Movatterモバイル変換


[0]ホーム

URL:


Jump to content
WikipediaThe Free Encyclopedia
Search

Microsoft account

From Wikipedia, the free encyclopedia
(Redirected from.net passport)
User account required for Microsoft-owned services
"Microsoft Passport" redirects here. For Windows 10 security feature of the same name, seeWindows 10 § System security.

Microsoft account logo

AMicrosoft account orMSA[1] (previously known asMicrosoft Passport,[2].NET Passport, andWindows Live ID) is asingle sign-on personaluser account forMicrosoft customers tolog in to consumer[3][4] Microsoft services (likeOutlook.com), devices running on one of Microsoft's currentoperating systems (e.g.Microsoft Windows computers and tablets,Xbox consoles), and Microsoftapplication software (e.g.Microsoft Office,Microsoft Teams).

Overview

[edit]

Microsoft account allows users to sign into websites that support this service using a single set of credentials - theseusernames are in the same form as anemail address. Microsoft account offers a user two different methods for creating an account:

  1. Use an existing e-mail address: Users are able to use their own valid e-mail address to sign up for a Microsoft account. The service turns the requesting user's e-mail address into a Microsoft account ID. Users may also choose a password of their own choice.
  2. Sign up for a Microsoft e-mail address: Users can also sign up for a free e-mail account through Outlook.com or MSN, with Microsoft's webmail services designateddomains (i.e.@hotmail.com,@outlook.com,@msn.com[a]) that can be used as a Microsoft account to sign into other Microsoft account-enabled websites.

Both methods don't require, as of 2025, mobile verification.The domains @live.com and @passport.com, as well as other domains are no longer offered, but existing accounts are maintained.

Microsoft websites, services, and apps such asBing,MSN andXbox Live use Microsoft account as a means of identifying users. There are also several other companies that use it, such as theHoyts website which is hosted byNineMSN.

Windows XP and later has an option to link a local Windows user account with a Microsoft account, thus automatically logging users in to their Microsoft account whenever a service is accessed. Starting withWindows 8 andWindows Server 2012, Windows allows users to directly authenticate into theirPCs using their Microsoft account rather than a local or domain user.[5]

Login methods

[edit]

In addition to using an account password, users can login to their Microsoft account by accepting a mobile notification sent to a mobile device with Microsoft Authenticator, aFIDO2security token or by usingWindows Hello.[6] Users can also set uptwo-factor authentication by getting atime-based, single-use code by text, phone call or using an authenticator app.

Technical details

[edit]

Users' credentials are not checked by Microsoft account-enabled websites, but by a Microsoft account authentication server. A new user signing into a Microsoft account-enabled website is first redirected to the nearest authentication server, which asks for username and password over anSSL connection. The user may select to have their computer remember their login: a newly signed-in user has an encrypted time-limited cookie stored on their computer and receives atriple DES encrypted ID-tag that previously has been agreed upon between the authentication server and the Microsoft account-enabled website. This ID-tag is then sent to the website, upon which the website plants another encrypted HTTP cookie in the user's computer, also time-limited. As long as these cookies are valid, the user is not required to supply a username and password. If the user actively logs out of their Microsoft account, these cookies will be removed.

Relationship with work or school account

[edit]

Microsoft also offer awork or school account which are set up by anadministrator as part of an organization. These accounts are separate from Microsoft accounts (which is also calledpersonal account) and cannot be merged, but may be used side-by-side by a user.[7][8] A work or school account uses theAzure Active Directory domain platform.[9]

History

[edit]

Microsoft Passport, the predecessor to Windows Live ID, was originally positioned as asingle sign-on service for all web commerce. Microsoft Passport received much criticism. A prominent critic wasKim Cameron, the author ofThe Laws of Identity,[10] who questioned Microsoft Passport in its violations of those laws. He then joined Microsoft in 1999 after his company was acquired and was its chief architect of access and identity until his 2019 retirement, helping to address those violations in the design of the Microsoft Account identity meta-system. As a consequence, Microsoft Accounts are not positioned as the single sign-on service for all web commerce, but as one choice of many among identity systems.

In December 1999, Microsoft neglected to pay their annual $35 "passport.com" domain registration fee toNetwork Solutions. The oversight madeHotmail, which used the site for authentication, unavailable on December 24. ALinux consultant, Michael Chaney, paid it the next day (Christmas), hoping it would solve this issue with the downed site. The payment resulted in the site being available the next morning.[11] In Autumn 2003, a similargood Samaritan helped Microsoft when they missed payment on the "hotmail.co.uk" address, although no downtime resulted.[12]

In 2001, theElectronic Frontier Foundation's staff attorney Deborah Pierce criticized Microsoft Passport as a potential threat to privacy after it was revealed that Microsoft would have full access to and usage of customer information.[13] The privacy terms were quickly updated by Microsoft to allay customers' fears.

In July and August 2001, theElectronic Privacy Information Center and a coalition of fourteen leading consumer groups filed complaints[14] with theFederal Trade Commission (FTC) alleging that the Microsoft Passport system violated Section 5 of theFederal Trade Commission Act (FTCA), which prohibits unfair or deceptive practices in trade.[15] In August 2002, Microsoft agreed to settle the resulting FTC charges. As part of the settlement, Microsoft was required to implement and maintain a comprehensive security program, as well as being prohibited from misrepresenting information practices.[16]

Microsoft had pushed for non-Microsoft entities to create an Internet-wide unified-login system.[17] Examples of sites that used Microsoft Passport wereeBay andMonster.com, but in 2004 those agreements were canceled.[18] In August 2009, Expedia sent notice out stating they no longer support Microsoft Passport / Windows Live ID.

In 2012, Windows Live ID was renamed Microsoft account.[19][20]

Features

[edit]

Microsoft account is the website for users to manage their identity. Features of a Microsoft account include:

  • updating user's information such as first and last names, address, etc. associated with the account;
  • updating user settings, such as preferred language or preferences for email communications;
  • changing or resetting user passwords;
  • close the account;
  • view billing details associated with the accounts.

Integrated with

[edit]

The following is a list of computer programs and web services that support using Microsoft Account as the credentials required for the authentication process.

Web authentication

[edit]

On August 15, 2007, Microsoft released the Windows Live ID Web Authentication SDK, enabling web developers to integrate Windows Live ID into their websites running on a broad range of web server platforms - includingASP.NET (C#),Java,Perl,PHP,Python andRuby.[21][22]

Support for OpenID

[edit]

On October 27, 2008, Microsoft announced that it was publicly committed to supporting theOpenID framework, with Windows Live ID becoming an OpenID provider.[23] This would allow users to use their Windows Live ID to sign into any website that supports OpenID authentication. There had been no update on Microsoft's planned implementation of OpenID since August 2009,[24] however since November 2013 Microsoft have publicly participated in OpenID Connect interoperability testing.[25][26]

Security vulnerabilities

[edit]

On June 17, 2007, Erik Duindam, a web developer in the Netherlands, reported a privacy and identity risk, saying a "critical error was made by Microsoft programmers that allows everyone to create an ID for virtually any e-mail address."[27] A procedure was found to allow users to register invalid or currently used e-mail addresses. Upon registration with a valid e-mail address, an e-mail verification link was sent to the user. Before using it however, the user was allowed to change the e-mail address to one that did not exist, or to an e-mail address currently used by someone else. The verification link then caused the Windows Live ID system to confirm the account as having a verified email address. That flaw was fixed two days later, on June 19, 2007.[28]

On April 20, 2012, Microsoft fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account. The company was notified of the flaw by researchers at Vulnerability Lab on the same day[29] and responded with a fix within hours — but not before widespread attacks as the exploitation technique spread quickly across the Internet.[30][31]

On December 3, 2015, a security researcher discovered a vulnerability in theAdobe Experience Manager (AEM) software used on signout.live.com and reported it to the Microsoft Security Response Center (MSRC). This vulnerability enabled full-administrative access to the AEM Publish nodes'OSGi console and made it possible to execute code inside of theJVM through the upload of a custom OSGi bundle. The vulnerability was confirmed to have been resolved on May 3, 2016.[32]

See also

[edit]

Other identity services

Identity management

References

[edit]
  1. ^"Upcoming changes to Windows 10 Insider Preview builds [UPDATED 6/22]".Windows Experience Blog. June 19, 2015. RetrievedApril 17, 2016.
  2. ^Microsoft Passport: Streamlining Commerce and Communication on the Web
  3. ^"What's the difference between a personal Microsoft account and a work or school account?".TECHCOMMUNITY.MICROSOFT.COM. RetrievedOctober 4, 2023.
  4. ^"What is my user ID and why do I need it for Office 365 for business? - Microsoft Support".support.microsoft.com. RetrievedOctober 4, 2023.
  5. ^"Windows 8: The official review".PCWorld. RetrievedNovember 24, 2023.
  6. ^Warren, Tom (November 20, 2018)."You can now sign into a Microsoft Account without a password using a security key".The Verge.Vox Media. RetrievedNovember 27, 2018.
  7. ^"Why you need a Microsoft account, or work or school account with Microsoft 365 or Office - Microsoft Support".support.microsoft.com. RetrievedNovember 24, 2023.
  8. ^"Which account do you want to use? - Microsoft Support".support.microsoft.com. RetrievedNovember 24, 2023.
  9. ^"What's the difference between a personal Microsoft account and a work or school account?".TECHCOMMUNITY.MICROSOFT.COM. RetrievedNovember 24, 2023.
  10. ^Cameron, Kim (May 2005)."The Laws of Identity".Microsoft. RetrievedJuly 9, 2018.
  11. ^Chaney, Michael (January 27, 2000)."The Passport Payment". RetrievedNovember 3, 2007.
  12. ^Richardson, Tim (November 6, 2003)."Microsoft forgets to renew hotmail".The Register. RetrievedNovember 3, 2007.
  13. ^Privacy terms revised for Microsoft Passport
  14. ^"Complaint and Request for Injunction, Request For Investigation and for Other Relief"(PDF).Electronic Privacy Information center. July 26, 2001.
  15. ^EPIC: Microsoft Passport Investigation Docket,http://epic.org/privacy/consumer/microsoft/passport.html
  16. ^"Microsoft Settles FTC Charges Alleging False Security and Privacy Promises".Federal Trade Commission. August 8, 2002. RetrievedMay 31, 2024.
  17. ^Microsoft had pushed for non-Microsoft entities
  18. ^Microsoft Passport Dumped By Ebay
  19. ^Windows 8 Consumer Preview - FAQ
  20. ^"What is a Microsoft account?". Microsoft. RetrievedAugust 2, 2012.Microsoft account" is the new name for what used to be called a "Windows Live ID.
  21. ^LiveSide.net:Windows Live ID Web Authentication Is FinalArchived October 23, 2008, at theWayback Machine July 16, 2007
  22. ^Live ID Team blog announcement:Windows Live ID Web Authentication SDK for Developers Is Released July 15, 2007
  23. ^Windows Live ID Becomes an OpenID Provider
  24. ^Windows Live ID OpenID Status Update
  25. ^"Microsoft publicly participates in OpenID Connect interoperability testing".
  26. ^"Microsoft 365 documentation".
  27. ^"Windows Live ID security breached" on erikduindam.com
  28. ^Microsoft Windows Live Flaw Opened Door to ScammersArchived May 18, 2008, at theWayback Machine
  29. ^"Microsoft MSN Hotmail - Password Reset & Setup Vulnerability". Archived fromthe original on January 6, 2019. RetrievedApril 28, 2012.
  30. ^Twitter / @msftsecresponse: On Friday we addressed a reset function incident to help protect Hotmail customers, no action needed
  31. ^Bright, Peter (April 27, 2012)."Microsoft patches major Hotmail 0-day flaw after apparently widespread exploitation".Ars Technica.Archived from the original on October 6, 2012. RetrievedOctober 21, 2012.
  32. ^"Remote Code Execution (RCE) on Microsoft's 'signout.live.com'"
  1. ^@msn.com addresses are only offered toMSN Dial-up and MSN Premium customers

Further reading

[edit]

External links

[edit]
Management
tools
Apps
Shell
Services
File systems
Server
Architecture
Security
Compatibility
API
Games
Discontinued
Games
Apps
Others
Spun off to
Microsoft Store
Web services
Developer services
Discontinued
Software applications
Versions
Device software
Desktop software
Services
Development
Devices
Microsoft Office
Windows
Mac
Applications
(list)
Desktop
Server
Mobile
Web
Discontinued
Technologies
Related
Retrieved from "https://en.wikipedia.org/w/index.php?title=Microsoft_account&oldid=1272777195"
Categories:
Hidden categories:

[8]ページ先頭

©2009-2025 Movatter.jp