Windows Live ID

Windows Live ID

An example of a Windows Live ID sign-in page
Type	Single sign-on
Slogan	Simplify your sign in
Owner	Microsoft

Windows Live ID (originally Microsoft Wallet^[1], Microsoft Passport^[2], .NET Passport, then briefly Microsoft Passport Network) is a single sign-on web service developed and provided by Microsoft that allows users to log in to many websites using one account. The service is commonly referred to as "MSN", because many services incorporating the Live ID are or were previously branded with the MSN brand.

History

Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as a single sign-on service for all web commerce. Microsoft Passport had received much criticism. A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft's Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.

In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee to Network Solutions. The oversight made Hotmail, which used the site for authentication, unavailable on Christmas Eve, December 24. A Linux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning.^[3] In Autumn 2003, a similar good Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted.^[4]

In 2001, the Electronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.^[5] The privacy terms were quickly updated by Microsoft to allay customers' fears.

In July and August 2001, the Electronic Privacy Information Center and a coalition of fourteen leading consumer groups filed complaints with the Federal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade.^[6]

In 2003, Faisal Danka,^[7] a British IT Security expert, revealed a serious flaw in Microsoft Passport, through which any account linked to Microsoft Passport or Hotmail could easily be cracked by using any common browser.

Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system.^{[citation needed]} Examples of sites that used Microsoft Passport were eBay and Monster.com, but in 2004 those agreements were cancelled.^[8]

In August 2009, Expedia sent notice out stating they no longer support Microsoft Passport / Windows Live ID.^{[citation needed]}

Overview

Windows Live ID allows users to sign in to websites that support this service using a single set of credentials. Users' credentials are not checked by Windows Live ID-enabled websites, but by a Windows Live ID authentication server.

Windows Live ID service offers a user to make an ID by three different methods:^[9]

1. Limited ID: Windows Live ID gives the requesting user a username in form of <username>@passport.com where <username> is chosen by user. User may also choose a password.
2. Linked ID: Windows Live ID turns the requesting user's e-mail address into Windows Live ID. User may also choose a password of his own choice.
3. Hotmail ID: Users that sign up for Windows Live Hotmail (or any other Windows Live service) are given an e-mail account that can be used as a Windows Live ID to sign in to other Windows Live ID-enabled websites.

Microsoft sites, services, and properties such as MSN, MSNBC, Xbox Live, the .NET Messenger Service, Zune Marketplace. Microsoft Developer Network and Microsoft TechNet use Windows Live ID as a mean of identifying users. There are also several other companies that use it, such as Hoyts.

Windows XP and later has an option to link a Windows user account with a Windows Live ID, thus automatically logging users into Windows Live ID whenever a service is accessed.

Web authentication

On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - including ASP.NET (C#), Java, Perl, PHP, Python and Ruby.^[10][11]

Support for Windows CardSpace

The Windows Live ID login page presents users with the alternative to sign in using Windows CardSpace instead of the usual username and password combination. Windows Live ID account owners can enable integration with Windows CardSpace (a component of the .NET Framework versions 3.0 and 3.5) by selecting an Information Card from the Windows CardSpace selector UI to link to their Windows Live ID. This CardSpace identity then becomes the alternate login credentials for that account, replacing the need for a password. ^[12]

Support for OpenID

On October 27, 2008, Microsoft announced that it was publicly committed to supporting the OpenID framework, with Windows Live ID becoming an OpenID provider.^[13] This would allow users to use their Windows Live ID to sign-in to any website that supports OpenID authentication. There has been no update on Microsoft's planned implementation of OpenID since August 2009.^[14]

Details

A new user signing into a Windows Live ID-enabled website is first redirected to the nearest authentication server, which asks for username and password over an SSL connection.

User may select to have his computer remember his login: A newly signed-in user has an encrypted time-limited cookie stored on his computer and receives a triple DES encrypted ID-tag that previously has been agreed upon between the authentication server and the Windows Live ID-enabled website. This ID-tag is then sent to the website, upon which the website plants another encrypted HTTP cookie in the user’s computer, also time-limited. As long as these cookies are valid, the user is not required to supply a username and password.

If the user actively logs out of Windows Live ID, these cookies will be removed.

Windows Live Account

Screenshot of Windows Live Account

Windows Live Account showing the page for linking multiple Windows Live IDs together

Windows Live Account is the website for Windows Live ID users to manage their identity and relationship with Windows Live. Features of Windows Live Account include:

• updating user's information such as first and last names, address, etc. associated with the account;
• updating user settings, such as preferred language or preferences for email communications;
• changing or resetting user passwords;
• close the account;
• view billing details associated with the account;
• link multiple Windows Live IDs together;
• view the current Windows Live services being used by the user;
• finding help, support, or providing feedback for any Windows Live product or service.

Information created in Windows Live Account is used throughout the Windows Live applications — for example, a password created in Windows Live Account will be used to access Windows Live Hotmail, Windows Live Messenger, etc.

The latest version of Windows Live Account allow users to link multiple Windows Live IDs for one sign-in.

Security vulnerability

On June 17, 2007, Erik Duindam, a web developer in the Netherlands reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address."^[15] A procedure was found to allow users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link is sent to the user. Before using it however, the user was allowed to change the e-mail address to one that doesn't exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified email address. That flaw was fixed two days later, on June 19, 2007.^[16]

See also

Other identity services

• Active Directory Federation Services
• OpenID
• Light-Weight Identity
• Yadis
• Windows CardSpace

Identity management

• Liberty Alliance
• OASIS (organization)

References

Further reading

• Creating a Windows Live ID Account
• Introduction to Windows Live ID whitepaper — Provides a brief overview of the Windows Live ID service in the context of Microsoft's overall identity strategy.
• Understanding Windows Live Delegated Authentication whitepaper — Describes how a Web site can use the Windows Live ID Delegated Authentication system to get permission to access users' information on Windows Live services.
• Windows Live ID Federation whitepaper — Describes the concept of identity federation and offers considerable detail about how the Windows Live ID service supports it.

External links

• Passport.net
• Windows Live Account management website
• Windows Live Sign In Help Center
• Windows Live Developers Portal
• Windows Live ID on mobile devices