
Windows Live ID and Phishing

Hi everyone, Neelamadhaba Mahapatro (Neel) here – I run Microsoft’s online identity service (Windows Live ID). Consumer safety, security and privacy are our top priority. Earlier this week a comment was left on Angus Logan’s blog; it got me thinking, and I want to share what we are doing to create phishing-resistant systems.

  • We are absolutely aware of the dangers of phishing on the Internet.
  • We understand the probability of attack goes up when the value of the asset that is being protected is higher than the strength of authentication protecting that asset - watch this video by Kim Cameron to see OpenID phished.
  • We have put certain measures in place to counteract phishing attempts which are listed below.

Self Issued InfoCards

In August 2007 we announced beta support for self-issued InfoCards with Windows Live ID (instead of username/password). The Windows Live ID team is working closely with the Windows CardSpace team to ensure we deliver the best solution for the 400 million+ people who use Windows Live ID monthly. Angus's commenter, davidacoder, also asked for the Windows Live ID service to become a Managed InfoCard provider. We have been evaluating this; however, we have nothing to announce yet.

Authenticating to Windows Live ID with CardSpace.

Additional Protection through Extended Validation Certificates

To further reduce the risk of phishing, we have implemented Extended Validation certificates to prove that the login.live.com site is trustworthy. I do, however, think more education for internet users is required to help drive the understanding of what it means when the address bar turns green (and what to do when it doesn’t). When authenticating in a web browser, Microsoft will only ask for your Windows Live ID credential pair on login.live.com – nowhere else! (See this related post.)

login.live.com with the Extended Validation certificate.
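As an added illustration (not part of the original post and not Microsoft's code), the following Python check encodes the rule just stated: the Windows Live ID credential pair belongs on https://login.live.com and nowhere else. The sample URLs are constructed lookalikes in the shapes phishing pages typically take, and the check goes slightly beyond the post by naming the trick each one relies on.

```python
from urllib.parse import urlsplit

# The only host on which, per the post, Microsoft asks for the credential pair.
EXPECTED_HOST = "login.live.com"


def check_credential_prompt(url: str) -> tuple:
    """Return (ok, reason). ok is True only for an https URL whose host is
    exactly login.live.com; anywhere else the Windows Live ID password
    should never be typed. The reason names the trick that was detected."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "not https: no EV certificate, so no green address bar"
    host = parts.hostname  # lowercased, with userinfo and port removed
    if not host:
        return False, "no host in URL"
    if "@" in parts.netloc:
        # Text before '@' is userinfo, not the host: a URL can begin with
        # 'login.live.com@' and still be served from a different site.
        return False, f"host is {host!r}; 'login.live.com@' before it is userinfo"
    if not host.isascii():
        return False, f"non-ASCII host: possible homograph of {EXPECTED_HOST}"
    if host != EXPECTED_HOST:
        hint = " (contains the name, but is a different host)" if EXPECTED_HOST in host else ""
        return False, f"host {host!r} is not {EXPECTED_HOST}{hint}"
    return True, "login.live.com over https; now confirm the EV indicator"


# Constructed sample URLs (example.net is a reserved example domain, not a
# real site) in the shapes phishing pages commonly use.
SAMPLE_URLS = [
    "https://login.live.com/login.srf",              # genuine shape
    "https://LOGIN.LIVE.COM:443/login.srf",          # only case and port differ
    "http://login.live.com/login.srf",               # plain http
    "https://login.live.com.example.net/login.srf",  # expected name is a prefix
    "https://login.live.com@example.net/login.srf",  # userinfo trick
    "https://example.net/login.live.com/login.srf",  # expected name in the path
    "https://l\u043egin.live.com/login.srf",         # Cyrillic 'о' homograph
]


def triage(urls):
    """Map each URL to whether a credential prompt there is legitimate."""
    return {u: check_credential_prompt(u)[0] for u in urls}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = check_credential_prompt(u)
        print("OK " if ok else "NO ", u, "-", why)
```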

What else have you got?

With identity and security you can’t do enough; therefore we continue to invest in other methods for protecting consumers. Another technique we use for both phishing resistance and usability is the Windows Live Sign-in Assistant. The sign-in assistant stores credentials in the Windows Credential Manager and shares them between login.live.com and Windows Live client applications (e.g. Messenger).

We also use roaming user tiles, which show the user’s avatar on login.live.com. If the picture doesn’t match your identity you should look at the title bar to see if you are in fact on login.live.com.

Windows Live Messenger with list of Live IDs.

Windows Live Sign-in Assistant and roaming user tiles on login.live.com.

User Experience and User Education

We’re constantly looking for ways to balance end-user security/privacy and user experience. If the barrier to entry is too high or the user experience is poor, the users will revolt. If it is too insecure the system becomes an easy target. A balance needs to be struck.

Microsoft is proactively engaging with organizations that put consumers at risk by asking for their secret credentials to access Windows Live services, either by screen-scraping or by using unsupported/undocumented APIs. It is critical that the web industry help change the way consumers treat their secret credentials by ceasing to ask for usernames/passwords except on the one site that issued them. Using Windows CardSpace is definitely a move forward from usernames & passwords, but adoption will be the critical factor here.

Summary

Opening our services & identities so they can be used at sites like flickr is another way we can respond to the needs of our users. Our work on overcoming phishing is complementary to this openness – let’s not pit one area of progress against another.

Published Monday, April 07, 2008 2:37 PM by JonB