Microsoft Sway – big (nasty) surprise when you try to use it

Topic

New Reply

So, I read the article, thought Sway worth trying. I opened it, and it kept asking for emails, etc. Finally, it announced that from now on I’d be logging into Windows with my PIN – NOPE, not going down that stink hole on a daily use PC or account. For some reason, the article here on WS forgot to mention that.

Reply | Quote

Replies

What were you trying to do when it asked for emails? That does not seem normal.

It seems as though you changed how you logon to your PC. I don’t think SWAY would change logon settings. What precise steps did you take to get SWAY to do this?

--Joe

Reply | Quote

As you have just discovered, Sway insists on the use of an email address before it can be used for the first time:

46824-sway
Click to enlarge

Any email address you supply will be used to set up a Microsoft Account. I no longer subscribe to the newsletter but it’s possible the article didn’t make this clear.

If you were using a local account to login to Windows 10 before your first use of Sway and are now prompted by Windows 10 for this Microsoft Account to login then you can always (well, so far) change back to using a local account for login (although you will still need to sign in to Sway with the Microsoft Account).

Have a look at this TenForums How to Switch to a Local Account from a Microsoft Account in Windows 10 article.

Hope this helps…

Reply | Quote

It shouldn’t be a surprise that a Microsoft account is required to use Sway, as it’s been that way since it was introduced 18 months ago:

Sways are stored on Microsoft’s servers and are tied to the user’s Microsoft account.

https://en.wikipedia.org/wiki/Office_Sway

Reply | Quote

I don’t mind logging in to MS for the app; I resent being forced to do so just for Windows if I want to use sway – and I’m po’d that there is no warning until it throws it in your face. And no, I don’t remember the article saying this. FYI, I use Office 365, and don’t have to use a MS login on Windows itself to do so.

Reply | Quote

About the same for me .
After reading the article I installed the ‘PC version’ and run into that not bypass-able “login with a MS account (or phone number – funny for a PC software) ” request .
I don’t really understand the point of having a locally installed version of the software if it only works online!
I don’t need to log in to user Word or Excel , I was expecting the same behavior from Sway.

Reply | Quote

About the same for me .
After reading the article I installed the ‘PC version’ and run into that not bypass-able “login with a MS account (or phone number – funny for a PC software) ” request .
I don’t really understand the point of having a locally installed version of the software if it only works online!
I don’t need to log in to user Word or Excel , I was expecting the same behavior from Sway.

The stated reason is because Sway stores your data online and it’s basically a front-end to background processing within Azure, i.e. online again. The result is that Sway content creators are thus ‘locked in’ (and the cynic in me thinks that having data like phone numbers just helps grow the amount of personal data MS knows about you).

Reply | Quote

I have to admit, I’m a local processing & storage guy, except when a service can only work ‘in the cloud’, ‘on the network’, etc. Just because Microsoft chose to design Sway to use Azure doesn’t mean I have to buy in to that design.

There’s a design tradeoff here that gets very little discussion. Putting content on the network and delivering it through web browsers has been sold as convenient, cross-platform, multi-device and secure. That’s the upside and I accept most of those have been delivered.

On the downside though, you are profoundly network dependent now. If anything happens to your network or the hosting servers, your nifty application is toast. You go from 100% app availability to 0% in the blink of an eye.

Next, your security now depends on the vendor. There have been scads, just scads and scads of gigantic breaches in the internet. It doesn’t matter how big the company is, what industrial sector they operate in, even their historic security reputation. The best network security information I have says that every network of any size has already been breached. So the whole ‘cloud is secure’ message is more than a little suspect.

And then of course there is the corporate data mining, the governmental intrusions, and all the rest. None of which is appealing.

Finally, devices and software are historically cheap. They’ve literally never been cheaper! Why are we trying so hard to ignore the powerful and flexible computing ecosystems that are in our hands? This is the one part of the computing ecosystem we have definitive control over, but most of these cloud solutions want to turn powerful distributed computing devices into fancy terminals. And while there are places and situations where this idea has strong business justification, the sales pitch is excessive.

‘All the cool kids are using cloud. If you aren’t using cloud, you are losing out. Left behind. A dinosaur.’

Yeah, OK, I remember real terminals, and that environment wasn’t great. I have lived with Citrix solutions, and you know what? 99% of Citrix configurations aren’t great (feature poor, designed to save money and be administratively easy. Little or no thought given to the user).

In broad terms, cloud often means a limited, locked-down environment. It’s easy, the backup is usually excellent, and device synchronization is largely handled. But you are now a product, numbered and lined up into neat little rows.

Reply | Quote

Can I ask what you have against using a PIN? It may be that my understanding of the risks need updating. Secondly, if it requires you to use an MS account, surely that doesn’t of itself necessitate using a PIN? I use a PIN to login, but can switch to a pw when I feel like it (I think).

Reply | Quote

The objections to PINs are generally threefold:

1). A PIN is, by definition, a number, and usually a short number too. As such PINs have much lower complexity than passwords and that makes them easier to crack;

2). Correct me if I’m wrong, but Microsoft account PIN login checks all accounts. When the security challenge is performed you simply enter any PIN and the OS checks all accounts for matches with known PINs. Since traditional passwords are strictly associated with an account name, again they are more secure. The user has to provide both a correct account name and the matching password for that name. Get either one wrong and the login attempt is rejected.

3). The OP was, I think, objecting specifically to authenticating through Microsoft. This isn’t a PIN objection so much as objecting to Microsoft being the gatekeeper. If Windows is authenticating to a local account then pbug56 actually has both ultimate control and responsibility. If Windows is authenticating to a Microsoft account then Microsoft has ultimate control and responsibility.

This latter point is a pretty common complaint by people who have a strong security orientation. Either that or they are suspicious of Microsoft, or they are more comfortable with traditional security controls, which are in the hands of the user.

Reply | Quote

The objections to PINs are generally threefold:

1). A PIN is, by definition, a number, and usually a short number too. As such PINs have much lower complexity than passwords and that makes them easier to crack;

Not necessarily: Why a PIN is better than a password (or as good as a local password)

2). Correct me if I’m wrong, but Microsoft account PIN login checks all accounts. When the security challenge is performed you simply enter any PIN and the OS checks all accounts for matches with known PINs. Since traditional passwords are strictly associated with an account name, again they are more secure. The user has to provide both a correct account name and the matching password for that name. Get either one wrong and the login attempt is rejected.

You’re wrong. If you sign in to Windows (8/10) with a PIN, you’re always doing so immediately below the current or selected user account; so they’re per user just like passwords.

3). The OP was, I think, objecting specifically to authenticating through Microsoft. This isn’t a PIN objection so much as objecting to Microsoft being the gatekeeper. If Windows is authenticating to a local account then pbug56 actually has both ultimate control and responsibility. If Windows is authenticating to a Microsoft account then Microsoft has ultimate control and responsibility.

This latter point is a pretty common complaint by people who have a strong security orientation. Either that or they are suspicious of Microsoft, or they are more comfortable with traditional security controls, which are in the hands of the user.

But if a PIN and/or password is forgotten, it’s easier to reset those of a Microsoft account. A forgotten local password requires some kind of workaround using another account etc.

Reply | Quote