “When we think about where commerce, payments and banking fit in, those are more complex tasks consumers will need to grow to do within the space. There is consumer interest in this space and a good opportunity for growth.”

Mastercard has performed conversational commerce pilots, on text- and voice-based digital assistants, not just speakers.

“We have focused on it as an emerging trend — what are the opportunities within this trend we need to be mindful of?” Del Valle said. “We do see an opportunity for interest in among consumers wanting to perform financial transactions as well as commerce.”

Authenticating with Alexa

But consumers are concerned about the security of banking by voice, Mastercard’s survey found.

“There is a level of distress when it comes to how, and in what form, is my money being handled,” Del Valle said. “In the ideal situation, we need to have the ability to authenticate at the individual level.”

Voice recognition technology can listen to a person speak for just a few seconds and accurately verify their identity or block an impostor. Many banks use this technology in their call centers today.

But Amazon, Google and Apple don’t yet have that capability in their smart speakers.

Neither company will store the voiceprints necessary to do voice recognition, said Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research.

Banks don’t want to store voice prints either, though they do this today for their call centers, he said.

“Over the years, because of privacy concerns, banks have leaned the other way,” Pascual said. “They don’t want to store your biometric data. They don’t want to have to deal with the headache, all the questions that come along with that, and they’d much rather have the biometric stored with you.”

From a risk perspective, it makes sense to store voice and facial biometrics locally on the user’s device instead of having a single point of failure where all that information is stored, Pascual said.

“Even if criminals used malware to target all those devices, it would take a long time for that malware to scale,” he said.

But the devices would need to have some kind of secure element or enclave to protect that information, he said.

The biometric authentication provider Daon, the company behind many banks’ facial and voice recognition authentication features including USAA’s, has created a workaround.

When a bank uses its IdentityX technology, its customer can ask Alexa to pay someone $50, then receive a notification through their mobile phone asking them to use their voice or face to verify the transaction through their smartphone.

According to Tom Grissen, CEO of Daon, this gives consumers flexibility and choice.

“We’ve found that people want to be able to give commands to their digital system through their voice, which is natural, but sometimes they’re in settings where they may not want to speak a PIN by voice because there are other people around,” Grissen said. “We tried to provide a consumer the freedom to authenticate with whatever biometric they want.”

Daon’s technology integrates easily with banks’ Alexa Skills, according to Grissen, and the authentication process is the same they use for mobile or call centers.

“It’s executing what they have already put in place with us, it just happens to be across the digital assistant channel,” he said.

Using biometric authentication gives banks a level of security they can’t get otherwise, he said.

“It brings trust to the digital assistant that is lacking today,” Grissen said.

Daon is working with several financial institutions in North America and the U.K. that plan to deploy its digital assistant authentication within the next 18 months, he said. (Several banks we contacted declined interviews.)

Pascual says he sees interest in the marketplace for this solution.

“I talk to bankers who have been developing Skills for Alexa and they’re trying to figure out how to solve for authentication, and they like the notion of out-of-band biometrics or transaction signing,” Pascual said. “That’s still better than a spoken PIN, which is very low-tech and could lead to all kinds of fraud problems.” For example, children could use the PIN to send themselves and their friends money.

Gaston believes Amazon, Google and Apple will figure out their own answers to authentication quickly.

He points to the way Apple lets companies use the same interface to get their apps to work with Touch ID and Face ID. U.S. Bank recently added support for the iPhone X’s Face ID for its banking app, which already supported Touch ID, and the integration was straightforward, he said.

U.S. Bank has a common authentication layer that it plugs different forms of biometrics into, so that it can adapt as technology evolves. Gaston expects the large tech companies to do something similar.

Mastercard's study also found 90% of consumers would like validation of what payment method is being used when they buy something through a voice command.

“It’s not just about the authentication, it’s also about getting the payment confirmation, getting the visibility and transparency that I’m paying with what I intended to pay, so we’re not driving incremental fraud into the ecosystem,” Del Valle said.

The most logical place for voice payments is in a car, to pay a toll or parking fee.

“That’s absolutely what’s going to happen,” Grissen said. “Voice will be such a preferred interface for the internet of things and for the home and for vehicles, you will see the integration of Alexa with vehicles or alternatively digital assistants with vehicles. Then you’ll see a variety of different commands — pay a toll, pay at McDonald's, or transactions of more consequence. That work is underway now.”

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.