Microsoft account

Microsoft account
Web address	account.live.com
Slogan	Your account, our priority
Type of site	Single sign-on
Owner	Microsoft

Microsoft account (previously Microsoft Passport,^[1] .NET Passport, Microsoft Passport Network, and Windows Live ID) is a single sign-on web service developed and provided by Microsoft that allows users to log into websites (like Outlook.com), devices (e.g. Windows 8 computers and tablets, or Windows Phones), and applications (including Visual Studio) using one account.

History[edit]

Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as a single sign-on service for all web commerce. Microsoft Passport had received much criticism. A prominent critic was Kim Cameron, the author of the Laws of Identity, who questioned Microsoft Passport in its violations of those laws. He has since become Microsoft's Chief Identity Architect and helped address those violations in the design of the Windows Live ID identity meta-system. As a consequence, Windows Live ID is not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.

In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee to Network Solutions. The oversight made Hotmail, which used the site for authentication, unavailable on Christmas Eve, December 24. A Linux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning.^[2] In Autumn 2003, a similar good Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted.^[3]

In 2001, the Electronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.^[4] The privacy terms were quickly updated by Microsoft to allay customers' fears.

In July and August 2001, the Electronic Privacy Information Center and a coalition of fourteen leading consumer groups filed complaints with the Federal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade.^[5]

In 2003, Faisal Danka,^[6] a British IT Security expert, revealed a serious flaw in Microsoft Passport, through which any account linked to Microsoft Passport or Hotmail could easily be cracked by using any common browser.

Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system.^{[citation needed]} Examples of sites that used Microsoft Passport were eBay and Monster.com, but in 2004 those agreements were cancelled.^[7] In August 2009, Expedia sent notice out stating they no longer support Microsoft Passport / Windows Live ID.^{[citation needed]}

In 2012, Windows Live ID was renamed Microsoft account.^[8][9]

Overview[edit]

Microsoft account allows users to sign into websites that support this service using a single set of credentials. Users' credentials are not checked by Microsoft account-enabled websites, but by a Microsoft account authentication server. A new user signing into a Microsoft account-enabled website is first redirected to the nearest authentication server, which asks for username and password over an SSL connection. The user may select to have their computer remember their login: a newly signed-in user has an encrypted time-limited cookie stored on their computer and receives a triple DES encrypted ID-tag that previously has been agreed upon between the authentication server and the Microsoft account-enabled website. This ID-tag is then sent to the website, upon which the website plants another encrypted HTTP cookie in the user's computer, also time-limited. As long as these cookies are valid, the user is not required to supply a username and password. If the user actively logs out of their Microsoft account, these cookies will be removed.

Microsoft account offers a user two different methods for creating an account:

1. Use an existing e-mail address: Users are able to use their own valid e-mail address to sign up for a Microsoft account. The service turns the requesting user's e-mail address into a Microsoft account. User may also choose a password of their own choice.
2. Sign up for a Microsoft e-mail address: Users can also sign up for an e-mail account with Microsoft's webmail services designated domains (i.e. @hotmail.com, @live.com, @msn.com, @passport.com and @outlook.com or any variant for a specific country) that can be used as a Microsoft account to sign into other Microsoft account-enabled websites.

Microsoft sites, services, and properties such as Windows Live, MSN, Xbox Live, Zune, Windows Phone, and Windows 8 use Microsoft account as a mean of identifying users. There are also several other companies that use it, such as the Hoyts website which is hosted by NineMSN.

Windows XP and later has an option to link a Windows user account with a Microsoft account, thus automatically logging users into Microsoft account whenever a service is accessed. Windows 8 also allow users to directly authenticate into their PCs using their Microsoft account, rather than a local or domain user.

Web authentication[edit]

On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - including ASP.NET (C#), Java, Perl, PHP, Python and Ruby.^[10][11]

Support for Windows CardSpace[edit]

The Windows Live ID login page presents users with the alternative to sign in using Windows CardSpace instead of the usual username and password combination. Windows Live ID account owners can enable integration with Windows CardSpace (a component of the .NET Framework versions 3.0 and 3.5) by selecting an Information Card from the Windows CardSpace selector UI to link to their Windows Live ID. This CardSpace identity then becomes the alternate login credentials for that account, replacing the need for a password.^[12]

Support for OpenID[edit]

On October 27, 2008, Microsoft announced that it was publicly committed to supporting the OpenID framework, with Windows Live ID becoming an OpenID provider.^[13] This would allow users to use their Windows Live ID to sign into any website that supports OpenID authentication. There had been no update on Microsoft's planned implementation of OpenID since August 2009,^[14] however since November 2013 Microsoft have publicly participated in OpenID Connect interoperability testing.^[15][16]

Features[edit]

Screenshot of Microsoft account overview page

Microsoft account is the website for users to manage their identity. Features of a Microsoft account include:

• updating user's information such as first and last names, address, etc. associated with the account;
• updating user settings, such as preferred language or preferences for email communications;
• changing or resetting user passwords;
• close the account;
• view billing details associated with the account.

Services accessible[edit]

• Windows
• Windows Phone
• Outlook.com
• OneDrive
• Office Online
• Xbox Live
• Windows Store
• Windows Phone Store
• People
• Bing
• Calendar
• Visual Studio

Security vulnerabilities[edit]

On June 17, 2007, Erik Duindam, a web developer in the Netherlands, reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address."^[17] A procedure was found to allow users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link was sent to the user. Before using it however, the user was allowed to change the e-mail address to one that did not exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified email address. That flaw was fixed two days later, on June 19, 2007.^[18]

On April 20, 2012, Microsoft fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account. The company was notified of the flaw by researchers at Vulnerability Lab on the same day^[19] and responded with a fix within hours — but not before widespread attacks as the exploitation technique spread quickly across the Internet.^[20][21]

See also[edit]

• Identity management
• Identity management system
• List of single sign-on implementations

Other identity services

• Active Directory Federation Services
• OpenID
• Light-Weight Identity
• Yadis
• Windows CardSpace

Identity management

• Liberty Alliance
• OASIS (organization)

References[edit]

Further reading[edit]

• Creating a Windows Live ID Account
• Introduction to Windows Live ID whitepaper — Provides a brief overview of the Windows Live ID service in the context of Microsoft's overall identity strategy.
• Understanding Windows Live Delegated Authentication whitepaper — Describes how a Web site can use the Windows Live ID Delegated Authentication system to get permission to access users' information on Windows Live services.
• Windows Live ID Federation whitepaper — Describes the concept of identity federation and offers considerable detail about how the Windows Live ID service supports it.

External links[edit]

• Official website
• Windows Live Sign In Help Center
• Windows Live Developers Portal
• Windows Live ID on mobile devices

v t e Windows Phone Development history Versions Windows Phone 7 (Removed features) Windows Phone 8 Windows Phone 8.1 Device software Bing Mobile Bing Vision Bing Audio Cortana Internet Explorer Mobile Office Mobile MixRadio Remote Desktop Xbox LIVE on Windows Phone Windows Live for Mobile Zune Media Player Xbox Music Xbox Video Desktop sync Zune Software Windows Phone App Services Microsoft account My Windows Phone Windows Phone Store OneDrive Hotmail Mobile Development .NET Compact Framework Silverlight SQL Server Compact XNA App Studio Windows Phone 7 devices Windows Phone 8 devices Windows Phone 8.1 devices

v t e Microsoft Office History Office suites Windows 3.0 95 97 2000 XP 2003 2007 2010 2013 Mac OS 98 2001 X 2004 2008 2011 Applications (List) Desktop Access Excel Lync OneNote Outlook PowerPoint Project Publisher SharePoint Designer Visio Word Viewer Server Lync Server SharePoint Excel Services Project Server Search Server Mobile Office Mobile Online Office Online Calendar People OneDrive Outlook.com Sway Office 365 Office tools Microsoft Office shared tools Ribbon Hero Ribbon Hero 2 Discontinued Accounting Clip Organizer Data Analyzer Document Imaging Document Scanning Entourage FrontPage Groove Server InfoPath InterConnect Liquid Motion Live Meeting Mail Office Assistants Office Live PerformancePoint Server Picture Manager PhotoDraw Photo Editor Project Portfolio Server Schedule+ SharePoint Workspace Snapshot Viewer for Access Vizact Works Technologies Information Bridge Framework Language Packs Object Linking and Embedding Office Open XML Office XML formats Smart tags Visual Basic for Applications Other topics Microsoft Office website Microsoft Product Activation Office Genuine Advantage Office filename extensions Microsoft Office password protection Category Commons Book Wikiversity