Farewell Windows Live ID, Trevin is signing out

Technology | Friday 20 October 2006 4:19 pm

After 5 years, I’m leaving the Windows Live ID team to pursue a Lead PM position in the Windows Marketplace team. While I’m sad to leave my coworkers and friends in an area that I know like the back of my hand, I’m equally excited to embark on a new adventure working in a completely different space. The icing on the cake is that I’ll be working again for a guy whom I worked for a number of years ago. Definitely one of the people I respect most at Microsoft.

My transition from Live ID to Marketplace will be happening over the next few weeks, with my ‘official’ last day on Live ID being October 27th. 

For those on the MS campus, I’ll be moving from 119 to 25, which spells great news since I’ll finally be able to get parking without valet! :)


Multi-user support on sign-in

Technology | Tuesday 2 May 2006 3:50 pm

Mark Wong and Erren Lester, two PMs on my team, wrote on our team blog moments ago about the new multi-user support on our Windows Live ID sign-in page.

The multi-user support is enabled by our “Windows Live Sign-in Assistant”, which is our IE browser add-on that is optionally installed with Windows Live smart clients like Live Messenger.

Do you have multiple Windows Live ID accounts? Do you share the same Windows account with more than one person? Do you switch between these accounts frequently? If you answered yes to these questions, you’re in for some good news!

Today we are shipping the Windows Live Sign-in Assistant which is an Internet Explorer add-on that comes included with Windows Live Smart Clients, such as Windows Live Messenger. The goal of this add-on is to help make your sign-in experience faster and more convenient for users that have more than one Windows Live ID account.

Easily choose which account you want to use

Multiple Windows Live ID accounts are often used on a particular computer, either because multiple people share a computer (like in a family home), or because you are an individual user with multiple accounts (for example, separate accounts for ‘work’ and ‘home’). A key feature that the Windows Live ID sign-in experience will offer is the ability for our users to save multiple credentials on their machine. These multiple accounts will be shown as a list on the sign-in page – you’re even able to save your password for each of these accounts, eliminating the need to re-type your password every time you want to change your identity! (Note: if you use a shared/public computer, we do not recommend saving your password.) Take a look at this screenshot taken from one of our test environments:

True Password Persistence!

Before the Windows Live Sign-in Assistant, the ‘save my password’ option caused your sign-in state to be persisted across multiple browser sessions (it was a persistent cookie), but hitting “sign-out” at any page would delete the cookie and the next time you wanted to log in, you were prompted for your password again. 

This was a frustrating experience for users.

With the Sign-in Assistant installed, the ‘save my password’ box will work just like it does in Messenger – it will keep the password in a local credential store (we use the Windows Credential Manager). If you’ve chosen to save your password, all it takes to sign in is a single click on the appropriate user tile. This is a huge improvement over the previous experience. We’ve also made it very easy for you to remove your saved password: just click on the “remove” link and the member name and password are deleted from the credential store. You are still in control of when your credentials are saved.

One credential list shared by Windows Live smart clients and browser applications

The list of users that is shown on the sign-in page is actually the same saved user list used by Windows Live desktop applications, meaning that if you save a credential in Windows Live Messenger, it will be shown by your browser on the Windows Live ID sign-in page!  If you choose to “save my password” on the Windows Live sign-in page, your username and password will show up on the user list in Windows Live Messenger.  This will unify the experience across Windows Live ID enabled applications.  This also means that choosing “remove” on the Windows Live Sign-in page will remove the saved ID/password for all

<continued on our team blog….>


Why does Passport (Live ID) sign-in suck?

Technology | Sunday 5 February 2006 8:20 pm

I’ve decided to start a series of posts on my beloved product, Passport (aka Windows Live ID). I’ve talked in the past about the breadth and depth of work our team is doing for Microsoft, much of it behind the scenes to help partners like Messenger and Xbox realize their scenarios.

A recurring topic that has come up since the inception of Passport surrounds the sign-in user interface (UI). Signing into MSN, Microsoft and Windows Live services is a hot topic and sign-in is often perceived to be a barrier. To kick this series of posts off, I’ll start with the most common gripe:

Q: Why do you keep asking me to sign in over and over again even though I’ve checked “automatically sign me in”? What don’t you understand about “automatic”?!

One of the biggest problems we see in the network of MSN, Windows Live and Microsoft sites is that Passport sign-in is seen way too often by users. It appears as if we are disregarding your choice of “automatically sign me in” and randomly asking you to sign in when we want with no rhyme or reason.

In order to explain why this is happening and get down to the source of the problem (and ultimate solution), I’ll briefly discuss the way Passport sign-in works. (Note: I will purposely be a little “hand wavy” and vague for simplicity of discussion.)

Passport / Live ID sign-in 101

Passport sign-in is based on cookies. Because HTTP is stateless, we have only 2 ways of persisting information across requests: the first being to carry it on the query string, and the second via HTTP cookies. The first method (query string) isn’t useful across browser sessions (open IE, close it, and re-open), which leaves us only option 2 (cookies). Cookies are the mainstay of modern web sites, and allow very powerful personalization and state management. Passport leverages this to provide the world’s largest web authentication (aka sign-in) system.

Passport first validates your identity by validating the “credentials” (email address and password combination) that you typed in on our sign-in UI. Once validated, Passport uses cookies in the passport.com domain and in the partner’s domain (eg. www.live.com, MSN Money, MSDN) to vouch for your identity. The cookies in our partner’s domain act as assertions that you are who you say you are. Because each partner site trusts Passport, the sign-in authority, assertions about a user’s identity from Passport are also trusted by the partner.

<geek>

For those more technically inclined and familiar with sign-in systems, Passport utilizes a protocol very similar to Kerberos with:

- the Passport sign-in server acting as the Key Distribution Center (KDC)
- the passport.com domain cookies acting as the Ticket Granting Ticket (TGT) (also known as a magic cookie)
- the cookies in each partner domain (eg. msn.com) acting as the service ticket
- the partner sites (eg. www.live.com) acting as the Service Server (SS)

</geek>

After you sign into one partner site in the “passport network”, you can freely go to subsequent partner sites and sign in. This is where the magic of Passport comes into play and single sign-on is achieved. When you visit another partner site and click “sign in”, you are redirected to Passport servers. Because you already authenticated once to Passport (represented through your passport.com cookies), we don’t need to validate your credentials again and can issue a service ticket for this new partner website.

But Trevin, you just said that “because you already authenticated once to Passport <snip>, we don’t need to validate your credentials again…”. That clearly isn’t the case since I seem to keep getting asked for my password!

In the last section, especially the last paragraph, I purposely left out some detail for simplicity. We can dive into more detail now that you have a better high-level understanding of the flow of passport sign-in.

In order to have a secure single sign-on system, you simply cannot have one prompt for a login and then be able to access any site. It sounds counter-intuitive, since that’s what “single sign-on” seems to imply. This would only be possible if every single website you accessed had the same level of security and data sensitivity. We all know that this is not the case; instead, sites vary in the level of security needed to protect them.

On the lower end of the spectrum (least sensitive), we have sites like www.live.com, which is merely personalization. In the middle, we have sites like Live Mail, which has personal information such as email from your friends. On the extreme end of the scale (most sensitive) we have sites like Microsoft Billing, which contains your credit card information. Because of these varying levels of data sensitivity, each site in the Passport network configures what we’ll call its “security policy”, which tells Passport what parameters to enforce during sign-in. These parameters are supposed to be directly related to the site’s data sensitivity: the more sensitive the information therein, the “tighter” the security policy.

What exactly does a “tight” security policy mean? For this discussion, we’ll restrict it to “time window”, which is the length of time since you last entered your password. So a time window of 5 minutes means that you must have entered your password within the last 5 minutes, otherwise you will be forced to sign in again.

Trevin, you’ve written the longest blog post in the history of your blog. What’s the point of all this?

Relax, I’m getting there :) On each redirect to Passport that a partner website makes, it indicates what its security policy is (usually on the query string). Passport, as the authentication broker, simply enforces that policy. So the reason you often get asked to sign in over and over again is not because Passport is “broken”, but rather because we’re obligated to honor the security policy (time window) that we’ve been told to enforce.

All our partner websites currently have a mismatched set of security policies, each set at the discretion of that team’s security champ. It’s because of these inconsistent security policies that you keep getting asked for your password over and over.

Wow, so this sounds like a tough problem to solve. How are you going to fix this?

Our team is absolutely committed to making the sign-in experience the best on the internet. To fix this specific problem, our team is moving to a centralized definition of security policies. What does this mean? Instead of each partner website telling us the specific parameters of the security policy (such as time window), they will instead tell us the ID of a security policy to enforce, whose definition will live on the Passport sign-in servers. This means that by offering a limited set of security policies we limit the mistakes partner websites can make, and we will inherently have more consistency across the entire network for sign-in. Additionally, it gives us more agility to tweak both the user experience and the security of the network, since Passport is in total control of the parameters.
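To make the flow above concrete, here is a small Python simulation added to this post (it is not Passport code and not the team’s own). It models the Kerberos-style roles from the “sign-in 101” section (a broker playing the KDC, a passport.com “magic cookie” playing the TGT, per-partner tickets) and enforces each partner’s time window the way the post describes. It then runs the same sequence of partner visits twice: once with each partner passing its own window, and once with partners naming a centrally defined policy ID. Every user name, password, partner name, policy ID and time window in it is made up for the illustration.

```python
"""Toy model of the Passport / Live ID single sign-on flow described above.

Roles follow the post's Kerberos analogy:
  SignInBroker                 -> the Passport sign-in server (KDC)
  MagicCookie                  -> the passport.com cookie (TGT)
  dict returned by service_ticket -> the cookie set in a partner's domain (service ticket)

Every user name, password, partner name, policy id and time window below is
constructed for this example; none of it is real Passport configuration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed credential store used only by the simulation.
CONSTRUCTED_PASSWORDS = {"user@example.com": "correct-horse"}


@dataclass
class MagicCookie:
    """The passport.com cookie: the broker vouches that this user typed a
    valid password at `last_password_entry` (simulated seconds)."""
    user: str
    last_password_entry: float


class SignInBroker:
    """Passport's role: validate credentials once, then issue per-partner
    tickets for as long as the partner's time window has not expired."""

    def __init__(self, policies: Dict[str, float]):
        # policy id -> time window in seconds since the last password entry
        self.policies = policies
        self.password_prompts = 0  # how often the user had to re-type the password

    def validate_credentials(self, user: str, password: str, now: float) -> MagicCookie:
        self.password_prompts += 1
        if CONSTRUCTED_PASSWORDS.get(user) != password:
            raise PermissionError("credentials rejected")
        return MagicCookie(user, now)

    def service_ticket(self, cookie: Optional[MagicCookie], policy_id: str, now: float) -> Optional[dict]:
        """Return a partner-domain ticket, or None if the partner's policy
        requires the password to be entered again."""
        if cookie is None:
            return None
        if now - cookie.last_password_entry > self.policies[policy_id]:
            return None
        return {"user": cookie.user, "policy": policy_id, "issued_at": now}


def visit_partner(broker, cookie, user, password, policy_id, now):
    """The redirect a partner site makes to Passport. The TGT is tried first;
    only when the time window is exceeded does the sign-in UI appear."""
    ticket = broker.service_ticket(cookie, policy_id, now)
    if ticket is None:
        cookie = broker.validate_credentials(user, password, now)
        ticket = broker.service_ticket(cookie, policy_id, now)
    return cookie, ticket


def simulate(policies: Dict[str, float], visits: List[Tuple[float, str]]) -> dict:
    """Walk one user through a sequence of (time, policy id) partner visits and
    record at which visits the password prompt came up."""
    broker = SignInBroker(policies)
    cookie = None
    prompted_at = []
    for now, policy_id in visits:
        before = broker.password_prompts
        cookie, ticket = visit_partner(broker, cookie, "user@example.com", "correct-horse", policy_id, now)
        assert ticket is not None  # after a fresh password entry the window is always satisfied
        if broker.password_prompts > before:
            prompted_at.append((now, policy_id))
    return {"prompts": broker.password_prompts, "prompted_at": prompted_at}


def scenario_per_partner_windows() -> dict:
    """Today's situation from the post: each partner passes its own window, and a
    personalization site mis-set to 60 seconds causes an extra prompt."""
    policies = {"live.com": 86400, "startpage": 60, "mail": 3600, "billing": 300}
    visits = [(0, "live.com"), (120, "startpage"), (130, "mail"), (1000, "billing")]
    return simulate(policies, visits)


def scenario_central_policies() -> dict:
    """The proposed fix: partners name a policy id and Passport owns the
    definition, so both personalization sites land in the same tier."""
    policies = {"low": 86400, "medium": 3600, "high": 300}
    visits = [(0, "low"), (120, "low"), (130, "medium"), (1000, "high")]
    return simulate(policies, visits)


if __name__ == "__main__":
    print("per-partner windows:", scenario_per_partner_windows())
    print("central policies:   ", scenario_central_policies())
```

The same four visits produce three password prompts when every partner picks its own window and only two once the personalization sites share one centrally defined tier; the billing site still re-prompts in both runs, which is the point of keeping a tight window where the data is sensitive.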

Over and out

Albeit lengthy, I hope this explanation helps to give you some insight into the Passport single sign-on system as well as why certain behaviors you experience are happening. In subsequent posts over the next few weeks, I will be addressing other parts of Passport sign-in in order to shed some light on what’s going on under the covers and tell you where we’re going in the future.

Our team is committed to improving the sign-in experience, so please drop a comment if you have questions or any feedback for our team.


Fame through the Custom Domains team

Technology | Monday 12 December 2005 12:24 pm

I rarely get to do this, but it looks like one of my old features that shipped last May got another mention indirectly through a post on the new Windows Live Custom Domains service. This service is actually pretty neat as it allows you to offer hosted Hotmail email, but the email addresses are in your domain. So if you own trevin.com, you can offer friends and family email addresses in your domain, all hosted by Hotmail (eg. mom@trevin.com, dad@trevin.com, etc). That is, you can sign into www.hotmail.com with your new email address and send/receive mail all from within Hotmail. To top it off, all these accounts are also full fledged Passport accounts, so you can use them for Messenger and all our other services that use Passport authentication.

But the real point of this post was to point out that my feature got a mention over at Greg Hughes’ blog :)  Cynthia, a long time friend and PM over in the Custom Domains team, sent me a link to Greg’s post praising her service.  The best part was this:

“But even better than that, as I typed the new password, a color-coded ‘password strength’ bar showed me the complexity strength of my password. It went from Red (weak) to Yellow (so-so) to Green (strong) as I typed. Nice! That’s what we need more of - simple, powerful tools to help end users be more secure in real time. Great work, whoever decided to put that in, and to whoever built it. It’s quite effective.”

Cool, that password strength meter is the feature I PM’d! :)

We shipped that back in May 2005 and it’s been part of the registration process ever since, but since users only go through registration once, many people haven’t really seen it. But with new Windows Live services rolling out that involve credential creation and management (like Custom Domains), elements of our registration experience are getting seen by more people more often, including the password strength meter. The funny part of this, actually, is that this is one of the smaller features that I’ve PM’d during my time at Microsoft. I’ve shipped a redesigned sign-in UI, Xbox Live authentication, smart client authentication libraries, etc. It seems that this little UI/security widget really resonates with users, I guess more so than even my Xbox Live authentication work :)

I’ve always been jealous of other products in the company that get lots of super cool press coverage (eg. Kahuna, start.com, etc). My team always gets passed over because we’re not shipping e2e customer scenarios, but rather the glue for other services to deliver their scenarios. I’m going to go bask in the warm glow of my 30 seconds of glory now…
