Windows Security but Sec Basics/Functionality of XBOX App Lacking

Post Edits Applied

* Deleted from Windows and re-post to more appropriate Gaming & XBOX

* Spelling errors (hate that) - there still might be a few and grammatical errors but so be it

* Removed some unnecessary sarcasm

* Restructuring and rewording

* Tried to provide more clarity and brevity for replicating/testing (dunno how well the brevity thing worked out!)

Tl;dr version: XBOX App users are still unable to truly logout - FIX IT PLEASE Microsoft! I would respectfully invite an MS rep to actually respond to this thread

Seems to me this issue has been around for so long that in the year 2022 I would have thought Microsoft would have done something about it with so many people indicating the same concerns - but alas, nope.

See here: Microsoft Community filtered Results for search term "can't sign out of xbox app"

In addition to the results found at this very Microsoft Community as linked to above, all you have to do is Google - the proof is out there.

As per the title of this thread, Microsoft spruiked the security of Windows 11 and the reductions in malware etc the requirements provide.

However, when using XBOX app on PC there seems to be a glowing lack of security IMO. It also seems that any solutions provided never properly address the issue regardless of how many times these solutions are put forth, by whomever responded, regardless of their technical know how and no matter how the issue has been relayed by the concerned party.

That said, I would respectfully invite an MS rep to actually respond to this thread, as I and many others would be super pleased to hear from you

In all honesty I don't know what is not to understand. Others have described the issue and it's pretty simple really, but here is my own attempt in doing so and I do apologize for making this lengthy to any potential readers but unfortunately Microsoft just don't seem to get it so the more description the better I feel.

Here goes:

On an XBOX Console > Settings > Account > Sign-in, security & passkey > (set as) "Ask for passkey" > results in the following:

• On XBOX App Phone (Android) > Logout works properly and requires user to enter Email + Password + Authenticator Code (if applicable) to log back in (Re: Authenticator Code E.g., from Google Authenticator) == GOOD SECURITY
  

• On XBOX App PC > Profile & settings (I.e., Click gamerpic) > Sign out > Close App > Re-open app > Profile & settings > Sign in > Click SIGN IN in popup windows > select previously signed in account > Continue > Automatically signed in WITHOUT ANY REQUIREMENT to enter associated account password OR 2FA code == POOR SECURITY
  

PROBLEMS with XBOX App for PC and What Users Expect:

• Profile & settings > Sign out > they are ACTUALLY signed out
  

• If this is somewhat resembling what is meant to be a session based Sign in / Sign out routine that the session is actually cleared properly
  

• Common sense security implementation which in this case would constitute that the Email + Password + Authenticator code (if applicable) are entered again so as to block unauthorized access to account abilities such as paying for content via a connected payment method and the viewing/editing/alteration of any account settings/PII/etcetera (it seems that asking for 2FA code has not been implemented at this point in time but at the very least the password should be required)
  

• The requirement to enter Email + Password (at the very least) just as they must with other MS services such as Outlook webmail, Office365, Skype and right here at this Community Forum as prime examples
  

• If user has single Windows PC login for multiple household users and either single or multiple household users are added as Child accounts in XBOX App on PC > accounts are separated by an effective Sign out and NOT as it currently stands, able to be accessed with a single click by any user as is the unfortunate case for the last used account
  

• If "Ask for passkey" + "Ask for passkey to make purchases" settings are applied on XBOX console THEN in the XBOX App on PC at Profile & Settings > Account > Purchase Sign in > "I want to buy without a password, for faster checkout" toggle REMAINS toggled OFF ... regardless of whether or not a Sign out (attempted at this point because non functioning) has occurred either within the XBOX App, and/or the Windows Store (E.g., Win 10 Windows Store) or the System itself or any any combination of these and furthermore, this should apply even if the user has multiple systems running the XBOX App for PC and performs any combination of the previously mentioned - my personal testing seems to indicate that this toggle has a mind of its own and can in fact turn itself ON
  

• In the case of a Parent account who thinks they signed out because they selected Profile & settings > Sign out > they will be afforded protection from unauthorized purchases made via the Child account which is NOT possible right now because Profile & settings > Sign out does not truly sign you out (sheesh!!!) ... anyone for a massive child spending debt on their CC cause I know I've heard of it ... another example might be say a thief stealing a laptop from an airport lounge who proceeds to have a good old time playing every game from the XBOX Ultimate catalogue + Store purchases at the improperly signed out users expense on the thieves 18 hour flight to Achievement Land - think about it
  

• That the XBOX App under whichever moniker it comes (E.g., XBOX App/XBOX App for Windows/XBOX Companion App etc) + the Windows Store (on whichever Windows variant) stop bashing heads with each other particularly in regard to sign in conflicts ... Microsoft Store and XBOX are different from what I'm led to believe ... but when a user signs up to XBOX using the exact same credentials as their Microsoft account, credentials which get them into Outlook webmail, Office365, Skype, this forum, etcetera as previously mentioned then why "Your Microsoft store account is different than your Xbox account" messages and such? Once and for all could you PLEASE, for the love of all that is good in the World, SORT OUT the conflicts and get the Windows Store working properly - try harder PLEASE!
  

I am aware that some of the above can be solved by using the XBOX Console "Lock it down" security feature, and in my own testing, this seems to ensure that the Purchase sign-in toggle in the XBOX App for PC remains where it should (IMO and in case you haven't already guessed ... "where it should" means requiring credentials of some sort).

BUT ... and again this is JMO, this is no excuse for the issues discussed so:

Questions for Microsoft

• Why in 2022 are things that have been repeatedly bought up over several years such as the XBOX App Sign out and Microsoft Store issues not been remedied?
  

• Do you not see these things as time consuming, recurring annoyances/problems for the consumers of your products or do you just not understand what hundreds/thousands of people seem to have been trying to explain to you and constantly post issues about to forums such as this?
  

• Why is it not possible to actually logout of the XBOX App for PC when you clearly have a Logout option in the UI because it is obvious that what eventuates when a user clicks this option is NOT a logout as any logically thinking human would think of such when using hundreds? thousands? of apps/programs/websites where logout means logout in the way people have become accustomed to?
  

• Let us just pretend for a second that if a user were actually logged out when they clicked the logout option in the XBOX App for PC UI (you getting my point how ridiculous this is yet because that's not the case but we're pretending remember?), then when the user logs back in, why can you not implement the requirement for the user to enter their password AND a code from their authenticator application of preference just like on the XBOX App for phones
  

• Again, pretending for a second that the XBOX App for PC logged out a user properly (which I'm pretty sure I have adequately demonstrated is not the case by now), why would you not also make them enter the email address of the account which they would like to log into? Retaining even this == POOR SECURITY because in the case of anyone not using 2FA (which again you have zero implementation of in the case of XBOX App for PC) a password may be able to be guessed ... considering the application remembers the email address you are therefore already supplying half of the login equation on opening the app ... convenient for some but == POOR SECURITY for others
  

Constructive Criticism

Please don't tell everyone all about security with your latest OS if you are not even willing to implement basic, common sense security practices in for one, the application I have discussed here which is one of your very own.

This is not an isolated incident and I have provided links proving such so I will not be running tests on your behalf and reporting back to you - I already feel I have wasted enough time both figuring out in my own mind what seems a confusing mess of improperly configured sync settings between any or all of XBOX App variants/XBOX Console/Windows Stores ... and security flaws that leave doors open.

There is no excuse for this type of thing ESPECIALLY from a Company of Microsoft's magnitude.

There is no reason to say it isn't planned, can't be done, is too hard, oh we forget or overlooked that or whatever!

MS is a multi billion dollar company with what you seem to think are all your resources correctly fitted into their appropriate holes of the well-oiled machine, however, your users keep trying to tell you what your issues are so stop ignoring them - LISTEN!

It is not, or at least it should not, be the user/s who test your product/s for you - this should be occurring pre-release unless of course one chooses to be an Insider and help you ... nor should we be your fall person/s when something isn't tested properly and you mess up our systems ... AND, in general, we should not have to point out and repeat again and again what should be glaringly obvious to you!

We are not your employees, you do not pay us ... in fact YOU make money from us by correlating our data ... so do your job - get to it and FIX IT!

Late Addition Ideas / Spitballing

The XBOX Console itself (same as the XBOX App for PC if per-se the latter logged the user out properly) does not ask for a 2FA code either - why? Surely it could be implemented considering that the XBOX Console UI is just a trimmed down version of Windows if I'm not mistaken right?

Therefore, here's some ideas for various security settings ... maybe they make sense and maybe they don't but I leave that to the experts.

1) For those that don't want to login and simply want to turn on their XBOX Console and play then let them at their own risk and take them straight to the UI after they hit the ON button on their XBOX and turn on their remote (I assume the same people would want the "I want to buy without a password, for faster checkout" toggled to ON in the XBOX App - easy one there

2) For those that only want to use an XBOX remote to login then sure, link the remote to the XBOX console OR via Bluetooth on their PC to the XBOX App for PC and be done with that use case (is that even possible with the switch from Classic to BLE either via the PC's Bluetooth card or a MS branded XBOX Bluetooth/WiFi dongle in conjunction with the XBOX App for PC? Dunno ... but just saying)

3) If the user simply wants to use a passkey then fine ... but make sure that the passkey is also required to be entered into XBOX App for PC ... Possible? Somehow? Again, this would imply that the Logout option in the XBOX App for PC ACTUALLY logged the user out properly in the first place which is NOT currently the case as we know

4) If the user chooses to "Lock it down" via the XBOX Console then a) make the XBOX console the ONLY device that can reconfigure anything in relation to other synced devices (E.g., PC's running the XBOX App) which thereby makes it b) not possible to switch the "I want to buy without a password, for faster checkout" toggle from the OFF to the ON position and c) would ensure that on the XBOX App for PC side of things that a password at the very least would be required to make a purchase under any account ... I believe this may require something along the lines of session virtualization if that's not what is already happening but if it is then ATM it's a broke machine ... oh and session virtualization works in both directions? I dunno, maybe I'm talking outta my freckle

5) Custom security settings in the XBOX then another kettle of fish

Last idea from me here (as collective applause rings out over Microsoft Community) ... MS tries to push Edge and Bing on us all the time trying for heavier adoption ... considering I have already mentioned that the XBOX UI is basically a trimmed down version of Windows (again if I am not sorely mistaken) then why not make the starting application in the XBOX the Edge browser and same to get into the XBOX App for PC? By no means am I a programmers butthole but by sending a security conscious user directly to Edge you could then ask them for all I have mentioned being a) their email b) their password and c) their 2FA authentication code (I.e., all which constitutes a somewhat secure login to that which make up an entire set of Microsoft account credentials ... just spit-balling here is all I guess

Thanks

Thanks for reading, considering, taking constructive criticisms on board, listening ... if you got this far lol

:)