Windows Live ID (originally named .NET Passport; briefly Microsoft Passport Network) is a "unified-login" service developed and provided by Microsoft that allows users to log in to many websites using one account. It was originally positioned as a single sign-on service for all web commerce.
Product overview
Most of the web sites and applications that use Windows Live ID are Microsoft sites and services such as Hotmail, MSNBC, MSN, Xbox 360's Xbox Live, the .NET Messenger Service, Zune or MSN subscriptions, but several other companies affiliated with Microsoft also use it, such as Expedia and Hoyts. Users of Hotmail or MSN automatically have a Windows Live ID that corresponds to their accounts. Most recently, user login data has begun to be used for demographic targeting by advertisers through Microsoft adCenter.
Microsoft's Windows XP has an option to link a Windows user account with a Windows Live ID (appearing under its former names), logging users into Windows Live ID whenever they log into Windows.
Windows Live ID's relationship to Windows CardSpace, a component of Windows Vista, is unknown at this time; Microsoft's own Chief Identity Architect, Kim Cameron, has questioned Windows Live ID in his Laws of Identity, many of which are violated by Windows Live ID.
On August 15, 2007, Microsoft released Windows Live ID Web Authentication, opening Windows Live ID to web site developers.
Technical overview
A new user entering a commerce server is first redirected to the nearest authentication server, which asks for a username and password over an SSL-secured connection unless the user can present a valid GLOBALAUTH cookie. In return, a newly accepted user (a) has an encrypted, time-limited GLOBALAUTH cookie set on his computer and (b) receives a triple DES encrypted ID-tag that has previously been agreed upon between the authentication server and the commerce server. This ID-tag is then sent to the commerce server, which in turn sets an encrypted LOCALAUTH cookie, also time-limited, on the user's computer. Presenting these LOCAL and GLOBAL cookies to the various commerce and authentication servers removes the need to authenticate again within their period of validity, much as tickets do in the Kerberos protocol.
If the user actively logs out of Windows Live ID, these cookies will be removed; however, users are often confused by other commerce server logout functions, and unintentionally leave these cookies intact. The service also depends on users allowing their browsers to ship cookies to servers other than the one they originated from.
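The ticket flow described above, as an added simulation that is not Microsoft's code: an authentication server issues a time-limited GLOBALAUTH cookie and a per-site ID-tag under a key shared only with that commerce server, the commerce server exchanges the tag for its own LOCALAUTH cookie, and later visits within the validity window need no credentials. The tokens are authenticated with HMAC-SHA256 rather than the triple DES encryption the article mentions; the key names, lifetimes, user list and site names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

def _seal(key, payload):
    """Serialise and MAC a token; stands in for the encrypted cookie / ID-tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode()

def _open(key, token, now):
    """Verify the MAC and the expiry; return the payload, or None if tampered or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception:
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    payload = json.loads(body)
    return None if payload["exp"] <= now else payload

class Browser:
    def __init__(self):
        self.cookies = {}
    def logout(self):
        self.cookies.clear()   # an explicit Windows Live ID logout removes both cookie kinds

class AuthServer:
    """Checks credentials, sets GLOBALAUTH, issues ID-tags keyed per commerce site."""
    def __init__(self, users, site_keys, cookie_ttl=3600, tag_ttl=60):
        self.users, self.site_keys = users, site_keys   # constructed demo data
        self.global_key = b"demo-global-key"            # constructed
        self.cookie_ttl, self.tag_ttl = cookie_ttl, tag_ttl

    def login(self, browser, site, username=None, password=None, now=None):
        now = time.time() if now is None else now
        session = _open(self.global_key, browser.cookies.get("GLOBALAUTH", ""), now)
        if session is None:
            # No valid GLOBALAUTH cookie: credentials are required (over SSL in the real service).
            if username is None or self.users.get(username) != password:
                return None
            session = {"sub": username, "exp": now + self.cookie_ttl}
            browser.cookies["GLOBALAUTH"] = _seal(self.global_key, session)
        # The ID-tag is sealed under the key agreed in advance with this site only.
        return _seal(self.site_keys[site], {"sub": session["sub"], "site": site, "exp": now + self.tag_ttl})

class CommerceServer:
    def __init__(self, name, site_key, local_ttl=1800):
        self.name, self.site_key, self.local_ttl = name, site_key, local_ttl

    def visit(self, browser, id_tag=None, now=None):
        """Return the logged-in user, or None when a redirect to the auth server is needed."""
        now = time.time() if now is None else now
        local = _open(self.site_key, browser.cookies.get("LOCALAUTH-" + self.name, ""), now)
        if local is not None:
            return local["sub"]                       # LOCALAUTH still valid: no re-authentication
        if id_tag is None:
            return None
        tag = _open(self.site_key, id_tag, now)
        if tag is None or tag["site"] != self.name:
            return None                               # tag for another site, forged, or expired
        browser.cookies["LOCALAUTH-" + self.name] = _seal(self.site_key, {"sub": tag["sub"], "exp": now + self.local_ttl})
        return tag["sub"]

def demo(now=1_000_000.0):
    keys = {"shop": b"shop-shared-key", "mail": b"mail-shared-key"}      # constructed
    auth = AuthServer({"alice": "correct horse"}, keys)
    shop, mail, b = CommerceServer("shop", keys["shop"]), CommerceServer("mail", keys["mail"]), Browser()
    steps = {}
    steps["anon"] = shop.visit(b, now=now)                                  # no cookies: redirect
    tag = auth.login(b, "shop", "alice", "correct horse", now=now)          # credentials once
    steps["first"] = shop.visit(b, id_tag=tag, now=now)                     # tag -> LOCALAUTH
    steps["repeat"] = shop.visit(b, now=now + 100)                          # LOCALAUTH suffices
    tag2 = auth.login(b, "mail", now=now + 200)                             # GLOBALAUTH suffices
    steps["sso"] = mail.visit(b, id_tag=tag2, now=now + 200)
    steps["wrong_site"] = mail.visit(Browser(), id_tag=tag, now=now)        # shop tag rejected by mail
    steps["local_expired"] = shop.visit(b, now=now + 2000)                  # LOCALAUTH lapsed
    steps["global_expired"] = auth.login(b, "shop", now=now + 4000)         # GLOBALAUTH lapsed
    b.logout()
    steps["after_logout"] = shop.visit(b, now=now + 200)
    return steps

if __name__ == "__main__":
    print(demo())
```

Because each commerce site holds its own key, a tag minted for one site is meaningless to another, and because validity is carried inside the sealed token, expiry cannot be extended by editing the cookie; the two lifetimes model the article's point that a forgotten logout leaves both cookies usable until they lapse.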
Following recent updates to Windows XP, some users experience popups asking them to enter their Windows Live ID whenever they browse to their Documents and Settings/username/ folder, whether or not they have such an ID or use those services. This can be prevented by deleting the item "My web sites on MSN" from the NetHood subfolder of that folder; the item apparently triggers the prompt by trying to access the network.
Digital rights and early criticism
Windows Live ID (at the time Microsoft Passport) was criticized by the Electronic Frontier Foundation's staff attorney Deborah Pierce as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.[1] The privacy terms were quickly updated by Microsoft to allay customers' fears.
Security issues
Windows Live ID is used by many services to prove ownership of a user's e-mail address. However, a security breach was found in Windows Live ID on June 17, 2007 by Erik Duindam, a web developer in the Netherlands, who reported that a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address."[2]
The problem arose around the e-mail verification link received upon a new Windows Live ID registration. A procedure was found to allow users to register invalid or currently used e-mail addresses. After registration with a valid e-mail address that the user does have access to, a verification link is received. Before using it, however, the user is allowed to change the initial e-mail address to one that doesn't exist, or to an existing e-mail address currently used by another user. After logging out a second time and confirming using the first link, the Microsoft system simply confirms the account using the invalid or unowned e-mail address. This implies possible privacy and identity risks, for example a colleague pretending to be the user's manager or a media reporter pretending to be an investor using the Windows Live Messenger service.
This problem was acknowledged and fixed by Microsoft on June 19, 2007. Without confirmation of the e-mail address, Microsoft will include a warning with any future instant messages sent on Windows Live Messenger, which will appear as "fake@emailaddress (E-mail Address Not Verified)." However, any existing accounts created with fake e-mail addresses were still active as of June 20, 2007 without the warning message. Microsoft did not provide any further information on the security flaw's impact.[3]
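The defect above is a binding failure: the confirmation link proved that a mailbox existed, but the system applied that proof to whatever address the account held at the moment the link was clicked. The following added example (not Microsoft's code; account names, addresses and the store are constructed) models a toy account store in both modes, replays the sequence from the report as a regression test, and renders the Messenger-style "(E-mail Address Not Verified)" label for accounts that never completed verification. The hardened mode binds each token to the address it was issued for, invalidates outstanding tokens when the address changes, and refuses to verify an address already verified on another account.

```python
import secrets

class AccountStore:
    """Toy account store. bind_token_to_email=False reproduces the 2007 behaviour,
    True is the hardened behaviour."""
    def __init__(self, bind_token_to_email):
        self.bind = bind_token_to_email
        self.accounts = {}   # account_id -> {"email": str, "verified": bool}
        self.tokens = {}     # token -> (account_id, email the link was issued for)

    def register(self, account_id, email):
        self.accounts[account_id] = {"email": email, "verified": False}
        return self._issue(account_id)          # the token carried by the verification link

    def _issue(self, account_id):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (account_id, self.accounts[account_id]["email"])
        return token

    def change_email(self, account_id, new_email):
        acct = self.accounts[account_id]
        acct["email"] = new_email
        acct["verified"] = False
        if not self.bind:
            return None                         # flaw: the old link stays valid
        # Hardened: links sent to the old address must not verify the new one.
        for t in [t for t, (a, _) in self.tokens.items() if a == account_id]:
            del self.tokens[t]
        return self._issue(account_id)          # a fresh link goes to new_email

    def confirm(self, token):
        entry = self.tokens.pop(token, None)
        if entry is None:
            return False
        account_id, issued_for = entry
        acct = self.accounts[account_id]
        if self.bind:
            if acct["email"] != issued_for:
                return False                    # address changed since the link was sent
            if any(a["verified"] and a["email"] == issued_for
                   for i, a in self.accounts.items() if i != account_id):
                return False                    # already verified by its real owner
        acct["verified"] = True
        return True

def display_name(store, account_id):
    """Messenger-style label: unverified addresses carry the warning the article quotes."""
    acct = store.accounts[account_id]
    return acct["email"] if acct["verified"] else acct["email"] + " (E-mail Address Not Verified)"

def run_scenario(bind_token_to_email):
    """Replays the reported sequence: register, receive link, swap address, click old link."""
    store = AccountStore(bind_token_to_email)
    # Constructed data: the genuine owner of manager@example.invalid is already verified.
    store.confirm(store.register("mgr", "manager@example.invalid"))
    # The registrant owns newuser@example.invalid and receives a link for it...
    link = store.register("newuser", "newuser@example.invalid")
    # ...then changes the address to someone else's before using the link.
    store.change_email("newuser", "manager@example.invalid")
    confirmed = store.confirm(link)
    return confirmed, display_name(store, "newuser")

if __name__ == "__main__":
    print("flawed:  ", run_scenario(False))
    print("hardened:", run_scenario(True))
```

In the flawed mode the account ends up verified for an address its holder never controlled; in the hardened mode the old link is refused and the account keeps the warning label, which is the observable difference the article describes after the June 19 fix.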
References
1. "Privacy terms revised for Microsoft Passport"
2. "Windows Live ID security breached", erikduindam.com, http://www.erikduindam.com/windowslive.pdf
3. "Windows Live Bug Opened Door to Scammers", PC World
See also
- Liberty Alliance
- OASIS (organization)
- Xbox Live
- OpenID, Yadis, Light-Weight Identity (URL-based identity protocols)
- Windows CardSpace
- Windows Live
External links
- Windows Live ID blog: Microsoft's official blog for Windows Live ID
- Microsoft Passport Network web site