Windows Live ID

Windows Live ID
Windows Live ID Sign-in page
Developer:	Microsoft
Website:	http://login.live.com

Windows Live ID (originally named .NET Passport; briefly Microsoft Passport Network) is a "unified-login" service developed and provided by Microsoft that allows users to log in to many websites using one account. It was originally positioned as a single sign-on service for all web commerce.

Product overview

Most of the web sites and applications that use Windows Live ID are Microsoft sites and services such as Hotmail, MSNBC, MSN, Xbox 360's Xbox Live, the .NET Messenger Service, Zune or MSN subscriptions, but there are also several other companies affiliated with Microsoft that use it, such as Expedia and Hoyts. Users of Hotmail or MSN automatically have a Windows Live ID that corresponds to their accounts. Most recently user log in data has started to allow demographic targeting by advertisers using Microsoft adCenter.

Microsoft's Windows XP has an option to link a Windows user account with a Windows Live ID (appearing with its former names), logging users into Windows Live ID whenever they log into Windows.

Windows Live ID's relationship to Windows CardSpace, a component of Windows Vista, is unknown at this time; Microsoft's own Chief Identity Architect, Kim Cameron, has questioned Windows Live ID in his Laws of Identity, many of which are violated by Windows Live ID.

On August 15, 2007, Microsoft released Windows Live ID Web Authentication, opening Windows Live ID to web site developers.

Technical overview

A new user entering a commerce server will first be redirected to the nearest authentication server, which asks for username and password over an SSL-secured connection, unless the user can present a valid GLOBALAUTH-cookie. In return, a newly accepted user (a) has an encrypted time-limited GLOBALAUTH-cookie implanted on his computer and (b) receives a triple DES encrypted ID-tag that previously has been agreed upon, between the authentication and the commerce server. This ID-tag is then sent to the commerce server, upon which the commerce server plants an encrypted LOCALAUTH-cookie in the user’s computer, also time-limited. The presenting of these LOCAL and GLOBAL cookies to various commerce and authentication servers prevents the need for authentication within the time of validity, as in the Kerberos protocol.

If the user actively logs out of Windows Live ID, these cookies will be removed; however, users are often confused by other commerce server logout functions, and unintentionally leave these cookies intact. The service also depends on users allowing their browsers to ship cookies to servers other than the one they originated from.

Following recent updates to Windows XP, some users experience popups asking them to enter their Windows Live ID whenever they browse to their Documents and Settings/username/ folder, whether or not they have such an ID or use those services. This can be prevented by deleting the item "My web sites on MSN" from the NetHood subfolder in this folder, which apparently causes this by trying to access the network.^{[citation needed]}

Digital rights and early criticism

Windows Live ID (at the time Microsoft Passport) was criticized by the Electronic Frontier Foundation's staff attorney Deborah Pierce as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.^[1] The privacy terms were quickly updated by Microsoft to allay customers' fears.

Security issues

Windows Live ID is used by many services to prove ownership of a user's e-mail address. However a security breach was found in Windows Live ID on June 17 2007 by Erik Duindam, a web developer in the Netherlands, who reported a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address." ^[2]

The problem arose around the e-mail verification link received upon a new Windows Live ID registration. A procedure was found to allow users to register invalid or currently used e-mail addresses. After registration with a valid e-mail address that the user does have access to, a verification link is received. Before using it however, the user is allowed to change the initial email address to one that doesn't exist, or an existing email address currently used by another user. After logging out a second time and confirming using the first link, the Microsoft system simply confirms the account using the invalid or unowned email address. This implies possible privacy and identity risks, for example a colleague pretending to be the user's manager or a media reporter pretending to be an investor using the Windows Live Messenger service.

This problem was acknowledged and fixed by Microsoft on June 19 2007. Without confirmation of the e-mail address, Microsoft will include a warning with any future instant messages sent on Windows Live Messenger, which will appear as "fake@emailaddress (E-mail Address Not Verified)." However, any existing accounts created with fake e-mail addresses were still active as of June 20 2007 without the warning message. Microsoft did not provide any further information on the security flaw's impact.^[3]

References

1. ^ Privacy terms revised for Microsoft Passport
2. ^ http://www.erikduindam.com/windowslive.pdf "Windows Live ID security breached" on erikduindam.com
3. ^ "Windows Live Bug Opened Door to Scammers" - PC World

See also

• Liberty Alliance
• OASIS (organization)
• Xbox Live
• OpenID, Yadis, Light-Weight Identity - URL-based identity protocols
• Windows CardSpace
• Windows Live

External links

• Windows Live ID blog – Microsoft’s official blog for Windows Live ID
• Microsoft Passport Network web site

Donate to Wikimedia