Why does Passport (Live ID) sign-in suck?
I’ve decided to start a series of posts on my beloved product, Passport (aka Windows Live ID). I’ve talked in the past about the breadth and depth of work our team is doing for Microsoft, much of it behind the scenes to help partners like Messenger and Xbox realize their scenarios.
A recurring topic that has come up since the inception of Passport surrounds the sign-in user interface (UI). Signing into MSN, Microsoft and Windows Live services is a hot topic and sign-in is often perceived to be a barrier. To kick this this series of posts off, I’ll start off with the most common gripe:
Q: Why do you keep asking me to sign in over and over again even though I’ve checked “automatically sign me in”? What don’t you understand about “automatic”?!
One of the biggest problems with see in the network of MSN, Windows Live and Microsoft sites is that Passport sign-in is seen way too often by users. It appears as if we are disregarding your choice of “automatically sign me in” and randomly asking you to sign in when we want with no rhyme or reason.
In order to explain why this is happening and get down to the source of the problem (and ultimate solution) i’ll briefly discuss the way Passport sign in works. (Note: I will purposely be a little “handy wavy” and vague for simplicity of discussion).
Passport / Live ID sign-in 101
Passport sign in is based on cookies. Because HTTP is stateless, we have only 2 ways of persisting information across requests — the first being to carry it on the query string, and second via HTTP cookies. The first method (query string) isn’t useful across browser sessions (open IE, close it, and re-open), which leaves us only option 2 (cookies). Cookies are the mainstay of modern web sites, and allows very powerful personalization and state management. Passport leverages this to provide the world’s largest web authentication (aka sign-in) system in the world.
Passport first validates your identity by validating your “credentials” (email address and password combination) that you typed in on our sign-in UI. Once validated, Passport uses cookies in the passport.com and the partner’s domain (eg. www.live.com, MSN Money, MSDN) to vouch for your identity. The cookies in our partner’s domain act as assertions that you are who you say you are. Because each partner site trusts Passport, the sign-in authority, assertions about a user’s identity from Passport are also trusted by the partner.
<geek>
For those more technically inclined and familiar with sign-in systems, Passport utilizes a protocol very similar to Kerberos with:
-Passport sign-in server acting as the Key Distribution Center (KDC)
-Passport.com cookies domain acting as the Ticket Grant Ticket (TGT) (also known as a magic cookie)
-cookies in each partner domain (eg. msn.com) acting as service ticket
-Partner sites (eg. www.live.com) acting as the Service Server (SS)
</geek>
After you sign into one partner site in the “passport network”, users can freely go to subsequent partner sites and sign in. This is where the magic of Passport comes into play and single sign-on is achieved. When you visit another partner site, and click “sign in” you are redirected to Passport servers. Because you already authenticated once to Passport (represented through your passport.com cookies), we don’t need to validate your credentials again and can issue a service ticket for this new partner website.
But Trevin, you just said that “because you already authenticated once to Passport <snip>, we don’t need to validate you credentials again…“. That clearly isn’t the case since I seem to keep getting asked for my password!
In the last section, especially the last paragraph, I purposely left out some detail for simplicity. We can dive into more detail now that you have a better high-level understanding of the flow of passport sign-in.
In order to have a secure single sign-on system, you simply cannot have one prompt for a login then be able to access any site. It sounds counter-intuitive, since that’s what “single sign-on” seems to imply. This would only be possible if every single website you accessed had the same level of security and data sensitivity. We all know that this is not the case, and instead, sites vary in the level of security needed to protect it.
On the lower end of the spectrum (least sensitive), we have sites like www.live.com, which is merely personalization. In the middle, have sites like Live Mail, which has personal information such as email from your friends. On the extreme end of the scale (most senstitive) we have sites like Microsoft Billing which contains your credit card information. Because of this varying levels of data sensitivity, each site in the Passport network configures what we’ll call their “security policy” which tells passport parameters to enforce during sign in which is supposed to be directly related to their data sensitivity — the more sensitive the information therein, the “tighter” the security policy.
What exactly does a “tight” security policy mean? For this discussion, we’ll restrict it to “time window”, which is the length of time since you last entered your password. So a time window of 5 mins, means that you must have entered your password within the last 5 mins, otherwise you will be forced to sign in again.
Trevin, you’ve written the longest blog post in the history of your blog. What’s the point of all this?
Relax, I’m getting there 
On each redirect to Passport that a partner website makes, they indicate what their security policy is (usually on the query string). Passport, as the authentication broker, simply enforces that policy. So the reason you often get asked to sign in over and over again, is not because Passport is “broken”, but rather because we’re obligated to honor the security policy (time window) that we’ve been told to enforce.
All our partner websites currently have a mis-matched set of security policies, each set at their own discretion of their team’s security champ. It’s because of the inconsistent security plicies, you keep getting asked for your password over and over.
Wow, so this sounds like a tough problem to solve. How are you going to fix this?
Our team is absolutely committed to make the sign in experience the best on the internet. To fix this specific problem, our team is moving to a centralized definition of security policies. What does this mean? Instead of each partner website telling us the specific parameters of the security policy (such as time window), they instead will tell us an ID of a security policy to enforce, whose definition will be on the Passport sign-in servers. This means, that by offering a limited set of security policies we limit the mistakes partner websites can make, and we will inherently have more consistency across the entire network for sign in. Additionally, it gives us more agility to tweak both the user experience and security of the network since Passport is in total control of the parameters.
Over and out
Albeit lengthy, I hope this long explanattion helps to give you some insight into the Passport single sign-on system as well as why certain behaviors you experience are happening. In subsequent posts over the next few weeks, I will be addressing other parts of Passport sign-in in order to shed some light of what’s going on under the covers and tell you where we’re going in the future.
Our team is committed to improving the sign-in experience, so please drop a comment if you have questions or any feedback for our team.
I have a different problem. .Net passport saves everything ever entered. So when I go the pulldown menu, I have various erroneous entries and e-mail addresses that I don’t or cannot use in passport. How do I remove them????
Marty, are you talking about MSN/Windows Live Messenger? The browser sign-in UI doesn’t have a drop-down menu, so I figure you must be referring to a rich client like Messenger.
If it is indeed Messenger that you are talking about, when you select one of the saved email addresses, there shoudl be a link next to “remember me” that says “forget me”. If you click “forget me” it will delete that saved user.
I read this explanation and it seems to be BS since it only happens on Internet Explorer. I also use Fire Fox and the problem of sign-in using the same email address and password being “forgotten” never occurs. Are Fire Fox programmers that much smarter or is this just some more MicroSoft arrogance?
Jim, I’d love to get exact reproducible steps where you show this is only broken in Internet Explorer and not Firefox. Since Passport/LiveID is, at its core, a cookie-based authentication system, there are no ties to either IE or Firefox.
What I’m describing in this post is a situation where the overall user experience is broken due a poor implementation by several Microsoft properties that utilize Live ID as its authentication service.
Again, if you have specific repro steps where you can find a bug that is only applicable to IE, I’d love to hear it. I can pass it along to the Live ID team (I have since moved onto The Windows Marketplace team).
Please just tell me how to get away from MS Passport.
I am now going through a router and have additional
protection, and sometimes by the time Passport lets me sign in I’ve forgotten what I wanted to do. I want to go straight to sites from my homepage. I hate to give up my msn homepage, Thanks fir any help.
Johnnie Badia
msjaybee@comcast.net
Johnnie, I’m confused at how a router and Windows Live ID (aka Microsoft Passport) are related. You need to sign-in with your Live ID in order to identify yourself to the Microsoft services you are accessing (like the MSN Homepage).
When you say that your router is protecting you, I’m assuming you are talking about the built-in firewall, but that has nothing to do with online authentication.
Perhaps I misunderstood what you were trying to ask?
How come whenever I sign in, I try talking to a contact and it just signs me back out?
Imogen,
I believe you’re talking about Windows Live Messenger? If so, I’m not sure what your issue could be because it sounds like an issue with Messenger itself and not Passport/LiveID.
Have you tried installing the latest Messenger from http://get.live.com/betas/messenger_betas ?
I have a different problem, It may be simple.
Whenever I try to sign in it starts something to create a .net passport. But I already have one! I don’t want to make a new one. But there’s no option to put that I already have one!
I am reading this 2 years 2 late, but the explanation was excellent.
Now I will be far more understanding of the situation and direct my “virtual irritation” at those partner sites with multiple/non-standardized policies.
I guess the progress towards having them simply select a predefined policy from Passport Servers is still a transition in progress?
Jeff: You should actually have already seen a drammatic difference in how often you’re prompted to sign-in with LiveID and how many times it will “silently” sign you in.