Windows Live ID
Windows Live ID is a single sign-on web service developed and provided by Microsoft that allows users to log in to many websites using one account. The service is commonly referred to as "MSN", because many services incorporating the Live ID are or were previously branded with the MSN brand.

History

Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as a single sign-on service for all web commerce. Microsoft Passport had received much criticism. A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft's Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.

In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee to Network Solutions. The oversight made Hotmail, which used the site for authentication, unavailable on Christmas Eve, December 24. A Linux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning. In Autumn 2003, a similar good Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted.

In 2001, the Electronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information. The privacy terms were quickly updated by Microsoft to allay customers' fears.

In July and August 2001, the Electronic Privacy Information Center and a coalition of fourteen leading consumer groups filed complaints with the Federal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade.

In 2003, Faisal Danka, a British IT Security expert, revealed a serious flaw in Microsoft Passport, through which any account linked to Microsoft Passport or Hotmail could easily be cracked by using any common browser.

Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system. Examples of sites that used Microsoft Passport were eBay and Monster.com, but in 2004 those agreements were cancelled.

In August 2009, Expedia sent out a notice stating that they no longer support Microsoft Passport / Windows Live ID.

Overview

Windows Live ID allows users to sign in to websites that support this service using a single set of credentials. Users' credentials are not checked by Windows Live ID-enabled websites, but by a Windows Live ID authentication server.

The Windows Live ID service lets a user create an ID by three different methods:
  1. Limited ID: Windows Live ID gives the requesting user a username in the form of @passport.com where is chosen by user. The user may also choose a password.
  2. Linked ID: Windows Live ID turns the requesting user's e-mail address into a Windows Live ID. The user may also choose a password of his own choice.
  3. Hotmail ID: Users that sign up for Windows Live Hotmail (or any other Windows Live service) are given an e-mail account that can be used as a Windows Live ID to sign in to other Windows Live ID-enabled websites.


Microsoft sites, services, and properties such as MSN, MSNBC, Xbox Live, the .NET Messenger Service, Zune Marketplace, Microsoft Developer Network and Microsoft TechNet use Windows Live ID as a means of identifying users. There are also several other companies that use it, such as Hoyts.

Windows XP and later has an option to link a Windows user account with a Windows Live ID, thus automatically logging users into Windows Live ID whenever a service is accessed.

Web authentication

On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - including ASP.NET (C#), Java, Perl, PHP, Python and Ruby.

Support for Windows CardSpace

The Windows Live ID login page presents users with the alternative to sign in using Windows CardSpace instead of the usual username and password combination. Windows Live ID account owners can enable integration with Windows CardSpace (a component of the .NET Framework versions 3.0 and 3.5) by selecting an Information Card from the Windows CardSpace selector UI to link to their Windows Live ID. This CardSpace identity then becomes the alternate login credentials for that account, replacing the need for a password.

Support for OpenID

On October 27, 2008, Microsoft announced that it was publicly committed to supporting the OpenID framework, with Windows Live ID becoming an OpenID provider. This would allow users to use their Windows Live ID to sign in to any website that supports OpenID authentication. There has been no update on Microsoft's planned implementation of OpenID since August 2009.

Details

A new user signing into a Windows Live ID-enabled website is first redirected to the nearest authentication server, which asks for username and password over an SSL connection.

The user may choose to have the computer remember the login: a newly signed-in user has an encrypted, time-limited cookie stored on the computer and receives a triple DES encrypted ID-tag that has previously been agreed upon between the authentication server and the Windows Live ID-enabled website. This ID-tag is then sent to the website, upon which the website plants another encrypted HTTP cookie in the user’s computer, also time-limited. As long as these cookies are valid, the user is not required to supply a username and password.

If the user actively logs out of Windows Live ID, these cookies will be removed.

Windows Live Account

Windows Live Account is the website for Windows Live ID users to manage their identity and relationship with Windows Live. Features of Windows Live Account include:
  • updating user's information such as first and last names, address, etc. associated with the account;
  • updating user settings, such as preferred language or preferences for email communications;
  • changing or resetting user passwords;
  • closing the account;
  • viewing billing details associated with the account;
  • linking multiple Windows Live IDs together;
  • viewing the current Windows Live services being used by the user;
  • finding help, support, or providing feedback for any Windows Live product or service.


Information created in Windows Live Account is used throughout the Windows Live applications; for example, a password created in Windows Live Account will be used to access Windows Live Hotmail, Windows Live Messenger, etc.

The latest version of Windows Live Account allows users to link multiple Windows Live IDs for one sign-in.

Security vulnerability

On June 17, 2007, Erik Duindam, a web developer in the Netherlands, reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address." A procedure was found to allow users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link is sent to the user. Before using it, however, the user was allowed to change the e-mail address to one that doesn't exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified email address. That flaw was fixed two days later, on June 19, 2007.
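The class of flaw described above comes down to a verification token that proves "this account clicked a link" rather than "this address received the link". The following added example (not Microsoft's code; the account model, function names and addresses are constructed for illustration) shows a token that is not bound to the address next to one that is.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side signing key, generated for this example


class Account:
    def __init__(self, account_id, email):
        self.account_id = account_id
        self.email = email
        self.verified = False


def _mac(*parts):
    # HMAC over the NUL-joined fields; only the server can produce it.
    msg = "\x00".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


# Unbound variant: the token identifies the account only.
def issue_unbound(acct):
    return _mac("verify", acct.account_id)


def confirm_unbound(acct, token):
    if hmac.compare_digest(token, _mac("verify", acct.account_id)):
        acct.verified = True  # marks whatever address is on file NOW as verified
    return acct.verified


# Bound variant: the token covers the address the link was mailed to.
def issue_bound(acct):
    return _mac("verify", acct.account_id, acct.email.lower())


def confirm_bound(acct, token):
    expected = _mac("verify", acct.account_id, acct.email.lower())
    if hmac.compare_digest(token, expected):
        acct.verified = True
    return acct.verified


def change_email(acct, new_email):
    acct.email = new_email
    acct.verified = False  # a changed address always needs its own verification


def address_changed_before_confirm(issue, confirm):
    """Link is mailed to the first address, then the address on file changes."""
    acct = Account("acct-1", "owner@example.test")
    token = issue(acct)
    change_email(acct, "someone-else@example.test")
    return confirm(acct, token), acct.email


def normal_flow(issue, confirm):
    """Link is mailed and used without the address changing."""
    acct = Account("acct-2", "owner@example.test")
    return confirm(acct, issue(acct))
```

With the unbound token the changed address ends up marked as verified; with the bound token the old link no longer matches and a new link has to be sent to the new address.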

See also

Other identity services
  • Active Directory Federation Services
  • OpenID
  • Light-Weight Identity
  • Yadis
  • Windows CardSpace

Identity management
  • Liberty Alliance
  • OASIS (organization)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.