Microsoft account


[Image: Microsoft account logo]

A Microsoft account or MSA [1] (previously known as Microsoft Passport, [2] .NET Passport, and Windows Live ID) is a single sign-on personal user account for Microsoft customers to log in to consumer [3] [4] Microsoft services (like Outlook.com), devices running on one of Microsoft's current operating systems (e.g. Microsoft Windows computers and tablets, Xbox consoles), and Microsoft application software (including Visual Studio).


Overview

Microsoft account allows users to sign in to websites that support the service using a single set of credentials; the username takes the form of an e-mail address. Microsoft account offers two ways to create an account:

  1. Use an existing e-mail address: Users are able to use their own valid e-mail address to sign up for a Microsoft account. The service turns the requesting user's e-mail address into a Microsoft account ID. Users may also choose a password of their own choice.
  2. Sign up for a Microsoft e-mail address: Users can also sign up for a free e-mail account through Outlook.com or MSN, using one of the domains designated for Microsoft's webmail services (i.e. @hotmail.com, @outlook.com, @msn.com [a] ); that address can then be used as a Microsoft account to sign in to other Microsoft account-enabled websites.

The domains @live.com and @passport.com, as well as some other domains, are no longer offered, but existing accounts are maintained.

Microsoft websites, services, and apps such as Bing, MSN and Xbox Live use Microsoft account as a means of identifying users. There are also several other companies that use it, such as the Hoyts website which is hosted by NineMSN.

Windows XP and later have an option to link a local Windows user account with a Microsoft account, so that the user is automatically logged in to their Microsoft account whenever a service is accessed. Starting with Windows 8 and Windows Server 2012, Windows allows users to authenticate directly to their PCs using their Microsoft account rather than a local or domain user account. [5]

Login methods

In addition to using an account password, users can log in to their Microsoft account by approving a notification sent to a mobile device running Microsoft Authenticator, by using a FIDO2 security token, or by using Windows Hello. [6] Users can also set up two-factor authentication, receiving a time-based, single-use code by text message, phone call or authenticator app.

Technical details

Users' credentials are not checked by Microsoft account-enabled websites themselves, but by a Microsoft account authentication server. A new user signing in to a Microsoft account-enabled website is first redirected to the nearest authentication server, which asks for the username and password over an SSL connection. The user may choose to have their computer remember the login: a newly signed-in user has an encrypted, time-limited cookie stored on their computer and receives a triple DES encrypted ID-tag that was previously agreed upon between the authentication server and the Microsoft account-enabled website. This ID-tag is then sent to the website, upon which the website plants another encrypted, time-limited HTTP cookie on the user's computer. As long as these cookies are valid, the user is not required to supply a username and password. If the user actively logs out of their Microsoft account, these cookies are removed.
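As an added illustration (not Microsoft's code and not a description of the real Passport implementation), the following Python model walks through the exchange just described: the authentication server mints a time-limited ID-tag under a key agreed with one website, the website checks the tag and plants its own time-limited cookie, and logging out removes that cookie. The page's triple DES ID-tag is replaced by an HMAC-SHA256 signed token so the model runs on the standard library alone; the key, lifetimes, site name and user name are assumptions.

```python
# Added example (not Microsoft's code): a simplified model of the single
# sign-on flow described above. The page describes a triple-DES encrypted
# ID-tag; this model swaps in an HMAC-SHA256 signed token (an assumption
# made so the example runs on the standard library alone).
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical key agreed in advance between the authentication server and
# one account-enabled website (the "previously agreed upon" secret in the text).
SITE_KEY = secrets.token_bytes(32)
TAG_TTL = 300  # seconds an ID-tag stays valid (assumed value)


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_id_tag(key, user, site, now):
    """Authentication server: mint a time-limited ID-tag for one site."""
    body = json.dumps({"user": user, "site": site, "exp": now + TAG_TTL}).encode()
    return base64.urlsafe_b64encode(body + _sign(key, body)).decode()


def verify_id_tag(key, tag, site, now):
    """Website: accept the tag only if it is intact, for this site, and unexpired."""
    raw = base64.urlsafe_b64decode(tag)
    body, mac = raw[:-32], raw[-32:]
    if not hmac.compare_digest(mac, _sign(key, body)):
        return None  # forged or tampered
    claims = json.loads(body)
    if claims["site"] != site or claims["exp"] < now:
        return None  # presented to another site, or stale
    return claims["user"]


class SiteSession:
    """The website's own time-limited cookie, planted after a good ID-tag."""

    def __init__(self, ttl=600):
        self.ttl = ttl
        self.cookies = {}  # cookie value -> (user, expiry)

    def plant(self, user, now):
        value = secrets.token_urlsafe(24)
        self.cookies[value] = (user, now + self.ttl)
        return value

    def user_for(self, cookie, now):
        entry = self.cookies.get(cookie)
        if entry is None or entry[1] < now:
            self.cookies.pop(cookie, None)  # expired cookies are discarded
            return None
        return entry[0]

    def logout(self, cookie):
        self.cookies.pop(cookie, None)  # active logout removes the cookie


def sso_login(site, key, tag, site_name, now=None):
    """Website side of the exchange: check the ID-tag, then plant a cookie."""
    now = time.time() if now is None else now
    user = verify_id_tag(key, tag, site_name, now)
    return site.plant(user, now) if user is not None else None
```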

Relationship with work or school account

Microsoft also offers work or school accounts, which are set up by an administrator as part of an organization. These accounts are separate from Microsoft accounts (also called personal accounts) and cannot be merged, but a user may use both side by side. [7] [8] A work or school account uses the Azure Active Directory domain platform. [9]

History

Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as a single sign-on service for all web commerce. Microsoft Passport received much criticism. A prominent critic was Kim Cameron, the author of The Laws of Identity, [10] who criticized Microsoft Passport for violating those laws. He then joined Microsoft in 1999 after his company was acquired and was its chief architect of access and identity until his 2019 retirement, helping to address those violations in the design of the Microsoft Account identity meta-system. As a consequence, Microsoft Accounts are not positioned as the single sign-on service for all web commerce, but as one choice among many identity systems.

In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee to Network Solutions. The oversight made Hotmail, which used the site for authentication, unavailable on December 24. A Linux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning. [11] In Autumn 2003, a similar good Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted. [12]

In 2001, the Electronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information. [13] The privacy terms were quickly updated by Microsoft to allay customers' fears.

In July and August 2001, the Electronic Privacy Information Center and a coalition of fourteen leading consumer groups filed complaints [14] with the Federal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of the Federal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade. [15] In August 2002, Microsoft agreed to settle the resulting FTC charges. As part of the settlement, Microsoft was required to implement and maintain a comprehensive security program, as well as being prohibited from misrepresenting information practices. [16]

Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system. [17] Examples of sites that used Microsoft Passport were eBay and Monster.com, but in 2004 those agreements were canceled. [18] In August 2009, Expedia sent notice out stating they no longer support Microsoft Passport / Windows Live ID.

In 2012, Windows Live ID was renamed Microsoft account. [19] [20]

Features

Microsoft account is the website for users to manage their identity. Features of a Microsoft account include:

Integrated with

The following is a list of computer programs and web services that support using Microsoft Account as the credentials required for the authentication process.

Web authentication

On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - including ASP.NET (C#), Java, Perl, PHP, Python and Ruby. [21] [22]

Support for OpenID

On October 27, 2008, Microsoft announced that it was publicly committed to supporting the OpenID framework, with Windows Live ID becoming an OpenID provider. [23] This would allow users to use their Windows Live ID to sign in to any website that supports OpenID authentication. There had been no update on Microsoft's planned implementation of OpenID since August 2009; [24] however, since November 2013 Microsoft has publicly participated in OpenID Connect interoperability testing. [25] [26]

Security vulnerabilities

On June 17, 2007, Erik Duindam, a web developer in the Netherlands, reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address." [27] A procedure was found that allowed users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link was sent to the user. Before using it, however, the user was allowed to change the e-mail address to one that did not exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified e-mail address. The flaw was fixed two days later, on June 19, 2007. [28]
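The defect described above is a binding failure: the verification link proved that somebody clicked it, not that the address currently on the account had received it. The following Python model, added here and not taken from Windows Live ID or any Microsoft code, places a registry with that weakness beside a hardened one whose token is an HMAC over the address the link was sent to, so a later address change invalidates the link until a fresh one is mailed. Class names, the token format and the in-memory store are assumptions for illustration.

```python
# Added example (not Microsoft's or Windows Live ID's code): a model of the
# 2007 registration flaw beside a hardened version. Names, the token format
# and the in-memory "database" are assumptions for illustration.
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


class Account:
    def __init__(self, email):
        self.email = email
        self.verified = False


class VulnerableRegistry:
    """Token proves only that a link was clicked; it is not tied to an address."""

    def __init__(self):
        self.accounts = {}  # token -> Account

    def register(self, email):
        acct, token = Account(email), secrets.token_urlsafe(16)
        self.accounts[token] = acct   # a mail carrying `token` goes to `email`
        return acct, token

    def change_email(self, acct, new_email):
        acct.email = new_email        # allowed before the link is used

    def verify(self, token):
        acct = self.accounts.get(token)
        if acct is None:
            return False
        acct.verified = True          # marks whatever address is on file *now*
        return True


class HardenedRegistry:
    """Token is an HMAC over the address the link was mailed to, so a later
    address change makes the old link fail and a fresh link must be sent."""

    def __init__(self):
        self.accounts = {}  # nonce -> Account

    def _token(self, nonce, email):
        msg = f"{nonce}|{email.lower()}".encode()
        return nonce + "." + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def register(self, email):
        acct, nonce = Account(email), secrets.token_urlsafe(16)
        self.accounts[nonce] = acct
        return acct, self._token(nonce, email)

    def change_email(self, acct, new_email):
        acct.email = new_email
        acct.verified = False         # the previously mailed link no longer matches

    def verify(self, token):
        nonce, _, _mac = token.partition(".")
        acct = self.accounts.get(nonce)
        if acct is None:
            return False
        # Recompute against the address currently on the account; a swapped
        # address yields a different MAC, so the old link is rejected.
        if not hmac.compare_digest(token, self._token(nonce, acct.email)):
            return False
        acct.verified = True
        return True
```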

On April 20, 2012, Microsoft fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account. The company was notified of the flaw by researchers at Vulnerability Lab on the same day [29] and responded with a fix within hours — but not before widespread attacks as the exploitation technique spread quickly across the Internet. [30] [31]

On December 3, 2015, a security researcher discovered a vulnerability in the Adobe Experience Manager (AEM) software used on signout.live.com and reported it to the Microsoft Security Response Center (MSRC). This vulnerability enabled full-administrative access to the AEM Publish nodes' OSGi console and made it possible to execute code inside of the JVM through the upload of a custom OSGi bundle. The vulnerability was confirmed to have been resolved on May 3, 2016. [32]

See also

Other identity services

Identity management


References

  1. "Upcoming changes to Windows 10 Insider Preview builds [UPDATED 6/22]". Windows Experience Blog. June 19, 2015. Retrieved April 17, 2016.
  2. Microsoft Passport: Streamlining Commerce and Communication on the Web.
  3. "What's the difference between a personal Microsoft account and a work or school account?". techcommunity.microsoft.com. Retrieved October 4, 2023.
  4. "What is my user ID and why do I need it for Office 365 for business? - Microsoft Support". support.microsoft.com. Retrieved October 4, 2023.
  5. "Windows 8: The official review". PCWorld. Retrieved November 24, 2023.
  6. Warren, Tom (November 20, 2018). "You can now sign into a Microsoft Account without a password using a security key". The Verge. Vox Media. Retrieved November 27, 2018.
  7. "Why you need a Microsoft account, or work or school account with Microsoft 365 or Office - Microsoft Support". support.microsoft.com. Retrieved November 24, 2023.
  8. "Which account do you want to use? - Microsoft Support". support.microsoft.com. Retrieved November 24, 2023.
  9. "What's the difference between a personal Microsoft account and a work or school account?". techcommunity.microsoft.com. Retrieved November 24, 2023.
  10. Cameron, Kim (May 2005). "The Laws of Identity". Microsoft. Retrieved July 9, 2018.
  11. Chaney, Michael (January 27, 2000). "The Passport Payment". Retrieved November 3, 2007.
  12. Richardson, Tim (November 6, 2003). "Microsoft forgets to renew hotmail". The Register. Retrieved November 3, 2007.
  13. Privacy terms revised for Microsoft Passport.
  14. "Complaint and Request for Injunction, Request For Investigation and for Other Relief" (PDF). Electronic Privacy Information Center. July 26, 2001.
  15. EPIC: Microsoft Passport Investigation Docket, http://epic.org/privacy/consumer/microsoft/passport.html
  16. "Microsoft Settles FTC Charges Alleging False Security and Privacy Promises". Federal Trade Commission. August 8, 2002. Retrieved May 31, 2024.
  17. Microsoft had pushed for non-Microsoft entities.
  18. Microsoft Passport Dumped By Ebay.
  19. Windows 8 Consumer Preview - FAQ.
  20. "What is a Microsoft account?". Microsoft. Retrieved August 2, 2012. "Microsoft account" is the new name for what used to be called a "Windows Live ID."
  21. LiveSide.net: Windows Live ID Web Authentication Is Final. July 16, 2007. Archived October 23, 2008, at the Wayback Machine.
  22. Live ID Team blog announcement: Windows Live ID Web Authentication SDK for Developers Is Released [dead link]. July 15, 2007.
  23. Windows Live ID Becomes an OpenID Provider.
  24. Windows Live ID OpenID Status Update.
  25. "Microsoft publicly participates in OpenID Connect interoperability testing".
  26. "Microsoft 365 documentation".
  27. "Windows Live ID security breached" on erikduindam.com.
  28. Microsoft Windows Live Flaw Opened Door to Scammers. Archived May 18, 2008, at the Wayback Machine.
  29. "Microsoft MSN Hotmail - Password Reset & Setup Vulnerability". Archived from the original on January 6, 2019. Retrieved April 28, 2012.
  30. Twitter / @msftsecresponse: On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed.
  31. Bright, Peter (April 27, 2012). "Microsoft patches major Hotmail 0-day flaw after apparently widespread exploitation". Ars Technica. Archived from the original on October 6, 2012. Retrieved October 21, 2012.
  32. "Remote Code Execution (RCE) on Microsoft's 'signout.live.com'".

Notes

  a. @msn.com addresses are only offered to MSN Dial-up and MSN Premium customers.
