Jamie Thomson


I'm liking Live ID auth but I do have a question about it.

  • Once someone has signed-up for my site using Live Auth, how much of that user's personal information am I going to have access to For example, if I want to send emails to my users I don't want to have to ask them for their email address - as far as they are concerned I should already know it cos they've logged into my site. I'd obviously like to know their name as well, and undoubtedly alot of other things.

As I wrote that my train of thought led me to ponder these things as well:

  • Will Microsoft store custom information for us i.e. information other than what Microsoft already collect about a user through their Live ID/profile. Let's suppose, purely hypothetically, I want to know a user's twitter username/password so that they can publish to twitter from my web site - will you store that username/password (encrypted of course) for me I guess you can rephrase this as "Will Microsoft store my web site's profile database for me without me having to care about how and where you do this " This would promote "stickiness" of Live ID as well which I assume is what you are ultimately persuing here.

  • Assuming you would do something like I just described (huge assumption I know) would there be a mechanism for allowing a user to change details about their profile from my service rather than having to go to http://account.live.com That would be a really interesting proposition because in theory if someone changes their registered username/password for (e.g.) twitter while using someone else's service then I would automatically know about it. In reality we're talking about centralising ALL the information that is known about a user and that could have HUGE beneficial implications for both the user and servives that leverage Live ID auth.

  • The last 2 questions raise interesting permutations for Live ID becoming a 'hub' for all of a user's login IDs. A "password locker" service in the cloud if you like. However, I admit to being a technologist that lets other people worry about privacy issues so I'm not sure if this has got legs or not. I'm actually surprised that Microsoft hasn't made a play for passwordlocker.com or some similar service.

Any comments on these questions/ideas Thanks in advance.

-Jamie





Re: What do I know about those that sign-up using Live ID auth?

Sir Darquan


Hey Jamie,

Althougt I don't work for Microsoft, I think I may have a clue to this answer. I remember reading that the reason Microsoft redesigned Passport to Live ID was because they realized that they can't be everything for everyone. At one point, they did share this information with passport partners, but I think it got abused some way and they stopped. You'll notice in the example, it suggests that we need to put disclaimers stating that Our sites aren't affiliated with Live and that there is no data shared. So Live ID is literally just authentication. At some point they may allow the users to set "site permissions" to allow Live to share certain things with our sites, like gamertag and things so that we can connect to other Live services. But I wouldn't hold my breath for that, because there are probably other ways to have users access other live services without giving our sites any info.

So, in conclusion, after a person signs into Live to authenticate, you need to make sure they are registered on your site, and if not gather the information you'll need to know to service them.

I hope this helps.






Re: What do I know about those that sign-up using Live ID auth?

Don Woods

I assume that upon authentication, you can only get the unique id of a user. It's now upto you as to how you implement authorization or store custom attributes. I believe that you can maintain a local database with all custom attributes and use the user unique id to fetch information about a particular user.

Users, while registration, enter their information( i.e., email, phone etc.,) which are known as the personal identifiable information (PII) . You do not have access to any of these information.

I hope this answers some of your concerns.

~Don






Re: What do I know about those that sign-up using Live ID auth?

Jamie Thomson

Hi guys,

Thanks for the replies.

I personally don't like the user experience that this is going to create. If I'm a user I don't want to login using my email address and then have to enter my email address seperately. Similarly, if I'm a user I don't want to have to supply personal info to serviceXYZ when I have already supplied that info on my LiveID. That's NT a good user experience.

Unfortunately if this is true it means that I won't be using Live ID authentication any time soon.

Its a shame no-one from MSFT has addressed this. Unfortunately this lack of support to customers is endemic throughout the whole of Windows Live in my experience. <sigh>

-Jamie






Re: What do I know about those that sign-up using Live ID auth?

Josh Brown - MSFT

All you receive is a pairwise ID for the user. You must collect and store profile info for these users on your own. This is to protect the user's PII (personally identifiable information). According to the academics, identity bloggers etc... the future of the identity meta-system will all be this way and will be based on pairwise ID and no information sharing.




Re: What do I know about those that sign-up using Live ID auth?

Jamie Thomson

Josh Brown - MSFT wrote:

All you receive is a pairwise ID for the user. You must collect and store profile info for these users on your own. This is to protect the user's PII (personally identifiable information). According to the academics, identity bloggers etc... the future of the identity meta-system will all be this way and will be based on pairwise ID and no information sharing.

Hi Josh,

Thank you very much for addressing this (and other posts of mine today).

I guess I can't argue with the academics. Its a shame tho - information sharing seems almost like a panacea to me.

Regards

Jamie






Re: What do I know about those that sign-up using Live ID auth?

slyi

Did you review Windows Live Data service http://msdn2.microsoft.com/en-us/library/bb447720.aspx

It should enable the sharing Windows Live ID signup data in safe manner.





Re: What do I know about those that sign-up using Live ID auth?

Angus Logan (Windows Live)

Jamie - you are right - Live ID isn't for everyone;

but would wouldn't you love the fact your end users can sign in using Info Card or they could sign in with 2 clicks;

most users iwll click "sign in" they will have their credentials saved in the login.live.com box and just click again;

then they come back to your site and enter the details they want YOU TO HAVE.

BTW - are you going to be @ MIXUK or TechEd lets hook up - I do a lot of work w/ Paul dawson.

Regards






Re: What do I know about those that sign-up using Live ID auth?

Angus Logan (Windows Live)

Hey - good idea.

I am waiting to see if anyone combines a signup process for Thirdparty.com with the signup for the Windows Live Data (contacts API) and then they can import the information from their contact record...

Smile






Re: What do I know about those that sign-up using Live ID auth?

Jamie Thomson

Angus Logan (Windows Live) wrote:
Jamie - you are right - Live ID isn't for everyone;

but would wouldn't you love the fact your end users can sign in using Info Card or they could sign in with 2 clicks;

most users iwll click "sign in" they will have their credentials saved in the login.live.com box and just click again;

then they come back to your site and enter the details they want YOU TO HAVE.

Y'know Angus, I'm kinda coming round to that way of thinking. I began an internal discussion at Conchango this week about this and the consensus seemed to be that this wouldn't be a detrimental experience. I guess the user will decide!

Angus Logan (Windows Live) wrote:

BTW - are you going to be @ MIXUK or TechEd lets hook up - I do a lot of work w/ Paul dawson.

Regards

Unfortunately not. I work in California and will be for the next 6 months or so. Definitely keep in touch though - it will be good to hook up when I get back. Do you work in the UK or the US

Say hello to Paul for me though. And tell him you've been talking to me - I'm trying desperately to get on his radar so that I can get involved with our Windows Live efforts. Smile

-Jamie






Re: What do I know about those that sign-up using Live ID auth?

Don Woods

I kinda liked the Windows Live data(http://msdn2.microsoft.com/en-us/library/bb447720.aspx) idea. However, right now they only expose Windows Live Contacts Would they give out at least the name of the user

~Don





Re: What do I know about those that sign-up using Live ID auth?

Jamie Thomson

Don Woods wrote:

I kinda liked the Windows Live data(http://msdn2.microsoft.com/en-us/library/bb447720.aspx) idea. However, right now they only expose Windows Live Contacts Would they give out at least the name of the user

~Don

Ah yes. That's made interesting reading. I thought Windows Live Data only exposed data when asked for it. What I DIDN'T realise was that you got a token that enabled you to access that data any time in the future (i.e. without the user's permission). Cool!

-Jamie