AWS doesn’t know who I am (ben11kehoe.medium.com)
125 points by kiyanwang on Aug 22, 2021 | 116 comments


Some of these are legitimate grievances but it seems quite reasonable to have separate accounts for work and play.

What I do despise is that my Amazon.com credentials are the same as my Amazon AWS root account credentials. They aren't equals. The services share the name of a rainforest and a very rich CEO but that's about where the similarities end for my part.

I'd rather not have to plug in my AWS root account credentials when I get the urge to impulse buy a robotic vacuum cleaner.


Without going into too much detail, this "coupled account" problem is taken very seriously internally (AWS Identity dev, my opinions are my own and I don't speak for the company).

There is a very large project to fix this. But as you can probably imagine, with a system this large and complex making changes to fundamentals like identities is hard, and done with a lot of care.

All new accounts created today are "decoupled". They are not your Amazon account, and (barring some special internal tools for testing) you cannot make them the same account. But migrating all the existing accounts without causing harm is a messy business.

My own AWS account has the same problem.


Is there work on Amazon.com itself? Because basically everything there needs fixing. But the filters would be a very good place to begin a sorely needed facelift.


Could you please share some of the technical challenges about the migration?


I'm not a spokesperson for the company and really don't feel comfortable saying anything specific about this.

Generically: Identity is a very hard space. It's one of those things that sounds really simple but the deeper you go the more edge cases you find.

With complex systems, changing fundamental designs of the system, while users and other systems are currently using that system, is like trying to upgrade the engines on a plane while in flight. Technically possible, with a lot of planning, but any wrong move or bad assumption and you're going to crash.


> detail, this "coupled account" problem is taken very seriously internally

I can say for certain that no, it is not something taken seriously.

I (loudly) complained to AWS enterprise support in 2017, 4 years ago, about this issue. Got escalated as high as could possibly be escalated (team leads of IAM calling my cell phone).

4 years later and the issue is unresolved. This is Amazon we’re talking about. There’s very little that can’t be fixed in 4 years.


> I'd rather not have to plug in my AWS root account credentials when I get the urge to impulse buy a robotic vacuum cleaner.

Clearly the solution to this is for the retail site to support IAM roles.


Yeah make it so confusing nobody buys anything!


That made me chuckle


> What I do despise is that my Amazon.com credentials are the same as my Amazon AWS root account credentials.

This bit me hard last year... I lost my phone and with it my MFA for the root account, and of course forgot to properly back up the MFA seed.

Now when calling AWS support to get my access back, they ask me to prove ownership of my Amazon.com account with the same email... Which is like 15 years old. I changed phone number, address, country dozens of times since then.

Apparently I would have to go back to my home country and ask a notary to sign a paper asserting I am really me to get my access back. Nightmare.


As you have learned, setting up 2fa for an important service isn’t something to be done lightly.

My current setup is two yubikeys (one in storage, one in my computer) and OTP on my phone. Failure is still possible but it’s unlikely enough for me.


I'd love to do this, but many services still only support SMS or don't support multiple hardware keys.


You can change an AWS account's root account's email address. Even if you don't want to set up a new email account just for your AWS root account, many email providers include additional forwarding addresses as a feature, or use something like the Gmail feature where `me+aws-root-account@gmail.com` gets sent to `me@gmail.com`; from AWS's perspective these are completely different email addresses even if Gmail treats them as the same Gmail account.


Nope. For accounts created before 2017, if you change the root account's email address it changes the Amazon.com retail account's email address as well. This is documented behavior by AWS[0]:

> If your AWS account and Amazon.com retail account share the same login information, updating the email address or password on one of the accounts changes information on the other account.

[0]: https://aws.amazon.com/premiumsupport/knowledge-center/trans...


I'm using the same method. But only went down this like the grandfather comment where I'd already been bitten by having the same email as amazon@domain.com for both AWS and Amazon. Fortunately creating aliases in Fastmail is very trivial.


Is this the case for you? Mine are totally different. How did they get tied together?


Up until 3-4 years ago, if you created an AWS account with the same email address as your amazon.com shopping account, Amazon would automatically link the two together, without warning and without a setting to undo this. Changing the password on one changed the other too. This connection persisted for accounts made after AWS stopped doing this, probably for backwards compatibility reasons.

At least when I dealt with this mess a couple years ago, AWS support did not have reassuring answers. They claimed they could separate it, but if something went wrong we were on our own without spending large amounts of money on premium support.

Lucky for me most of our resources were already in child AWS accounts and the rest could be migrated, so I was able to create a _new_ top-level AWS account, re-parent the child accounts, and delete the old parent account instead. At least with that process we could create a throwaway child account and test every step before doing it for real with production.


Yes, it is. If I try to change my AWS root account password, I get redirected to Amazon.com.

My account is very old. From the sounds of it, my grievance has been addressed by Amazon but I'm grandfathered on the old system.


These are two different sets of Creds, or should be.


Hm, well they're the same for me and I get redirected to Amazon.com to edit certain pieces of AWS account information.

Perhaps it's because my account is very old - possibly having been created near the inception of AWS. I have no memory of creating the account.


Right, AWS accounts created before September 2017 are coupled to amazon.com retail accounts. Accounts created after this are separate.


For those of us with coupled accounts, is there any way to separate them?


Change the root user email on your AWS account or the Amazon retail address to something different.


That doesn't work for old accounts. Changing your root email address will also change it for the retail account. This is documented behavior by AWS: https://aws.amazon.com/premiumsupport/knowledge-center/trans...


Thanks for the correction.

I thought my personal account was this old already, clearly not.


I have enabled 2FA on my Amazon account and also on my root AWS account. In order to log in to AWS using my root account, I must enter two 2FA responses: one for my Amazon account, the other for my AWS root account. It's weird!


I'm not sure this is actually a good idea. Do I want AWS to contact me about my work account via my personal account? Do I want to get my personal card charged for work expenses or vice versa? I don't see what types of configuration would be useful to keep across accounts.


This is very interesting because it comes from the perspective of someone who cares so much about what they do at work that it bleeds into their personal life.

> never hear about WorkDocs rolling out a feature to the Frankfurt region — unless you’re using WorkDocs in Frankfurt

Personally I'd hate that. Send that info to my work email account for sure, but my private one? No way!

If I'm not currently being paid to think about my job, nothing should be trying to remind me of its existence.


The downside of One True Identity is getting your startup data deleted from account A because account B was booted from Google for unclear TOS violation.

Usually these issues can only get resolved by getting your blog post to HN


There was a horror story on Reddit a few years back, cross-posted to HN, where a single employee got their entire company's G Suite account banned for violating some Play Store policy using their work account. (as a consumer, not a dev)

The horrifying part was that Google went on to ban every employee's personal account as well because they were "linked" to an account that was banned for TOS violations. Imagine losing access to your email, Android apps, and photo library because a coworker you may not even know broke some TOS.

A Google employee entered the thread and said they were investigating, but notably ignored anyone asking "is it really Google's policy to ban people's personal accounts if their employer gets banned?"

I was pretty happy when my company switched from G Suite to Office 365.

(Amazon allegedly isn't free of these "guilt by association" practices - I've heard stories of people getting permabanned from Amazon because their roommate or family member returned too much stuff, since the delivery address was the same.)


Do they? We heard the cries for help, and we assume in most cases a Googler here on HN champions the caller.

In fact, I'd like to see some metrics, a transparency report of false positive blocks/deletions which were reversed.

But indeed, I absolutely do not want my personal projects to be related in any way to my work projects, nor vice versa.


The fact that these stories go viral as often as they do suggests false positives are pretty common, and that the standard support channels are really, really bad at dealing with them. Whenever I read a story like this, complaining on social media was the company/user's desperate last resort, not their first step.

For every user who gets saved by someone at Google seeing their story on HN or Twitter, how many users stay permabanned because they just aren't social media savvy enough (or lucky enough) to get traction?

I would guess that the majority of false positive bans never get resolved.


Surely there are people getting banned from Google who are not HN users. Social media outcry is not a good solution as its not accessible to everyone.

Agreed about wanting to see more transparency.


AWS doesn't deserve that kind of responsibility, no tech giant does. I'm surprised anyone would propose that without considering the consequences of this statement:

The richest man in the world now controls the idea of your identity.

I will give crayons to every angry third grader willing to color all over that idea until it is unrecognizable.

Real cryptography based identities with derived keys are possible. PGP allows this today. With some organization you could use PGP with twice derived keys for various identities that can be corralled under a single identity. Again, all possible today for the aspiring entrepreneur. What I think will be infinitely tricky is creating an organization that is international to manage them without influence. They can't be beholden to a single nation or continent. Being able to be influenced by any nation would need to be a P1 bug in the corporate architecture. You'd need a stupidly secure facility with offline data gaps, the kind that are proposed for things like SCADA.

Anyway, I've thought about this problem a good bit over the years. I'm interested in others thoughts.


The idea of some grouping tool, orthogonal to security and account management, used to store personal preferences/notification settings/social network links sounds reasonable.

The idea of 'identity for the human' reeks of ghastly surveillance and control. AWS has no business with 'the human', only with a client - it's not my family, it's not my friend, it's not a law-enforcing state with a monopoly on violence.


Sounds like a problem if you are an AWS Serverless Hero, but for the rest of us I think there is comfort in the fact that AWS identities are not a massive privacy invasion.


This was exactly my thinking when I read through it. I don't even really care about shared pinned services, my day job and side projects use different services for the most part. None of the benefits explored will have much impact to me, and I use AWS almost every day for one reason or another.

If anything it just gives me another place where I can't keep work and home separate. I don't want another "Atlassian" where suddenly my work owns my account because I had a work email attached to it, and can close it at will.


I don't agree at all. I don't want to use the same account across multiple organizations.


And even if you did, that can be done via federated auth in IAM.
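Federated access in IAM comes down to a role whose trust policy names an external identity provider and, critically, constrains which identities at that provider may assume it. The following is an added example, not code from the thread or from AWS: it builds a trust policy for an OIDC provider (the account ID, provider hostname `idp.example.org`, audience and subject are made-up placeholders) and lints trust policies for the mistakes that make "one identity across organizations" dangerous, namely a wildcard principal, a federated principal with no `:sub`/`:aud` condition, and a cross-account principal with no `sts:ExternalId`.

```python
"""Build and lint IAM role trust policies for federated access.

Added example, not from the original thread or from AWS. Account IDs, the IdP
host and subjects are placeholders.
"""
import json
import re

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def oidc_trust_policy(account_id: str, provider_host: str, audience: str, subject: str) -> dict:
    """Trust policy allowing exactly one federated subject to assume the role."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{provider_host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider_host}:aud": audience,   # token must be minted for us
                f"{provider_host}:sub": subject,    # and for this one identity
            }},
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(condition: dict) -> set:
    return {key.lower() for mapping in condition.values() for key in mapping}


def _principal_account(principal: str):
    """Account ID behind an AWS principal: a bare 12-digit ID or an IAM ARN."""
    principal = str(principal)
    if principal.isdigit() and len(principal) == 12:
        return principal
    match = _ARN_ACCOUNT.match(principal)
    return match.group(1) if match else None


def lint_trust_policy(policy: dict, own_account_id: str) -> list:
    """Return human-readable findings for overly broad Allow statements."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        cond_keys = _condition_keys(st.get("Condition", {}))
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: Principal '*' lets any AWS principal assume this role")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS")):
            acct = _principal_account(arn)
            if acct and acct != own_account_id and "sts:externalid" not in cond_keys:
                findings.append(f"statement {i}: cross-account principal {arn} without "
                                "sts:ExternalId (confused-deputy risk)")
        for arn in _as_list(principal.get("Federated")):
            if not any(k.endswith(":sub") for k in cond_keys):
                findings.append(f"statement {i}: federated principal {arn} without a ':sub' "
                                "condition; any identity at that IdP can assume the role")
            if not any(k.endswith(":aud") for k in cond_keys):
                findings.append(f"statement {i}: federated principal {arn} without an ':aud' "
                                "condition; tokens minted for other audiences are accepted")
    return findings


if __name__ == "__main__":
    policy = oidc_trust_policy("111111111111", "idp.example.org",
                               "sts.amazonaws.com", "user:alice@example.org")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, "111111111111"))
```

The same lint applies to SAML trust policies, whose condition keys end in `SAML:aud`/`SAML:sub`, which is why the check matches on the key suffix rather than the provider name.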


Madness. If you get blocked by AWS in one of their accounts, wave goodbye to all the other accounts.


It's also possible to get your personal GMail account banned after someone at your company breaks Google ToS: https://www.reddit.com/r/tifu/comments/8kvias/tifu_by_gettin...

For the few Google products we use at work, like Calendar, we make sure that people do not register with their existing personal accounts but use their work email address.


Isn't having more than one Gmail account a violation too?


I don’t think so. We have a family gmail account (mostly for a shared calendar) and Google has explicit ways to use more than one account.

https://support.google.com/accounts/answer/1721977?co=GENIE....


It's not a violation to have more than one Google Account - there is the (pretty horrible) account switcher for that scenario.


Do you mean the login screen with a list of accounts, used from the browser? Or Android's multiple accounts ability?

That doesn't mean more than one account per person is OK though. Just the reality that more than one person may share a device.


A list of logins available in the browser. Here's the support page for it: https://support.google.com/accounts/answer/1721977?co=GENIE....

Lots of screenshots around if you google "Google Account Chooser".

Pretty much everyone who works for a company that uses GSuite will be very familiar with it.


These urls are blocked for me, but, from what you've said, it's about maintenance in paid gsuite, which doesn't mean more than one account per user.

Google gives free storage, etc per account. I wonder, if you exceeded that and had a second, how quickly they'd say 'one account per person'?


That story doesn't seem very believable. Why are other people's personal accounts getting banned too?

One possible explanation is that the exit IP for the company has had malware hosted on it, so that IP is getting banned from Google services. If they go home or turn off WiFi on their phones it will probably work.


> That story doesn't seem very believable. Why are other people's personal accounts getting banned too?

Fully believable.

In some cases people don't even have the slightest clue.

In this case there is at least an explanation even if it is bad.

PS: I don't hate everything Google do or any employees specifically, I just try to shine a light on the places where they fail like lack of transparency or even basic communication or their abuse of market power to try to kill competing browsers.

They have done good work in other areas, it seems, like standing up against dragnet surveillance etc.


The top voted comment on HN at the time thought it wasn't believable either: https://news.ycombinator.com/item?id=17115643


Exactly. I don't want this for the exact same reason.


It's good that every service has separate credentials.

For a counterexample, consider Apple and how they try to restrict you to a single Apple ID. They want everything to be tied to a single person. Every service you use is tied to your Apple ID.

It just doesn't match the way that people use computers.

For example, I get my computer games and business software billed to the same card, and there's no easy way to change that.

Somehow the app store "helpfully" installed a baby monitor app that I use at home on my work computer.

We set up a Mac as build server in the office. It's shared by multiple people. I need to log in with my personal credentials to download software from the Mac App store.

My girlfriend bought an iPad for the kids to watch TV. It's shared by a couple of people. She had to log in with her Apple ID to set it up, and now her personal iMessages and emails are on it. It's stupid.

Some of these problems can be fixed, but it's really annoying.


How does Apple restrict you to a single Apple ID?

I use my personal Apple ID for personal things, my work one for work things, and as an admin of our Apple Business Manager account I can create new Apple IDs for anyone in the company as necessary.

To my knowledge Apple doesn't even have a policy of requiring one account, I've certainly been told to set up separate accounts by Apple support teams.

Facebook does have this problem, they have a policy that you must not have separate IDs, they police this heavily with a lot of automated bans, and they also require a Facebook account to do development with Facebook.


It’s more like a single device is limited to a single Apple ID. (At least the mobile ones.) That gets tricky when it comes to, e.g., sharing an iPad with your kids. On computers you can work around it by having different profiles that different people use.


Do you use multiple Apple IDs on one device? I tried doing that for some time, and it caused a lot of issues. Maybe it works if you have separate devices for work and for home use, but I use my Macs for both business and home use.


I do! I have a separate Apple ID for services like iMessage than I do for the App Store. I can't log into more Apple IDs than that in settings though.


Or see people who "spammed" emotes into a Youtube livestream getting caught by spam detection and locked out of gmail.


And, IIRC, they only did it because the YouTube streamer (i.e. the channel host) asked them to do it!


> I need to log in with my personal credentials to download software from the Mac App store.

Do you though? Why not just setup a "apps@<yourbiz>.com" and create a new account?

> and now her personal iMessages and emails are on it. It's stupid.

So just turn these services off? They aren't mandatory.


Registering an Apple ID involves phone number checking. In some countries getting one without exposing personal information is not trivial.


Lots of services won’t allow duplicates. For example, you can’t use the same number for account recovery on two different Microsoft accounts. Zoho won’t let you register more than one account with the same number. Etc..

I silo my profiles. I have 4 of them. It’s really hard to do. Everyone encourages you to put all your stuff into a single profile. It’s awful for work life balance and security, but it benefits big tech companies, so that’s why it’s like that.

Do you want separate profiles for your password manager? Pay twice. Do you want separate personal and work windows installs (dual boot)? Pay twice. Etc..


Free, reputable password managers are available if you want to separate two different databases. As for work and personal Windows, it's likely that your company covers the licensing cost of their copy.


> My girlfriend bought an iPad for the kids to watch TV. It's shared by a couple of people. She had to log in with her Apple ID to set it up, and now her personal iMessages and emails are on it. It's stupid.

Apple considers iPads (and iPhones/Macs) as personal devices. You aren't expected to share an iPad, you're expected to buy an iPad for each user.


> Apple considers iPads (and iPhones/Macs) as personal devices. You aren't expected to share an iPad, you're expected to buy an iPad for each user.

Categorically not true. iPads in particular can be set up for multi-user with hand off.

Shared iPad Overview: https://support.apple.com/en-gb/guide/mdm/cad7e2e0cf56/web

Shared iPad for Education: https://developer.apple.com/education/shared-ipad/

Shared iPad for Business (MSFT Intune MDM docs): https://docs.microsoft.com/en-us/mem/intune/enrollment/devic...


> Shared iPad requires a mobile device management (MDM) solution and Managed Apple IDs that are issued and owned by the organisation. Users with a Managed Apple ID can then sign in to Shared iPad, which is owned by the organisation. Note: Managed Apple IDs don’t support Family Sharing.

Practically not false.


That doesn’t work for a personal account.


Then Apple is either wrong, or being actively malicious with its products in order to sell more of them.


I mean it’s not really malicious to design a single-user system. At best it’s passively malicious. Sure, you can always share your personal pizza but you have to deal with the consequences that it was sized for one person and you both might be hungry after.

Are you upset about the fact that you can’t have multiple isolated user-accounts on an iPhone?


> Are you upset about the fact that you can’t have multiple isolated user-accounts on an iPhone?

The iPhone was mentioned once, to connect it’s not possible on either iPhone or iPad. This is about the iPad, a completely different class of device, where it makes sense it would be shared, at least within a family, and has nothing to do with personal pizzas.

It's a small point here, but the way you moved the goalposts so your analogy applied more really bothered me.


“I want device to be shareable” is very different than “Apple is malicious for not making device shareable.”

I’m not trying to move the goalposts because I think of my iPad as just a larger iPhone. To me they’re the same.

It’s such an odd dynamic because I see so many families sharing an iPad which isn’t multi-user but then treating laptops as personal.


> This is about the iPad, a completely different class of device, where it makes sense it would be shared, at least within a family, and has nothing to do with personal pizzas.

It would be very awkward, even if you had multiple user accounts. How do you deal with things like notifications on the lock screen for messages, which can be very personal? There is so much personal stuff on my iPad, it would be like sharing a toothbrush. Sure, you could do it, but why would you ever want to?

Computers have become deeply personal devices, to the point that having to keep personal stuff off them would negate a lot of their utility. Is there still a point to having shared computers? Do people still do that? Even my parents, who are in their late 60s and care little about technology, both have their own personal laptops.


iOS doesn't show messages on my phone lock screen until it's authenticated me via Face ID. Presumably on a theoretical multi-user iPad, it'd do Face ID and then show me _my_ lock screen messages and not anyone else's who happens to have an account.

Sharing a computer doesn't mean keeping personal information off of it, it just means you want a device that respects your personal information and keeps it private (non-readable by other user accounts) by default.


My bet is that the user research would say the vast majority of iPhone usage is indeed personal, but that a major amount of iPad usage is shared, especially among children (and even more so in poorer areas where an iPad per child isn't affordable). And I'd bet Apple knows this, but wants to maintain the fiction to encourage more sales.

It's like Amazon waiting forever to include Chromecast functionality to sell more Fire Sticks. I understand, but it's still degrading the user experience, and that just grates my cheese.


Oh wow, I've seen some mind bending arguments so far but I sure didn't expect you to defend Apple's condescending way of telling their customers what to do by telling people how they should eat their pizza.


I actually meant the opposite. Nobody is going to stop you from sharing your personal pizza, like it’s yours do whatever you want. But it’s weird to complain to the pizza joint about the portion sizes and that you’re still hungry after splitting one.

Like Apple isn’t misleading anyone, you know when you buy it that it’s a single user system with all the downsides that entails. It’s fine to say “I think Apple should support multiple users to cover my use-case” but not “how dare Apple not support my use-case.”

How dare my toaster not fit bagels! It’s a conspiracy I tell you to get you to also buy a separate bagel toaster!

Like, are people really just blind-buying devices without even looking to see if they do what you want them to do? If your requirements are "I need a tablet to share between me and my kids", why is an iPad even on the table?


Sure not buying Apple is always a solution but if we're continuing the pizza analogy then surely a restaurant that would refuse to bring you an extra plate and tableware would be considered to have bad service?


You can log out of iMessage and not set up email. It's silly that there aren't user accounts on the iPad at this point but you can get rid of most everything by logging out and setting up controls in Screentime.


Create a kid's account in a family, set up the device using this apple id. that's the correct way of setting up kid's devices anyway.


Macs are definitely not personal — you can trivially set up multiple user accounts.


You can, but the experience sucks for families. If you want shared access to your family photos or music collection, you kinda need a shared account. But you probably don't want your family members to read all your email, so you need separate accounts. And what if you want to email a photo from the shared account? You end up having to switch accounts all the time, and the experience sucks.

The result is that people just use web apps like Gmail instead of native apps, because it's a lot easier to sign in and out of services.


My son wanted to login to the desktop AirBnB because I wanted a PDF of a receipt, which he couldn't get on mobile. He logged in using his Google account on his phone. On his Windows and Mac laptops, with Chrome and Firefox he got errors. He just couldn't login. We cleared cookies, everything. Rebooted. Nothing would fix it. Of course, to start a chat with aBnB you need to login...

So, I agree. Every service should have separate credentials.


Yes, Apple ID is like a cookie that you can't delete.

My solution: use Linux :)


Are you using a Linux phone by any chance? Could you share some details? I've been thinking about it but I didn't pull the trigger because the alternatives I've been looking at all have shortcomings. Curious to hear more.


This is one of the things Google actually got right with Android. I can add as many Google accounts to my phone as I want. Anything that needs to be associated with a Google account lets me choose which account to use, and I can selectively decide what gets (and does not get) synced from each account (mail, contacts, photos, store purchases, etc.). Many apps will even let me switch between accounts easily and seamlessly.


I feel like several of your problems where you “have to” do this or that, you’re missing the value of iCloud “child” accounts that can be enabled to use the parent account’s things they didn’t pay for.

Especially for the literal kids, use a child account. But also use a child account for the work machine so it can use your apps but isn’t your personal messages and photos.


Child accounts don't fix the problem that it is a shared device.

I've never considered creating a fake child account for business use, but I have tried to create some fake Apple IDs for shared devices, so I didn't need to use personal credentials. Unfortunately Apple has blocked these fake accounts from accessing some services, so I had to fall back to using personal accounts.


> It's shared by multiple people. I need to log in with my personal credentials to download software from the Mac App store.

I thought this was solved with managed Apple IDs? https://support.apple.com/en-us/HT210737


As an independent software contractor I could say the same about Microsoft's Partner Network.

Unless I sit a myriad of different exams I can't advance my competency to Silver or Gold. This means my MPN default "Partner" benefit is restricted Azure AD Basic and I can't take a parallel Azure DevOps build with me to a new project.

Worse still, if I leave my MS Gold Partner for a start-up I'll lose access to the enterprise elements of Azure AD (SCIM integration, Azure AD Application Proxy etc). If I'm called out to support something I delivered I'll need to absorb the cost of upgrading my Azure AD subscription.


Article fails to explain why that's a problem. From a security standpoint, this separation is necessary and beneficial.


A lot of people are comparing AWS identities to G Suite or Apple ID.

A better, more apples-to-apples comparison would be Azure Active Directory.

A single AAD account enables access to: Azure DevOps, Microsoft 365 collaboration apps, remote desktop logins to servers, virtual desktops, and a bunch of other stuff.

It certainly is very convenient, but the downside is that a global outage of AAD takes down a lot of things all at once.

For example, AAD system-managed identities are used as a type of "service account" in Azure. This means that web apps can lose access to their HTTPS certificates stored in Key Vault because AAD is down, causing massive outages.

In theory, AAD has a "read-only delayed replica" as a fallback, but in practice this hasn't worked.

This is actually one of the core "philosophical" differences between AWS and Azure. The former values completely distinct services with no (or minimal) interdependencies, the latter values integrated, cohesive architectures.

In my experience Azure's approach is more convenient but more fragile. Conversely, AWS is more robust but can be super irritating for end-users.


The author is looking for Google Cloud‘s IAM architecture.


Or Azure Active Directory (AAD)


For those not reading the article: the purpose is to have better customer engagement, not to affect security or privacy in any way. They have a fractured ecosystem (customer-wise) and it makes people's lives annoying. (It's also a missed opportunity to simplify business intelligence)

The benefit to you, the consumer, is deeper connection to the AWS ecosystem. Your contributions can be tracked on a dashboard and added to a virtual resume, so you don't have to list every god damn service and account you've worked with in your resume. You can more easily contact support across accounts and services, forums, etc. If you've ever gone, "shit, in what account/region did I use that one S3 feature before?", you could look it up in your global user history.

It's the same thing as having one GitHub account that lists all your contributions across orgs/repos. You can always create another GitHub account linked to another key/email/identity.

Solving this is a good idea, and can be done without much technical work, but it won't be, because of their business model.

This is what Google already does: all your "stuff" is linked to a Google account across all their products/services, because their bread and butter is knowing who "you" are everywhere, so they can make money off "you".

AWS doesn't care who "you" are because (outside of Amazon Prime) they don't make money off "you", they make money when you pay them. Very different business model. There's effectively no business case to track "you" everywhere, so they're not going to put in the work.

But actually, this could be solved easily with PGP keys and a database of databases. Add your public key to every system that AWS has (or they can add it for you, based on your email address). They can look up your general information in any public key server. And if they need verification of who you are, just send them a signed E-mail or file or something. It would be tedious to do this manually for every service, so they can architect some internal service to map public keys to internal services to hopefully get the human validation part down to just one time.


I've always thought that AWS's conceptual model and implementation is a big mess. Root accounts different from other accounts, big numbers & ARNs exposed to the user, meaningless names for services, multiple names for the same concepts (do I need to say Ireland-1 or is it eu-east-1?). It's inhuman and overly complex. I assume people haven't revolted because that baroque and unnecessary obfuscation feeds a lot of consultants whose time could have been cut significantly had Amazon had someone think before implementing such a monstrosity.


Yes, that's a lovely idea.

EXCEPT for the absolutely abysmal "customer service" and "issue resolution" provided by the likes of Amazon, Google, FB, etc. (as if those so-called services even rise to the level of the ordinary definitions).

IFF they provided real humans, with real time and authority to look into and resolve issues, this might be a good idea.

But since, in the real world, their business model is obviously to provide only the most superficial figment of anything resembling an ability to resolve issues, any such linkage would be absolutely terrifying.

Any inadvertent slipup, or even getting innocently hacked, already results in disastrous loss of access to your own data and privs. Just today, there's an HN story of such an unrecoverable loss on FB & Oculus [1]

The only solution in light of these hostile policies on the part of FAANGs and other big tech companies is maximum fragmentation/segmentation/sharding of accounts.

(I've already passed on invitations for an Amazon Biz acct, despite the fact that it might be quite useful for my biz, for exactly these reasons.)

Edit: add ref for [1] https://news.ycombinator.com/item?id=28249977


Absolutely no. I present different facets of my personality in different circumstances, because not everyone needs to know, or wants to know, everything about me. Work, family, public profiles, private chat and entirely personal spaces are separate for a reason. I don't talk about tech in too much depth with most of my family, and neither do I share my home address with everyone who checks my LinkedIn page.

Binding these personality facets into a single person also has the disadvantage that if my account gets banned in one social context, the repercussions will touch the other contexts too. Will an oversensitive PC/abuse filter on one service ban me from all my Amazon-based access? I don't know, let's YOLO and find out.


Yes! This was exactly the premise of my April Fools joke this year, where I imagined that Google would stop doing authentication challenges, because they already know who you are and which identities you use from all that tracking:

http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...


They won't as of yet.


Hope you get what you want, but I hope it's an opt-in because I do not want it.

Depending on the service, I probably do not want to be ME + sub-identities. While a good sleuth (or algorithm) with enough data can probably connect me to all the different services I use/manage, I don't necessarily want that information to be public. And if it exists in a database somewhere, it will likely eventually become public.


We overuse identity as an important thing in computing. AWS does have problems with IAM of course, but we need to accept that adding human identities everywhere in what is largely a system of computers and applications talking to each other is a security mistake, we need the fine grained delegation of access control, and capabilities. Just because I control some aspect of a program does not imbue it with any sense of my identity. Roles, capabilities, all these are more important than identities.

They should be able to talk to you as a person for marketing or conferences yeah, thats a different thing.


I feel like this doesn't consider the massive upside to IAM roles as identities. Once a user is a top-level concept, there will be things that only users can do. When everything is a role, an action can be taken by a user or an autonomous system in the exact same way.

I don't think this was an accident. Internally, Amazon traditionally had very different methods for authenticating and authorizing users versus systems, and it was a massive pain. Switching to IAM roles relieved some massive pain-points.


I'm reading the comments and it looks like many people forgot to read the piece before commenting on it. Yes, separate credentials are good, he states that in the article. That's not what he's asking for either. He's aware of IAM, he's a user, and it's also stated in the article on several occasions.


No thank you


To see how this can go tragically badly, try using MS Teams with one login address across multiple client accounts.


Sorry, but I disagree. The less any of these FAAMNG companies know about me or the identities I use, the better.


Every service that knows something about your identity has the potential to leak it due to a security problem. It's better to just not have access.

This also seems like an IT headache. If you tie an identity to some test user, it has to get cleaned up somehow if you leave the job.


I clicked this wanting to ensure that AWS continues not knowing who I am. Apparently this person's issue is being too anonymous in the eyes of Bezos...a strange complaint indeed.


Whatever the identity tuple is with Amazon it's deeply confusing. I think it's possible to have:

frobiz@example.com password A
frobiz@example.com password B

Work, and be two different accounts. It's scary.


Because they're namespaced by which AWS account you connect to, same as Slack and many more enterprise products.

You don't have an AWS account. You have an IAM identity and credentials for an AWS account. Except for the root account where what you described is never the case.
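To make the namespacing in the reply above concrete, here is an added example (not code from the thread or from AWS): the IAM console sign-in form takes an account ID (or alias), a user name and a password, and the (account, user) pair is what becomes the principal ARN, so the same user name in two accounts is two unrelated principals, while the root user is identified by the account itself and carries no user name. The account IDs and user names are made up; the ARN grammar is the one IAM uses for `user`, `role` and `root` principals.

```python
"""Added example: IAM principals are namespaced by account ID.

Constructed data: the 12-digit account IDs and the user name below are
placeholders, not real accounts.
"""

import re
from dataclasses import dataclass
from typing import Optional

# IAM principal ARN grammar: arn:aws:iam::<12-digit account>:<user|role|root>[/<name>]
# IAM user/role names may contain letters, digits and + = , . @ _ -
_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):(?P<kind>user|role|root)"
    r"(?:/(?P<name>[\w+=,.@-]+))?$"
)


@dataclass(frozen=True)
class Principal:
    """Identity tuple that actually distinguishes one IAM principal from another."""
    account: str
    kind: str
    name: Optional[str]


def parse_iam_arn(arn: str) -> Principal:
    """Parse an IAM principal ARN; root has no name, user/role must have one."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM principal ARN: {arn!r}")
    kind, name = m["kind"], m["name"]
    if kind == "root" and name is not None:
        raise ValueError("root principal carries no user name")
    if kind != "root" and name is None:
        raise ValueError(f"{kind} principal needs a name")
    return Principal(m["account"], kind, name)


def iam_user_arn(account_id: str, user_name: str) -> str:
    """ARN that an IAM console sign-in (account + user name + password) resolves to."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def root_arn(account_id: str) -> str:
    """The root user is the account itself: no user name in the ARN."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits")
    return f"arn:aws:iam::{account_id}:root"


def same_principal(arn_a: str, arn_b: str) -> bool:
    """True only if account, kind and name all match."""
    return parse_iam_arn(arn_a) == parse_iam_arn(arn_b)


if __name__ == "__main__":
    # Same sign-in name, two accounts: two distinct principals.
    a = iam_user_arn("111111111111", "frobiz@example.com")
    b = iam_user_arn("222222222222", "frobiz@example.com")
    print(a, b, same_principal(a, b))  # -> False
    # Root is a different kind of thing and is never namespaced by user name.
    print(parse_iam_arn(root_arn("111111111111")))
```

The practical consequence for a password manager is that the record key you want is (account ID or alias, user name), not the e-mail-shaped user name alone; two entries that look identical by user name can legitimately be different principals with different passwords.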


I absolutely do think that reasonable ordinary people find this situation confusing. As do password managers. IAM identity is not exactly a widespread understood concept. I doubt if most people entirely "get" the distinction. Google (our instance) pretty much forbids crossbinding like this. I've had non google accounts refused as bootstrap identity in ads and gke because they were just used elsewhere on Google for authorising access.

I'm reluctant to delete duplicate Amazon entries in 1password and bitwarden in case I still need them, for some distinct IAM.


You should be deleting IAM identities you do not use. At the source, not just from the password manager, but actually deleting the accounts/secret keys/passwords/whatever.

Also AWS isn't exactly for "reasonable ordinary people", it's a tool that requires some minimum amount of training. Yes the concept isn't super widely used for end user applications (although 1Password is a good example of another such "you have an account on an instance, that is unrelated to your account with the same email on another instance" concept). And yeah I do wish password managers would handle that better, but for anything that uses subdomain-level separation (example.1password.com vs amazon's signin.aws.amazon.com with multiple fields), it generally works out fine.
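Finding the unused IAM identities the comment above says to delete is a job for the IAM credential report, so here is an added example (not from the thread, not AWS code) that parses a report and lists users whose password and access keys have all been idle longer than a threshold. The CSV is constructed sample data using a subset of the credential report's column names; in practice the report comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is base64-encoded CSV. The account ID and user names are made up.

```python
"""Added example: find idle IAM users from an IAM credential report.

SAMPLE_REPORT is constructed data in the credential report's column layout
(column names are real; rows, account ID and user names are invented).
"""

import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2018-01-05T10:00:00+00:00,not_supported,2021-08-20T09:12:00+00:00,false,N/A,false,N/A
frobiz,arn:aws:iam::111111111111:user/frobiz,2019-03-01T08:00:00+00:00,true,2021-08-19T16:41:00+00:00,true,2021-08-21T01:02:00+00:00,false,N/A
old-contractor,arn:aws:iam::111111111111:user/old-contractor,2019-06-10T08:00:00+00:00,true,2020-11-02T12:00:00+00:00,true,2020-12-15T12:00:00+00:00,false,N/A
ci-bot,arn:aws:iam::111111111111:user/ci-bot,2020-02-02T08:00:00+00:00,false,no_information,true,2021-08-21T23:59:00+00:00,true,N/A
never-logged-in,arn:aws:iam::111111111111:user/never-logged-in,2021-01-01T08:00:00+00:00,true,no_information,false,N/A,false,N/A
"""

# Placeholder values the report uses where no timestamp exists.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Fixed "now" so the demo is reproducible (the thread is from 2021-08-22).
DEMO_NOW = datetime(2021, 8, 22, tzinfo=timezone.utc)


def parse_ts(value: str) -> Optional[datetime]:
    """Credential report timestamps are ISO 8601 with an explicit +00:00 offset."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def last_activity(row: dict) -> Optional[datetime]:
    """Most recent use across console password and both access keys, or None."""
    used = [
        t for t in (
            parse_ts(row["password_last_used"]),
            parse_ts(row["access_key_1_last_used_date"]),
            parse_ts(row["access_key_2_last_used_date"]),
        )
        if t is not None
    ]
    return max(used) if used else None


def stale_users(report_csv: str, now: datetime, max_idle_days: int = 90) -> list:
    """Names of IAM users holding a live credential that has not been used in
    max_idle_days. A user with no recorded use at all is judged from creation
    time, so 'created and never signed in' is caught too. Root is skipped:
    it cannot be deleted, only locked down."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        has_live_cred = (
            row["password_enabled"] == "true"
            or row["access_key_1_active"] == "true"
            or row["access_key_2_active"] == "true"
        )
        if not has_live_cred:
            continue  # nothing to revoke
        seen = last_activity(row) or parse_ts(row["user_creation_time"])
        if seen < cutoff:
            stale.append(row["user"])
    return stale


def demo() -> list:
    return stale_users(SAMPLE_REPORT, DEMO_NOW)


if __name__ == "__main__":
    print(demo())  # -> ['old-contractor', 'never-logged-in']
```

Deleting the user is the end of the job, not the start: deactivate the access keys and remove the login profile first, then delete, and treat a user that still has an active key but no recorded use as a key to rotate out rather than a name to forget.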


They don't work very well. I had two Amazon accounts and changed them to the same email, but I could only log in to one of them. It is very confusing.


This is essentially the classic "internet ID" proposal that's been floated around for a few years, which universally has been regarded as a bad idea.


I especially don't want AWS to tie my personal stuff to my work stuff. That would mean my work would then credibly have some rights over my personal stuff.


I disagree. I think compartmentalization is important.


More megacorps knowing who I am?

No thanks.



