Sign in solution is available

Redmond, July 18, 2004, 22:00 PDT

I'm sorry that this post is so late, and I know that folks are frustrated with the lack of communication. We have been on the verge of good news all afternoon (and evening), and it is here.

I'm happy to announce that we have published a solution to the sign-in problem. Users that have been unable to use the passwords or work with their files offline should follow the directions at: http://sync.money.msn.com/help/pss/w1.asp

I know that there are additional questions, which I have answered below.

Q1:      What happened with our passwords?

A1:       On Monday, one of our servers was updated and inadvertently pointed to the wrong location to verify authentication. The authentication process worked perfectly - we caused the problem by looking in the wrong server location. This mistake only affected Money services. (If you think of your login information as a key, and our servers as a lock, then we changed the lock on the safe, and the old key wouldn't work anymore. There is no way for the user [or anybody else] to create working login information. The good news is that nobody could open the local file because of this mistake at any time; your information is still protected.)

We corrected the "wrong server location" problem Tuesday morning, and users who did not login between late Monday afternoon and Tuesday morning should be able to use their files normally.

Those who were affected may continue to be affected, however, since Money downloaded some of the garbled information from our servers. (Basically, we made a copy of the lock on your local file. Why did we do this? Because when you change the lock yourself, you don't want the old key to continue working on your local file. You also wouldn't want there to be an easy way for somebody on your machine to ignore the change in the locks. Of course, we will look at this scenario to see if we could solve it without decreasing security in the future.)

This situation has not caused any violation of our users' privacy, and our online services have continued to be available.

Q2:      How does the fix work?

A2:       We have carefully recreated the incorrect environment of Monday evening and a Web page to access it. The web page will allow affected users to login with their current information and recover the lock information that has locked them out. This will allow them to unlock their file. It is important to note that users who changed their password should use their new password, and that no user will be able to access the lock information for another user.

Again, this solution does not violate our users' privacy. We are using your login information to restore the lock to your unique key.

Users who have been unable to access their local files should open a web browser to http://sync.money.msn.com/help/pss/w1.asp and follow the directions on that page.

Q3:      Why did it take so long?

A3:       We have addressed the problem in stages. Our first efforts were to restore the correct configuration of our servers, while preserving the state they were in for investigation.

Then, we started a careful investigation of the impact on users. Naturally, we are very careful when dealing with users' login information and follow strict procedures to protect their privacy.

We have identified three different states that users' files can be in, and we worked on fixes for all of them. We realize that it was important that the fix be thorough.

At all times we were working as directly and hard as possible at getting a solution out to the affected users as soon as possible.

Q4:      What if I still can't access my file?

A4:       You should send email to mnyngsup@microsoft.com .

Q5:      Was this Passport's fault?

A5:       No. Passport was working correctly, and always did work for access to our online services, such as MSN Bill Pay.  The issue relates to Money's server interactions with local Money files.

Q6:      Why does Money use Passport for the local file?

A6:       We use Passport for a number of web services at Microsoft, including financial web services that we offer through Microsoft Money. Since the local file can access these services, the file needs to be protected as well. For ease of use, we use the same system, Passport, to protect access to the local file. Users that do not use the web services do not have to use Passport for the local file.

-Russ Paul-Jones
MSN Money

Note: The email and web addresses above are no longer valid