Wednesday, 31 August 2016

Microsoft seriously need to sort out their online Identity model

Account Nightmares with Microsoft

I have spent hours over the past 2 weeks with various account problems with Microsoft. Partner Network, MSDN, Azure, Bizspark and others. They seriously need to sort this out because it is becoming a joke so old, it will become a cliché!

What are they doing wrong? Like many people, their identity model is FAR too simplistic and therefore it causes great confusion.

Example 1 - Bizspark, confusing personal identity with account identity

Bizspark is a program by Microsoft that supplies software, hosting and support (thanks MS, it has helped us enormously) but to log in to your Bizspark account, you only use a Microsoft account and nothing else. Why is this bad? Because I have about 6 Microsoft accounts and I don't know which one I have used for Bizspark. I thought I did but to make it worse, it was originally set up (for reasons I can't remember) linked to an old email account I no longer have access to, and of course, I need to use the email for verification so I had to contact MS to change the email address over. To make matters worse, they pulled in the "name" from the billing contact, who is not me and which makes it even more fun when dealing with support.

Here's the thing. I should have an unambiguous identifier for the Bizspark account. Perhaps a federated company identifier but something that says, "I know which door I need to open, now let me try my various keys to get in". This is of course not helped by the security community who insist on trying to hide "helpful" information like which account I should be using to log in or which account simply has a wrong password entered but is otherwise correct. Today, it is so easy to add an extra step to reset via an email or send a token to a phone with 2-factor or something that basically means they can be helpful without risking security.

Example 2 - MSDN, having multiple identities that don't securely match

So I also signed up for the MS Action pack subscription, a useful way for small companies like ours to get some office and development software and it gives you 3 MSDN subscriptions. Great. How do we use them? We create or log in to MSDN using a Microsoft account (any account) and then add the subscription details, which might well live under a different email address. Basically, if I have an MSDN subscription number (or technical ID from Action Pack), I can link the MSDN account.

If the MSDN subscription is given to me under the Action pack subscription, then MSDN should require me to log in. It should know that the account I use for MSDN is the same person as the MSDN subscription because I should be able to link the accounts. This way, MSDN should be able to pull the data through automatically without the additional time delay problems that we experience when trying to link these purely in MSDN.

Example 3 - Transferring ownership.

One of the problems with the email identity model is that if I want to give someone else ownership of one of the products we use online, if I'm lucky I can add the other user and even possibly remove mine but most of the time, I would have to give that person my password so they can log in using my account.

Again, this breaks the idea that I should have a company account, which I can give people access to, either globally (which is useful in small companies) or on a more specific basis, perhaps access to Azure and Bizspark but not the Partner Network etc. This way, I can plan for the day when I leave the company or am fired and someone else will already be able to take over the accounts and remove my permissions.

Example 4 - Multiple account hell

There is another major problem when your federation doesn't link accounts to a single entity. Multiple account hell. I log into Azure with my support account and then open up the Partner Network in another tab. Of course, it automatically logs me in with the support account and there is nothing useful to see. Why? Because I need to be logged in with my luke account. What do I have to do? Log out as support and log in as luke. Great, now back to Azure and - oh yeah, can't see anything any more. Account switching is poor with MS but it might not be required if the sites were identifying ME and not just a specific email address.

Example 5 - Unregistered access to program sites

What happens on most web sites when you click to go into a restricted area without having registered? You will be told to sign in or sign up. Authentication 101. What happens on Bizspark or the Partner Network? You can log in with any MS account and not immediately realise that you are not registered because you get let in with some "helpful" context-sensitive menus that have hidden some options because you are not registered to the program even though you have authenticated to the site. This is terrible when attempting to remember creds for a specific site because it always lets you in when you would rather it said, "this account does not have a registration for Bizspark", even if it let you then click through to start the program registration, at least you would see that straight away.
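The model that Examples 3 to 5 argue for, as an added sketch (not code from this post and not Microsoft's design): logins resolve to one person, access is granted by the company per program, ownership can be handed over without sharing a password, and an authenticated but unregistered account is told so. All class, function, company and address names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Person:
    person_id: str
    logins: set            # every e-mail address this one human signs in with

@dataclass
class Organisation:
    name: str
    # program -> {person_id: role}; access hangs off the company, not an e-mail
    grants: dict = field(default_factory=dict)

    def grant(self, program, person, role):
        self.grants.setdefault(program, {})[person.person_id] = role

    def revoke(self, program, person):
        roles = self.grants.get(program, {})
        owners = [p for p, r in roles.items() if r == "owner"]
        if owners == [person.person_id]:
            raise ValueError(f"{program}: cannot remove the last owner")
        roles.pop(person.person_id, None)

    def transfer_ownership(self, program, old, new):
        self.grant(program, new, "owner")   # add the successor first
        self.revoke(program, old)           # then drop the leaver; no password shared

def resolve(people, login):
    """Map whichever address was used to sign in back to the one person."""
    return next((p for p in people if login.lower() in p.logins), None)

def open_program(people, org, login, program):
    """Decision for an already authenticated login opening a program site."""
    person = resolve(people, login)
    if person is None:
        return ("deny", f"{login} is not linked to anyone at {org.name}")
    role = org.grants.get(program, {}).get(person.person_id)
    if role is None:                        # authenticated, but not registered
        return ("not_registered",
                f"this account does not have a registration for {program}")
    return ("allow", role)

# Constructed sample data (hypothetical names and addresses)
luke = Person("p-luke", {"luke@example.com", "support@example.com"})
sam = Person("p-sam", {"sam@example.com"})
people = [luke, sam]
acme = Organisation("Acme Ltd")
acme.grant("Bizspark", luke, "owner")
acme.grant("Azure", luke, "owner")
acme.grant("Azure", sam, "member")
```
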

Conclusion

So you see, there are various ways in which MS's problems show themselves. Unlike Google (which is pretty bad itself) and Apple, MS have many sites and sub-sites which just makes it worse. Apple and Google seem to basically have developer and normal sites with everything behind these umbrellas.

The terrible mess of online accounts with Microsoft also seems to get worse and worse. You are constantly redirected to various systems and there are inconsistencies that simply shouldn't exist. Logout from one site and it takes you to accounts.microsoft.com (still logged in!) but log out from somewhere else and you go to msn.com (for goodness knows what reason?).

There needs to be global coordination of these sites, both the design and consistency of UX, as well as a better thought-out strategy for taking these forwards, like the UK Government did to lots of their portals and won awards for simple and easy to use sites.

Why Microsoft don't have a global VP for web access I don't know - it appears each area runs their own sites to their own designs with various levels of usability and design quality. Some of the sites like the Partner Network are terribly commercial looking and hard to navigate due to the excessive functionality and menus, others like Bizspark look nice but still lack coherent navigation so that some items are not immediately visible and others that you are told to click on are not there because you are logged into the wrong account!