[HN Gopher] AWS doesn't know who I am
___________________________________________________________________
AWS doesn't know who I am
Author : kiyanwang
Score : 116 points
Date : 2021-08-22 08:56 UTC (14 hours ago)
(HTM) web link (ben11kehoe.medium.com)
(TXT) w3m dump (ben11kehoe.medium.com)
| cagataygurturk wrote:
| The author is looking for Google Cloud's IAM architecture.
| larrybud wrote:
| Or Azure Active Directory (AAD)
| ggm wrote:
| Whatever the identity tuple is with Amazon it's deeply confusing.
| I think it's possible to have:
|
| frobiz@example.com password A
| frobiz@example.com password B
|
| Work, and be two different accounts. It's scary.
| justincormack wrote:
| They don't work very well, I had two Amazon accounts and changed
| them to the same email, but I could only log in to one of them.
| It is very confusing.
| scrollaway wrote:
| Because they're namespaced by which AWS account you connect to,
| same as Slack and many more enterprise products.
|
| You don't have an AWS account. You have an IAM identity and
| credentials for an AWS account. Except for the root account
| where what you described is never the case.
| ggm wrote:
| I absolutely do think that reasonable ordinary people find
| this situation confusing. As do password managers. IAM
| identity is not exactly a widespread understood concept. I
| doubt if most people entirely "get" the distinction. Google
| (our instance) pretty much forbids crossbinding like this.
| I've had non google accounts refused as bootstrap identity in
| ads and gke because they were just used elsewhere on Google
| for authorising access.
|
| I'm reluctant to delete duplicate Amazon entries in 1password
| and bitwarden in case I still need them, for some distinct
| IAM.
| scrollaway wrote:
| You should be deleting IAM identities you do not use. At
| the source, not just from the password manager but actually
| deleting the accounts/secret keys/passwords/whatever.
|
| Also AWS isn't exactly for "reasonable ordinary people",
| it's a tool that requires some minimum amount of training.
| Yes the concept isn't super widely used for end user
| applications (although 1Password is a good example of
| another such "you have an account on an instance, that is
| unrelated to your account with the same email on another
| instance" concept). And yeah I do wish password managers
| would handle that better, but for anything that uses
| subdomain-level separation (example.1password.com vs
| amazon's signin.aws.amazon.com with multiple fields), it
| generally works out fine.
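The point scrollaway makes above, that an AWS principal is only meaningful as (account, kind, name) and that the console sign-in host is what a password manager can key on, written out as an added example. This is not code from the linked article or from AWS; the ARNs and the 12-digit account IDs 111122223333 and 444455556666 are made up, and only the standard library is used.

```python
"""The AWS "identity tuple": a principal is (account, kind, name), never a bare name.

Added example; not code from the linked article or from AWS. The ARNs
and 12-digit account IDs below (111122223333, 444455556666) are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# arn:<partition>:<service>:<region>:<account-id>:<resource>; IAM and STS have no region,
# so the region field is empty ("::").
_PRINCIPAL_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):(?P<service>iam|sts)::"
    r"(?P<account>\d{12}):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class Principal:
    account_id: str
    kind: str            # "root", "user" or "role"
    name: Optional[str]  # None for the account's root user


def parse_principal_arn(arn: str) -> Principal:
    """Reduce a principal ARN to the tuple that actually identifies it."""
    m = _PRINCIPAL_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    account, resource = m.group("account"), m.group("resource")
    if resource == "root":
        return Principal(account, "root", None)
    kind, _, rest = resource.partition("/")
    if kind == "assumed-role":
        # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>:
        # the credentials act as the role; the session name is only a label.
        kind, rest = "role", rest.split("/", 1)[0]
    if kind not in ("user", "role") or not rest:
        raise ValueError(f"unsupported principal resource: {resource!r}")
    # Paths (user/eng/frobiz) are organisational; the name is the last segment.
    return Principal(account, kind, rest.rsplit("/", 1)[-1])


def same_principal(arn_a: str, arn_b: str) -> bool:
    """Two ARNs name the same principal only if the whole tuple matches."""
    return parse_principal_arn(arn_a) == parse_principal_arn(arn_b)


def iam_user_signin_url(account_id_or_alias: str) -> str:
    """Console sign-in page for IAM users of ONE account; this host is what a
    password manager can key on. The root user instead signs in by e-mail at
    https://signin.aws.amazon.com/ with no account in the URL."""
    return f"https://{account_id_or_alias}.signin.aws.amazon.com/console"


def vault_entry_name(arn: str) -> str:
    """Account-first label so two 'frobiz' logins never collide in a vault."""
    p = parse_principal_arn(arn)
    return f"aws/{p.account_id}/{p.kind}" + (f"/{p.name}" if p.name else "")


if __name__ == "__main__":
    a = "arn:aws:iam::111122223333:user/frobiz"
    b = "arn:aws:iam::444455556666:user/frobiz"
    print(same_principal(a, b))            # False: same name, two accounts
    print(iam_user_signin_url("111122223333"))
    print(vault_entry_name(a), vault_entry_name(b))
```

Run it and the two `frobiz` users come out as distinct principals and distinct vault entries; a role ARN and an STS assumed-role ARN for that role collapse to the same tuple, because the session credentials carry the role's permissions, not the session name's.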
| YPPH wrote:
| Some of these are legitimate grievances but it seems quite
| reasonable to have separate accounts for work and play.
|
| What I do despise is that my Amazon.com credentials are the same
| as my Amazon AWS root account credentials. They aren't equals.
| The services share the name of a rainforest and a very rich CEO
| but that's about where the similarities end for my part.
|
| I'd rather not have to plug in my AWS root account credentials
| when I get the urge to impulse buy a robotic vacuum cleaner.
| imwillofficial wrote:
| These are two different sets of Creds, or should be.
| YPPH wrote:
| Hm, well they're the same for me and I get redirected to
| Amazon.com to edit certain pieces of AWS account information.
|
| Perhaps it's because my account is very old - possibly having
| been created near the inception of AWS. I have no memory of
| creating the account.
| waf wrote:
| Right, AWS accounts created before September 2017 are
| coupled to amazon.com retail accounts. Accounts created
| after this are separate.
| mcherm wrote:
| For those of us with coupled accounts, is there any way
| to separate them?
| LilBytes wrote:
| Change the root user email on your AWS account or the
| Amazon retail address to something different.
| psanford wrote:
| That doesn't work for old accounts. Changing your root
| email address will also change it for the retail account.
| This is documented behavior by AWS:
| https://aws.amazon.com/premiumsupport/knowledge-
| center/trans...
| LilBytes wrote:
| Thanks for the correction.
|
| I thought my personal account was this old already,
| clearly not.
| hhsub wrote:
| That's kinda your fault for not having created two accounts,
| innit
| [deleted]
| Galanwe wrote:
| > What I do despise is that my Amazon.com credentials are the
| same as my Amazon AWS root account credentials.
|
| This bit me hard last year... I lost my phone and with it my
| MFA for the root account, and of course forgot to properly
| backup the MFA seed.
|
| Now when calling AWS support to get back my accesses, they ask
| me to prove ownership of my Amazon.com account with the same
| email... Which is like 15 years old. I changed phone number,
| address, country dozens of times since then.
|
| Apparently I would have to get back to my home country and ask
| a notary to sign a paper asserting I am really me to get back
| my accesses. Nightmare.
| danielheath wrote:
| As you have learned, setting up 2fa for an important service
| isn't something to be done lightly.
|
| My current setup is two yubikeys (one in storage, one in my
| computer) and OTP on my phone. Failure is still possible but
| it's unlikely enough for me.
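What Galanwe lost was the seed, not the phone: any device holding the same seed computes the same codes, which is why danielheath's second enrolled device works as a backup. As an added example (not code from the article or from AWS), this is the TOTP computation from scratch with only the standard library, plus the server-side check with its skew window. The seed is the public RFC 4226 / RFC 6238 test secret, not a real one.

```python
"""TOTP from the seed: the seed is the factor, the phone is just a calculator.

Added example; not from the article or AWS. Uses only the standard library.
The seed below is the public RFC 4226 / RFC 6238 test secret, not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# base32 of the RFC test secret b"12345678901234567890", shown the way an
# authenticator app shows the "secret key" text next to the enrolment QR code.
RFC_TEST_SEED_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_seed(b32: str) -> bytes:
    """Turn the enrolment string back into raw key bytes: apps display it in
    groups, sometimes lower-case, and usually without base32 padding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time window."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(code: str, secret: bytes, at: int, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server side: accept the current window and `skew` windows either side,
    comparing in constant time. A real server also refuses to accept the same
    window twice (replay), which is not shown here."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k, digits), code)
        for k in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    old_phone = decode_seed(RFC_TEST_SEED_B32)
    new_phone = decode_seed(RFC_TEST_SEED_B32.lower())  # same seed, re-typed
    # Both "devices" agree; nothing about the device matters, which is why
    # the seed (or a second enrolled device) is what has to be kept safe.
    print(totp(old_phone, now), totp(new_phone, now))
```

The values in the RFC 6238 appendix (for example `94287082` at T=59 with eight digits) come straight out of `totp()`, so the implementation can be checked against a known answer before any real seed goes near it. Where to keep the seed is the same question as where to keep any other long-lived secret; printing it onto paper in a safe is a defensible answer for a root account.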
| mabbo wrote:
| Without going into too much detail, this "coupled account"
| problem is taken very seriously internally (AWS Identity dev,
| my opinions are my own and I don't speak for the company).
|
| There is a very large project to fix this. But as you can
| probably imagine, with a system this large and complex making
| changes to fundamentals like identities is _hard_, and done
| with a lot of care.
|
| All new accounts created today are "decoupled". They are not
| your Amazon account, and (barring some special internal tools
| for testing) you cannot make them the same account. But
| migrating all the existing accounts without causing harm is a
| messy business.
|
| My own AWS account has the same problem.
| cj wrote:
| > detail, this "coupled account" problem is taken very
| seriously internally
|
| I can say for certain that no, it is not something taken
| seriously.
|
| I (loudly) complained to AWS enterprise support in 2017, 4
| years ago, about this issue. Got escalated as high as could
| possibly be escalated (team leads of IAM calling my cell
| phone).
|
| 4 years later and the issue is unresolved. This is Amazon
| we're talking about. There's very little that can't be fixed
| in 4 years.
| mcharezinski wrote:
| Could you please share some of the technical challenges about
| the migration?
| FridayoLeary wrote:
| Is there work on Amazon.com itself? Because basically
| everything there needs fixing. But the filters would be a
| _very_ good place to begin a sorely needed facelift.
| koolba wrote:
| > I'd rather not have to plug in my AWS root account
| credentials when I get the urge to impulse buy a robotic vacuum
| cleaner.
|
| Clearly the solution to this is for the retail site to support
| IAM roles.
| quickthrower2 wrote:
| Yeah make it so confusing nobody buys anything!
| mxz3000 wrote:
| That made me chuckle
| andrewnicolalde wrote:
| Is this the case for you? Mine are totally different. How did
| they get tied together?
| jffry wrote:
| Up until 3-4 years ago, if you created an AWS account with
| the same email address as your amazon.com shopping account,
| Amazon would automatically link the two together, without
| warning and without a setting to undo this. Changing the
| password on one changed the other too. This connection
| persisted for accounts made after AWS stopped doing this,
| probably for backwards compatibility reasons.
|
| At least when I dealt with this mess a couple years ago, AWS
| support did not have reassuring answers. They claimed they
| could separate it, but if something went wrong we were on our
| own without spending large amounts of money on premium
| support.
|
| Lucky for me most of our resources were already in child AWS
| accounts and the rest could be migrated, so I was able to
| create a _new_ top-level AWS account, re-parent the child
| accounts, and delete the old parent account instead. At least
| with that process we could create a throwaway child account
| and test every step before doing it for real with production.
| YPPH wrote:
| Yes, it is. If I try to change my AWS root account password,
| I get redirected to Amazon.com.
|
| My account is very old. From the sounds of it, my grievance
| has been addressed by Amazon but I'm grandfathered on the old
| system.
| solatic wrote:
| You can change an AWS account's root account's email address.
| Even if you don't want to set up a new email account just for
| your AWS root account, many email providers include additional
| forwarding addresses as a feature, or use something like the
| Gmail feature where `me+aws-root-account@gmail.com` gets sent
| to `me@gmail.com`; from AWS's perspective these are completely
| different email addresses even if Gmail treats them as the same
| Gmail account.
| psanford wrote:
| Nope. For accounts created before 2017, if you change the
| root account's email address it changes the Amazon.com retail
| account's email address as well. This is documented behavior
| by AWS[0]:
|
| > If your AWS account and Amazon.com retail account share the
| same login information, updating the email address or
| password on one of the accounts changes information on the
| other account.
|
| [0]: https://aws.amazon.com/premiumsupport/knowledge-
| center/trans...
| LilBytes wrote:
| I'm using the same method. But only went down this like the
| grandfather comment where I'd already been bitten by having
| the same email as amazon@domain.com for both AWS and Amazon.
| Fortunately creating aliases in Fastmail is very trivial.
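The property solatic and LilBytes rely on, written out as an added example (not code from the article, from AWS or from any mail provider): a plus-addressed alias is a different string to a service that keys accounts on the whole address, yet lands in the same inbox. Only Gmail's documented rules are encoded (dots in the local part ignored, `+tag` dropped, case-insensitive); every other domain is treated conservatively as "the local part is what it is". That a service compares root e-mails as whole strings is the commenters' description and is taken here as an assumption, not verified against AWS.

```python
"""Plus-addressing: one mailbox, several distinct login identifiers.

Added example, not from the article or any provider. Only Gmail's documented
rules are encoded; other domains are left as typed. The addresses are made up.
"""
from typing import Iterable, Tuple


def split_address(addr: str) -> Tuple[str, str]:
    local, at, domain = addr.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return local, domain.lower()  # domain names are case-insensitive everywhere


def login_key(addr: str) -> str:
    """What a service that keys accounts on the full address sees: one key per
    spelling. Case-folding the local part is an assumption about such services."""
    local, domain = split_address(addr)
    return f"{local.lower()}@{domain}"


def mailbox(addr: str) -> str:
    """Where the mail actually lands: the provider's canonical form."""
    local, domain = split_address(addr)
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def alias_is_usable(candidate: str, retail_email: str) -> bool:
    """True if `candidate` is a different identifier from the retail address
    (so it cannot be the coupled one) yet still delivers to the same inbox."""
    return (login_key(candidate) != login_key(retail_email)
            and mailbox(candidate) == mailbox(retail_email))


def distinct_logins_vs_inboxes(addresses: Iterable[str]) -> Tuple[int, int]:
    """How many separate accounts a string-keyed service would create, against
    how many inboxes actually exist behind them."""
    addresses = list(addresses)
    return (len({login_key(a) for a in addresses}),
            len({mailbox(a) for a in addresses}))


if __name__ == "__main__":
    aliases = ["me@gmail.com", "me+aws-root@gmail.com",
               "me+aws-prod@gmail.com", "M.E@gmail.com"]
    print(distinct_logins_vs_inboxes(aliases))          # (4, 1)
    print(alias_is_usable("me+aws-root@gmail.com", "me@gmail.com"))  # True
```

The same trick cuts the other way for anyone doing abuse or duplicate-account detection: counting `login_key` values overstates the number of people, while `mailbox` is the figure that reflects real inboxes.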
| fairramone wrote:
| I have enabled 2FA on my Amazon account and also on my root AWS
| account. In order to log in to AWS using my root account, I
| must enter two 2FA responses: one for my Amazon account, the
| other for my AWS root account. It's weird!
| toss1 wrote:
| Yes, that's a lovely idea.
|
| EXCEPT for the absolutely abysmal "customer service" and "issue
| resolution" provided by the likes of Amazon, Google, FB, etc. (as
| if those so-called services even rise to the level of the
| ordinary definitions).
|
| IFF they provided real humans, with real time and authority to
| look into and resolve issues, this might be a good idea.
|
| But since, in the real world, their business model is obviously
| to provide only the most superficial figment of anything
| resembling an ability to resolve issues, any such linkage would
| be absolutely terrifying.
|
| Any inadvertent slipup, or even getting innocently hacked already
| results in disastrous loss of access to your own data and privs.
| Just today, there's an HN story of such an unrecoverable loss on
| FB & Oculus [1]
|
| The only solution in light of these hostile policies on the part
| of FAANGs and other big tech companies is maximum
| fragmentation/segmentation/sharding of accounts.
|
| (I've already passed on invitations for an Amazon Biz acct,
| despite the fact that it might be quite useful for my biz, for
| exactly these reasons.)
|
| Edit: add ref for [1]
| https://news.ycombinator.com/item?id=28249977
| qxmat wrote:
| As an independent software contractor I could say the same about
| Microsoft's Partner Network.
|
| Unless I sit a myriad of different exams I can't advance my
| competency to Silver or Gold. This means my MPN default "Partner"
| benefit is restricted Azure AD Basic and I can't take a parallel
| Azure DevOps build with me to a new project.
|
| Worse still, if I leave my MS Gold Partner for a start-up I'll
| lose access to the enterprise elements of Azure AD (SCIM
| integration, Azure AD Application Proxy etc). If I'm called out
| to support something I delivered I'll need to absorb the cost of
| upgrading my Azure AD subscription.
| turminal wrote:
| More megacorps knowing who I am?
|
| No thanks.
| ed-209 wrote:
| I clicked this wanting to ensure that AWS continues not knowing
| who I am. Apparently this person's issue is being too anonymous
| in the eyes of Bezos...a strange complaint indeed.
| zomiaen wrote:
| This is essentially the classic "internet ID" proposal that's
| been floated around for a few years, which universally has been
| regarded as a bad idea.
| lexicality wrote:
| This is very interesting because it comes from the perspective of
| someone who cares so much about what they do at work that it
| bleeds into their personal life.
|
| > never hear about WorkDocs rolling out a feature to the
| Frankfurt region -- unless you're using WorkDocs in Frankfurt
|
| Personally I'd hate that. Send that info to my work email account
| for sure, but my private one? No way!
|
| If I'm not currently being paid to think about my job, nothing
| should be trying to remind me of its existence.
| yellow_lead wrote:
| I'm not sure this is actually a good idea. Do I want AWS to
| contact me about my work account via my personal account? Do I
| want to get my personal card charged for work expenses or vice
| versa? I don't see what types of configuration would be useful to
| keep across accounts.
| DominikD wrote:
| I'm reading the comments and it looks like many people forgot to
| read the piece before commenting on it. Yes, separate credentials
| are good, he states that in the article. That's not what he's
| asking for either. He's aware of IAM, he's a user, and it's also
| stated in the article on several occasions.
| justincormack wrote:
| We overuse identity as an important thing in computing. AWS does
| have problems with IAM of course, but we need to accept that
| adding human identities everywhere in what is largely a system of
| computers and applications talking to each other is a security
| mistake, we need the fine grained delegation of access control,
| and capabilities. Just because I control some aspect of a program
| does not imbue it with any sense of my identity. Roles,
| capabilities, all these are more important than identities.
|
| They should be able to talk to you as a person for marketing or
| conferences yeah, that's a different thing.
| Sanguinaire wrote:
| To see how this can go tragically badly, try using MS Teams with
| one login address across multiple client accounts.
| politelemon wrote:
| Article fails to explain why that's a problem. From a security
| standpoint, this separation is necessary and beneficial.
| psanford wrote:
| Sounds like a problem if you are an AWS Serverless Hero, but for
| the rest of us I think there is comfort in the fact that AWS
| identities are not a massive privacy invasion.
| bluehatbrit wrote:
| This was exactly my thinking when I read through it. I don't
| even really care about shared pinned services, my day job and
| side projects use different services for the most part. None of
| the benefits explored will have much impact to me, and I use
| AWS almost every day for one reason or another.
|
| If anything it just gives me another place where I can't keep
| work and home separate. I don't want another "Atlassian" where
| suddenly my work owns my account because I had a work email
| attached to it, and can close it at will.
| selfhoster11 wrote:
| Absolutely no. I present different facets of my personality in
| different circumstances, because not everyone needs to know, or
| wants to know, everything about me. Work, family, public
| profiles, private chat and entirely personal spaces are separate
| for a reason. I don't talk about tech in too much depth with most
| of my family, and neither do I share my home address with
| everyone who checks my LinkedIn page.
|
| Binding these personality facets into a single person also has
| the disadvantage that if my account gets banned in one social
| context, the repercussions will touch the other contexts too.
| Will an oversensitive PC/abuse filter on one service ban me from
| all my Amazon-based access? I don't know, let's YOLO and find
| out.
| SilasX wrote:
| Yes! This was exactly the premise of my April Fools joke this
| year, where I imagined that Google would stop doing
| authentication challenges, because they already know who you
| are and which identities you use from all that tracking:
|
| http://blog.tyrannyofthemouse.com/2021/04/leaked-google-init...
| kalium-xyz wrote:
| They wont as of yet.
| aoms wrote:
| No thank you
| Canada wrote:
| I don't agree at all. I don't want to use the same account across
| multiple organizations.
| jon-wood wrote:
| And even if you did, that can be done via federated auth in
| IAM.
| lovetocode wrote:
| I disagree. I think compartmentalization is important.
| nitwit005 wrote:
| Every service that knows something about your identity has the
| potential to leak it due to a security problem. It's better to
| just not have access.
|
| This also seems like an IT headache. If you tie an identity to
| some test user, it has to get cleaned up somehow if you leave the
| job.
| saba2008 wrote:
| Idea of some grouping tool, orthogonal to security and account
| management, used to store personal preferences/notification
| settings/social network links sounds reasonable.
|
| Idea of 'identity for the human' reeks of ghastly surveillance
| and control. AWS has no business with 'the human', only with
| client - it's not my family, it's not my friend, it's not a law
| enforcing state with monopoly for violence.
| blunte wrote:
| Hope you get what you want, but I hope it's an opt-in because I
| do not want it.
|
| Depending on the service, I probably do not want to be ME + sub-
| identities. While a good sleuth (or algorithm) with enough data
| can probably connect me to all the different services I
| use/manage, I don't necessarily want that information to be
| public. And if it exists in a database somewhere, it will likely
| eventually become public.
| nikanj wrote:
| The downside of One True Identity is getting your startup data
| deleted from account A because account B was booted from Google
| for unclear TOS violation.
|
| Usually these issues can only get resolved by getting your blog
| post to HN
| profmonocle wrote:
| There was a horror story on Reddit a few years back, cross-
| posted to HN, where a single employee got their entire
| company's G Suite account banned for violating some Play Store
| policy using their work account. (as a consumer, not a dev)
|
| The horrifying part was that Google went on to ban _every
| employee's personal account as well_ because they were
| "linked" to an account that was banned for TOS violations.
| Imagine losing access to your email, Android apps, and photo
| library because a coworker you may not even know broke some
| TOS.
|
| A Google employee entered the thread and said they were
| investigating, but notably ignored anyone asking "is it really
| Google's policy to ban people's personal accounts if their
| employer gets banned?"
|
| I was pretty happy when my company switched from G Suite to
| Office 365.
|
| (Amazon allegedly isn't free of these "guilt by association"
| practices - I've heard stories of people getting permabanned
| from Amazon because their roommate or family member returned
| too much stuff, since the delivery address was the same.)
| blunte wrote:
| Do they? We heard the cries for help, and we assume in most
| cases a Googler here on HN champions the caller.
|
| In fact, I'd like to see some metrics, a transparency report of
| false positive blocks/deletions which were reversed.
|
| But indeed, I absolutely do not want my personal projects to be
| related in any way to my work projects, nor vice versa.
| thanksforfish wrote:
| Surely there are people getting banned from Google who are
| not HN users. Social media outcry is not a good solution as
| it's not accessible to everyone.
|
| Agreed about wanting to see more transparency.
| profmonocle wrote:
| The fact that these stories go viral as often as they do
| suggests false positives are pretty common, and that the
| standard support channels are really, really bad at dealing
| with them. Whenever I read a story like this, complaining on
| social media was the company/user's desperate last resort,
| not their first step.
|
| For every user who gets saved by someone at Google seeing
| their story on HN or Twitter, how many users stay permabanned
| because they just aren't social media savvy enough (or lucky
| enough) to get traction?
|
| I would _guess_ that the majority of false positive bans
| never get resolved.
| zamaterian wrote:
| Madness, if you get blocked by aws in one of their accounts. Wave
| goodbye to all the other accounts
| anilakar wrote:
| It's also possible to get your personal GMail account banned
| after someone at your company breaks Google ToS:
| https://www.reddit.com/r/tifu/comments/8kvias/tifu_by_gettin...
|
| For the few Google products we use at work, like Calendar, we
| make sure that people do not register with their existing
| personal accounts but use their work email address.
| bbarnett wrote:
| Isn't having more than one Gmail account a violation too?
| sokoloff wrote:
| I don't think so. We have a family gmail account (mostly
| for a shared calendar) and Google has explicit ways to use
| more than one account.
|
| https://support.google.com/accounts/answer/1721977?co=GENIE....
| nl wrote:
| It's not a violation to have more than one Google Account -
| there is the (pretty horrible) account switcher for that
| scenario.
| bbarnett wrote:
| Do you mean the login screen with a list of accounts,
| used from the browser? Or Android's multiple accounts
| ability?
|
| That doesn't mean more than one account _per person_ is
| OK though. Just the reality that more than one person may
| share a device.
| nl wrote:
| That story doesn't seem very believable. Why are other
| people's personal accounts getting banned too?
|
| One possible explanation is that the exit IP for the company
| has had malware hosted on it, so that IP is getting banned
| from Google services. If they go home or turn off WiFi on
| their phones it will probably work.
| skinkestek wrote:
| > That story doesn't seem very believable. Why are other
| people's personal accounts getting banned too?
|
| Fully believable.
|
| In some cases people don't even have the slightest clue.
|
| In this case there is at least an explanation even if it is
| bad.
|
| PS: I don't hate everything Google do or any employees
| specifically, I just try to shine a light on the places
| where they fail like lack of transparency or even basic
| communication or their abuse of market power to try to kill
| competing browsers.
|
| They have done good work in other areas it seems like
| standing up against dragnet surveillance etc.
| goforbg wrote:
| Exactly. I don't want this for the exact same reason.
| mvaliente2001 wrote:
| I've always thought that AWS conceptual model and implementation
| is a big mess. Root accounts different from other account, big
| numbers & ARNs exposed to the user, meaningless names for
| services, multiple names for same concepts (do I need to say
| Ireland-1 or is it eu-east-1?). It's inhuman and overly complex.
| I assume people haven't revolted because that baroque and
| unnecessary obfuscation feeds a lot of consultants whose time
| could have been cut significantly had Amazon had someone to
| think before implementing such monstrosity.
| 0xbadcafebee wrote:
| For those not reading the article: the purpose is to have better
| customer engagement, not to affect security or privacy in any
| way. They have a fractured ecosystem (customer-wise) and it makes
| people's lives annoying. (It's also a missed opportunity to
| simplify business intelligence)
|
| The benefit to you, the consumer, is deeper connection to the AWS
| ecosystem. Your contributions can be tracked on a dashboard and
| added to a virtual resume, so you don't have to list every god
| damn service and account you've worked with in your resume. You
| can more easily contact support across accounts and services,
| forums, etc. If you've ever gone, "shit, in what account/region
| did I use that one S3 feature before?", you could look it up in
| your global user history.
|
| It's the same thing as having one GitHub account that lists all
| your contributions across orgs/repos. You can always create
| another GitHub account linked to another key/email/identity.
|
| Solving this is a good idea, and can be done without much
| technical work, but it won't be, because of their business model.
|
| This is what Google already does: all your "stuff" is linked to a
| Google account across all their products/services, because their
| bread and butter is knowing who "you" are everywhere, so they can
| make money off "you".
|
| AWS doesn't care who "you" are because (outside of Amazon Prime)
| they don't make money off "you", they make money when you pay
| them. Very different business model. There's effectively no
| business case to track "you" everywhere, so they're not going to
| put in the work.
|
| But actually, this could be solved easily with PGP keys and a
| database of databases. Add your public key to every system that
| AWS has (or they can add it for you, based on your email
| address). They can look up your general information in any public
| key server. And if they need verification of who you are, just
| send them a signed E-mail or file or something. It would be
| tedious to do this manually for every service, so they can
| architect some internal service to map public keys to internal
| services to hopefully get the human validation part down to just
| one time.
| yarcob wrote:
| It's good that every service has separate credentials.
|
| For a counterexample, consider Apple and how they try to restrict
| you to a single Apple ID. They want everything to be tied to a
| single person. Every service you use is tied to your Apple ID.
|
| It just doesn't match the way that people use computers.
|
| For example, I get my computer games and business software billed
| to the same card, and there's no easy way to change that.
|
| Somehow the app store "helpfully" installed a baby monitor app
| that I use at home on my work computer.
|
| We set up a Mac as build server in the office. It's shared by
| multiple people. I need to log in with my personal credentials to
| download software from the Mac App store.
|
| My girlfriend bought an iPad for the kids to watch TV. It's
| shared by a couple of people. She had to log in with her Apple ID
| to set it up, and now her personal iMessages and emails are on
| it. It's stupid.
|
| Some of these problems can be fixed, but it's really annoying.
| wisty wrote:
| Or see people who "spammed" emotes into a Youtube livestream
| getting caught by spam detection and locked out of gmail.
| teddyh wrote:
| And, IIRC, they only did it because the YouTube streamer
| (i.e. the channel host) _asked_ them to do it!
| mbesto wrote:
| > I need to log in with my personal credentials to download
| software from the Mac App store.
|
| Do you though? Why not just setup a "apps@<yourbiz>.com" and
| create a new account?
|
| > and now her personal iMessages and emails are on it. It's
| stupid.
|
| So just turn these services off? They aren't mandatory.
| saba2008 wrote:
| Registering AppleID involves phone number checking. In some
| countries getting one without exposing personal information
| is not trivial.
| [deleted]
| donmcronald wrote:
| Lots of services won't allow duplicates. For example, you
| can't use the same number for account recovery on two
| different Microsoft accounts. Zoho won't let you register
| more than one account with the same number. Etc..
|
| I silo my profiles. I have 4 of them. It's really hard to
| do. Everyone encourages you to put all your stuff into a
| single profile. It's awful for work life balance and
| security, but it benefits big tech companies, so that's why
| it's like that.
|
| Do you want separate profiles for your password manager?
| Pay twice. Do you want separate personal and work windows
| installs (dual boot)? Pay twice. Etc..
| selfhoster11 wrote:
| Free, reputable password managers are available if you
| want to separate two different databases. As for work and
| personal Windows, it's likely that your company covers
| the licensing cost of their copy.
| [deleted]
| e40 wrote:
| My son wanted to login to the desktop AirBnB because I wanted a
| PDF of a receipt, which he couldn't get on mobile. He logged in
| using his Google account on his phone. On his Windows and Mac
| laptops, with Chrome and Firefox he got errors. He just
| couldn't login. We cleared cookies, everything. Rebooted.
| Nothing would fix it. Of course, to start a chat with aBnB you
| need to login...
|
| So, I agree. Every service should have separate credentials.
| danpalmer wrote:
| How does Apple restrict you to a single Apple ID?
|
| I use my personal Apple ID for personal things, my work one for
| work things, and as an admin of our Apple Business Manager
| account I can create new Apple IDs for anyone in the company as
| necessary.
|
| To my knowledge Apple doesn't even have a policy of requiring
| one account, I've certainly been told to set up separate
| accounts by Apple support teams.
|
| Facebook does have this problem, they have a policy that you
| must not have separate IDs, they police this heavily with a lot
| of automated bans, and they also require a Facebook account to
| do development with Facebook.
| noahtallen wrote:
| It's more like a single device is limited to a single Apple
| ID. (At least the mobile ones.) that gets tricky when it
| comes to, e.g. sharing an iPad with your kids. On computers
| you can work around it by having different profiles different
| people use.
| yarcob wrote:
| Do you use multiple Apple IDs on one device? I tried doing
| that for some time, and it caused a lot of issues. Maybe it
| works if you have separate devices for work and for home use,
| but I use my Macs for both business and home use.
| d0lphin wrote:
| I do! I have a separate Apple ID for services like iMessage
| than I do for the App Store. I can't log into more Apple
| IDs than that in settings though.
| amelius wrote:
| Yes, Apple ID is like a cookie that you can't delete.
|
| My solution: use Linux :)
| mastazi wrote:
| Are you using a Linux phone by any chance? Could you share
| some details? I've been thinking about it but I didn't pull
| the trigger because the alternatives I've been looking at all
| have shortcomings. Curious to hear more.
| Aaargh20318 wrote:
| > My girlfriend bought an iPad for the kids to watch TV. It's
| shared by a couple of people. She had to log in with her Apple
| ID to set it up, and now her personal iMessages and emails are
| on it. It's stupid.
|
| Apple considers iPads (and iPhones/Macs) as personal devices.
| You aren't expected to share an iPad, you're expected to buy an
| iPad for each user.
| lancesells wrote:
| You can log out of iMessage and not set up email. It's silly
| that there aren't user accounts on the iPad at this point but
| you can get rid of most everything by logging out and setting
| up controls in Screentime.
| dukeyukey wrote:
| Then Apple is either wrong, or being actively malicious with
| its products in order to sell more of them.
| Spivak wrote:
| I mean it's not really malicious to design a single-user
| system. At best it's passively malicious. Sure, you can
| always share your personal pizza but you have to deal with
| the consequences that it was sized for one person and you
| both might be hungry after.
|
| Are you upset about the fact that you can't have multiple
| isolated user-accounts on an iPhone?
| contravariant wrote:
| Oh wow, I've seen some mind bending arguments so far but
| I sure didn't expect you to defend Apple's condescending
| way of telling their customers what to do by telling
| people how they should eat their pizza.
| Spivak wrote:
| I actually meant the opposite. Nobody is going to stop
| you from sharing your personal pizza, like it's yours do
| whatever you want. But it's weird to complain to the
| pizza joint about the portion sizes and that you're still
| hungry after splitting one.
|
| Like Apple isn't misleading anyone, you know when you buy
| it that it's a single user system with all the downsides
| that entails. It's fine to say "I think Apple should
| support multiple users to cover my use-case" but not "how
| dare Apple not support my use-case."
|
| How dare my toaster not fit bagels! It's a conspiracy I
| tell you to get you to also buy a separate bagel toaster!
|
| Like are people really just blind buying devices without
| even looking to see if they do what you want them to do?
| If your requirements are "I need a tablet to share
| between me and my kids" why is an iPad even on the table?
| contravariant wrote:
| Sure not buying Apple is always a solution but if we're
| continuing the pizza analogy then surely a restaurant
| that would refuse to bring you an extra plate and
| tableware would be considered to have bad service?
| dukeyukey wrote:
| My bet is that the user research would say the vast
| majority of iPhone usage is indeed personal, but that a
| major amount of iPad usage is shared, especially among
| children (and even more so in poorer areas where an iPad-
| per-child isn't affordable). And I'd bet Apple knows
| this, but wants to maintain the fiction to encourage more
| sales.
|
| It's like Amazon waiting forever to include Chromecast
| functionality to sell more Fire Sticks. I understand, but
| it's still degrading the user experience, and that just
| grates my cheese.
| ctvo wrote:
| > Are you upset about the fact that you can't have
| multiple isolated user-accounts on an iPhone?
|
| The iPhone was mentioned once, to connect it's not
| possible on either iPhone or iPad. This is about the
| iPad, a completely different class of device, where it
| makes sense it would be shared, at least within a family,
| and has nothing to do with personal pizzas.
|
| It's a small point here, but the way you moved the goal
| post so your analogy applied more really bothered me.
| Spivak wrote:
| "I want device to be shareable" is very different than
| "Apple is malicious for not making device shareable."
|
| I'm not trying to move the goalposts because I think of
| my iPad as just a larger iPhone. To me they're the same.
|
| It's such an odd dynamic because I see so many families
| sharing an iPad which isn't multi-user but then treating
| laptops as personal.
| Aaargh20318 wrote:
| > This is about the iPad, a completely different class of
| device, where it makes sense it would be shared, at least
| within a family, and has nothing to do with personal
| pizzas.
|
| It would be very awkward, even if you had multiple user
| accounts. How do you deal with things like notifications
| on the lock screen for messages, which can be very
| personal. There is so much personal stuff on my iPad, it
| would be like sharing a toothbrush. Sure, you _could_ do
| it, but why would you ever want to?
|
| Computers have become deeply personal devices, to the
| point that having to keep personal stuff off them would
| negate a lot of their utility. Is there still a point to
| having shared computers? Do people still do that? Even
| my parents, who are in their late 60's and care little
| about technology both have their own personal laptops.
| __david__ wrote:
| iOS doesn't show messages on my phone lock screen until
| it's authenticated me via Face ID. Presumably on a
| theoretical multi-user iPad, it'd do Face ID and then
| show me _my_ lock screen messages and not anyone else's
| who happens to have an account.
|
| Sharing a computer doesn't mean keeping personal
| information off of it, it just means you want a device
| that respects your personal information and keeps it
| private (non-readable by other user accounts) by default.
| Monory wrote:
| Macs are definitely not personal -- you can trivially set up
| multiple user accounts.
| yarcob wrote:
| You can, but the experience sucks for families. If you want
| shared access to your family photos or music collection,
| you kinda need a shared account. But you probably don't
| want your family members to read all your email, so you
| need separate accounts. And what if you want to email a
| photo from the shared account? You end up having to switch
| accounts all the time, and the experience sucks.
|
| The result is that people just use web apps like Gmail
| instead of native apps, because it's a lot easier to sign
| in and out of services.
| Terretta wrote:
| > _Apple considers iPads (and iPhones/Macs) as personal
| devices. You aren't expected to share an iPad, you're
| expected to buy an iPad for each user._
|
| Categorically not true. iPads in particular can be set up for
| multi-user with hand off.
|
| Shared iPad Overview:
| https://support.apple.com/en-gb/guide/mdm/cad7e2e0cf56/web
|
| Shared iPad for Education:
| https://developer.apple.com/education/shared-ipad/
|
| Shared iPad for Business (MSFT Intune MDM docs):
| https://docs.microsoft.com/en-us/mem/intune/enrollment/devic...
| donmcronald wrote:
| That doesn't work for a personal account.
| [deleted]
| swinglock wrote:
| > Shared iPad requires a mobile device management (MDM)
| solution and Managed Apple IDs that are issued and owned by
| the organisation. Shared iPad requires a mobile device
| management (MDM) solution and Managed Apple IDs that are
| issued and owned by the organisation. Users with a Managed
| Apple ID can then sign in to Shared iPad, which is owned by
| the organisation. Note: Managed Apple IDs don't support
| Family Sharing.
|
| Practically not false.
| elzbardico wrote:
| Create a kid's account in a family, set up the device using
| this Apple ID. That's the correct way of setting up kids'
| devices anyway.
| Terretta wrote:
| I feel like with several of your problems where you "have to"
| do this or that, you're missing the value of iCloud "child"
| accounts that can be enabled to use the parent account's things
| they didn't pay for.
|
| Especially for the literal kids, use a child account. But also
| use a child account for the work machine so it can use your
| apps but isn't your personal messages and photos.
| yarcob wrote:
| Child accounts don't fix the problem that it is a shared
| device.
|
| I've never considered creating a fake child account for
| business use, but I have tried to create some fake Apple IDs
| for shared devices, so I didn't need to use personal
| credentials. Unfortunately Apple has blocked these fake
| accounts from accessing some services, so I had to fall back
| to using personal accounts.
| vageli wrote:
| > It's shared by multiple people. I need to log in with my
| personal credentials to download software from the Mac App
| store.
|
| I thought this was solved with managed Apple IDs?
| https://support.apple.com/en-us/HT210737
| kelnos wrote:
| This is one of the things Google actually got right with
| Android. I can add as many Google accounts to my phone as I
| want. Anything that needs to be associated with a Google
| account lets me choose which account to use, and I can
| selectively decide what gets (and does not get) synced from
| each account (mail, contacts, photos, store purchases, etc.).
| Many apps will even let me switch between accounts easily and
| seamlessly.
| tyingq wrote:
| I especially don't want AWS to tie my personal stuff to my work
| stuff. That would mean my work would then credibly have some
| rights over my personal stuff.
| kodah wrote:
| AWS doesn't deserve that kind of responsibility, no tech giant
| does. I'm surprised anyone would propose that without considering
| the consequences of this statement:
|
| The richest man in the world now controls the _idea_ of your
| identity.
|
| I will give crayons to every angry third grader willing to color
| all over that idea until it is unrecognizable.
|
| Real cryptography based identities with derived keys _are_
| possible. PGP allows this today. With some organization you could
| use PGP with twice derived keys for various identities that can
| be corralled under a single identity. Again, all possible today
| for the aspiring entrepreneur. What I think will be infinitely
| tricky is creating an organization that is international to
| manage them without influence. They can't be beholden to a
| single nation or continent. Being able to be influenced by any
| nation would need to be a P1 bug in the corporate architecture.
| You'd need a stupidly secure facility with offline data gaps, the
| kind that are proposed for things like SCADA.
|
| Anyway, I've thought about this problem a good bit over the
| years. I'm interested in others' thoughts.
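The "twice derived keys ... corralled under a single identity" idea in the comment above, worked through as an added example that is not code from the commenter or from anything in this thread. It assumes Ed25519 from Go's standard library in place of PGP, a one-step HMAC-SHA256 derivation in place of a full KDF such as HKDF, and constructed labels ("work", "cloud-console") and a constructed root seed. A root seed deterministically derives a persona key, the persona derives a per-service key, and each parent signs a certificate binding its child to itself; a relying party holding only the root public key can verify the chain, while the one-way derivation means the keys show no link to anyone who has not been given those certificates.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Identity is a keypair derived under a label from a parent seed.
type Identity struct {
	Label string
	Seed  []byte // whoever knows the seed owns this identity and every child of it
	Pub   ed25519.PublicKey
	Priv  ed25519.PrivateKey
}

// Cert is a parent's signed statement that ChildPub is one of its sub-identities.
type Cert struct {
	ParentPub  ed25519.PublicKey
	ChildPub   ed25519.PublicKey
	ChildLabel string
	Sig        []byte
}

// ConstructedRootSeed returns a 32-byte root seed hashed from a constructed
// string so the example is reproducible. A real root would come from a CSPRNG
// and live on an offline device.
func ConstructedRootSeed() []byte {
	sum := sha256.Sum256([]byte("constructed-root-seed-for-demo-only"))
	return sum[:]
}

// deriveSeed computes HMAC-SHA256(parentSeed, domain || label). Assumption: this
// keyed hash stands in for a standard KDF; its 32-byte output is ed25519.SeedSize.
func deriveSeed(parent []byte, label string) []byte {
	mac := hmac.New(sha256.New, parent)
	mac.Write([]byte("identity-derivation/v1/" + label))
	return mac.Sum(nil)
}

// NewIdentity builds an Ed25519 keypair deterministically from a seed.
func NewIdentity(label string, seed []byte) Identity {
	priv := ed25519.NewKeyFromSeed(seed)
	return Identity{Label: label, Seed: seed, Pub: priv.Public().(ed25519.PublicKey), Priv: priv}
}

// Derive creates a child identity. Applied twice (root -> persona -> service)
// it yields the "twice derived" per-service key the comment describes.
func (id Identity) Derive(label string) Identity {
	return NewIdentity(id.Label+"/"+label, deriveSeed(id.Seed, label))
}

func certMessage(parentPub, childPub ed25519.PublicKey, childLabel string) []byte {
	return []byte("cert/v1|" + hex.EncodeToString(parentPub) + "|" +
		hex.EncodeToString(childPub) + "|" + childLabel)
}

// Certify has the parent sign the binding of a child key to itself. The signed
// statement is the only thing that links the two keys: derivation is one-way,
// so neither key can be computed from the other.
func (id Identity) Certify(child Identity) Cert {
	return Cert{ParentPub: id.Pub, ChildPub: child.Pub, ChildLabel: child.Label,
		Sig: ed25519.Sign(id.Priv, certMessage(id.Pub, child.Pub, child.Label))}
}

// Verify checks one certification signature.
func (c Cert) Verify() bool {
	return ed25519.Verify(c.ParentPub, certMessage(c.ParentPub, c.ChildPub, c.ChildLabel), c.Sig)
}

// VerifyChain walks certs from a trusted root key down to the leaf key. The
// relying party needs only the root public key and the certs, no private key.
func VerifyChain(trustedRoot ed25519.PublicKey, chain []Cert, leaf ed25519.PublicKey) bool {
	cur := trustedRoot
	for _, c := range chain {
		if !bytes.Equal(c.ParentPub, cur) || !c.Verify() {
			return false
		}
		cur = c.ChildPub
	}
	return bytes.Equal(cur, leaf)
}

// Sign lets a leaf identity sign an application message.
func (id Identity) Sign(msg []byte) []byte { return ed25519.Sign(id.Priv, msg) }

func main() {
	root := NewIdentity("root", ConstructedRootSeed())
	work := root.Derive("work")             // first derivation: a persona
	console := work.Derive("cloud-console") // second derivation: a per-service key
	chain := []Cert{root.Certify(work), work.Certify(console)}

	msg := []byte("constructed login assertion")
	fmt.Println("leaf signature valid:  ", ed25519.Verify(console.Pub, msg, console.Sign(msg)))
	fmt.Println("chain anchored at root:", VerifyChain(root.Pub, chain, console.Pub))

	// Same root seed and labels reproduce the whole tree: one offline backup covers every key.
	again := NewIdentity("root", ConstructedRootSeed()).Derive("work").Derive("cloud-console")
	fmt.Println("re-derived key matches:", bytes.Equal(again.Pub, console.Pub))
}
```

The design choice worth noting: the seed hierarchy and the certificate hierarchy are separate. Derivation gives the owner one backup for everything; certificates are what a service sees, and the owner chooses which ones to hand out, so a per-service key can be presented on its own, linked only to a persona, or linked all the way to the root.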
| [deleted]
| StreamBright wrote:
| Sorry, but I disagree. The less any of these FAAMNG companies
| know about me or the identities I use, the better.
___________________________________________________________________
(page generated 2021-08-22 23:01 UTC)