More secure file sharing for OneDrive Personal
Today a shared folder or document ist just protected by the link to it. If someone captures the email containing the link, then he has access to all the shared files.
To share more confidential files I would like to share with a specific microsoft account. Then the files are at least as secure as the microsoft account of the person i shared the files with.
Why to pay for office 365 home for 5 family members when I can't share the 1 TB of OneDrive space securely with them?
We’re working on the ability to share a file or folder with a specific Microsoft Account.
Microsoft shooting its customers in the head.
For those of you who have never seen or used it: Here is an article from 2014 that shows how sharing in onedrive was back then. Sharing could be restricted to a MS account with login!
Stuart Britt commented
This is crazy. So you used to simply be able to tick a checkbox to require a sign-in, or leave it blank if you wanted it only protected by the link. And then you remove the option? Really? What harm was it doing? Anyone that didnt want the "complication" or requiring sign-in simply didn't tick the checkbox.
And now, there is no way to have any guarantee of security, privacy, or traceability of who is viewing editing your files, even if you only share a file with one person?
Wow....I've been recommending onedrive to friends and family for the last few years. And this one thing has instantly changed that. It's no longer fit for purpose, and I'll have to go through the hassle of finding something else.
I thought the people share option disappearing would be only for short time. I am still using this feature to share files between my main and my secondary MS account. It still seems to work. Is it still secure? I dont know. Guess I have to be very careful with this not to brake something.
MS bring it back or I am out of onedrive and in consequence also out of the rest of office365.
What is to stop a web-crawler finding the shared OneDrive site and including the URL in responses to a search-engine enquiry?
A couple of years ago I decided to store a copy of our corporate Disaster Recovery documentation in OneDrive, since clearly our own resources may not be accessible in a disaster. We are largely an MS site and it seemed the logical place to use since it was as secure as any cloud storage, and provided a way to force sharing with only registered users. All good.
Then recently I was updating some permissions due to staff changes, and found there was NO LONGER an option to require the end user to sign in. All you get to do is send a link, which is clearly an insecure thing that will be breached the moment someone's email account is hacked, or in numerous other ways.
I could not believe this had changed, but after some research including reading below I find MS have intentionally shot themselves in the foot on this one. If they claim people find it easier not to enforce a login I can't argue. By that logic obviously we should abandon all authentication and just let everyone access anything they wish as "it will be easier".
Come on MS you surely can't be that disconnected from the real world and what it needs. An extra step is sometimes the price we pay for keeping our information secure. My DR documents (and other stuff I store) has lots of sensitive information which I don't want to be easily hacked into by others. With the huge increase in sensitivity to security incidents (and risks) in recent years I can't believe this stupidity will last - or will it?
For now though despite my personal dislike of Google, Apple etc. and my many years of allegiance to MS solutions, I have been forced to drop use of OneDrive for everything our company does and virtually everything personal but the photo sync from my (Windows) phone. I can't take the risk that an errant email will expose a sharing link in this way. I am being forced to reconsider my use of Microsoft products in other areas too, where facilities lag the market, but this one really pains me. It is such a simple fix, just restore a mechanism that was there before! Yet I suppose I will be stuck with Google Docs or worse still Dropbox.
Dav Clark commented
This is idiotic. I have started migrating folders I need to share to Google Drive. As an academic who helps drive adoption of technology in my organization, this is a way that MS is shooting themselves in the foot. At present, I have to recommend we get google apps for business on the basis of this one incredibly essential feature.
Sean W commented
What makes this worse it that the functionality used to exist. Sometime around March 2016 months ago it was removed. See the post by Omar Shahine in the office blogs on March 14, 2016.
I have old explicit shares that were shared to explicit MS Users that are still there. However, when I try to add new shares, it now only gives the option to share via link.
This should be a bug fix, or a "replace existing feature that was removed".
In the article they say they did A B testing with 28,000 users. I wonder if they explained to general users that the experience is easier because they are opening their files to anyone who has the link!
Is the Microsoft saying it cannot design a UI that is easy to use but also allows users to share securely, at least starting with other MS users? Perhaps look at the competition?
Douglas Pearce please get the team to do better!
Is that it? Thinking about it.
What if I want to place pics of my kids on onedrive. I am sure 100 of thousands of us do exactly that.
Does this mean that anyone with or without a LIve Id can browse about looking at them.
Does this really need 9 months to think about?
Everyday secure photos share.
Dear Microsoft, our data should be protected and can only be shared with people who have a share authorization (Username / Password >> Live ID). At the moment, there is no reliable protection when sharing my data in the OneDrive. It can read all people who know the shared link also the people who abuse the shared link or the shared link stolen (sharing the shared links by third). Also the topic secret service which has a simple game by intercepting the shared link and used for its purposes. Microsoft should do everything to ensure that our data is protected.
Thank you very much
A consideration on this idea is to create links that expire. in other words, I would like the ability to create a link that is active for x days (1, 7, 30, etc.) so that that link isn't 'live' forever. An option to add a password would be nice as well.
I agree with -
...People who have been given access to edit a shared folder shouldn't be able to create a link or add new persons unless they were given an option to do so. This was available before but was changed in the recent update to satisfy the needs of your casual user. We need more options to improve security in our end since we may be sharing sensitive files. They should just put "advanced options" below the simplified sharing buttons like Google Drive...
...I still want to password protect access when the drive is opened... ...
...Granting permission on an account basis instead of "whoever has the link" is a much more secure way of sharing files...- ***I think this should include sharing files with users that do NOT avean MS account. My parents refuse to have their data/activity recorded by MS so do not have MS accounts.***
...1DRV simply does not provide a way to share with a restricted, limited access that allows me know who edits my files. Essentially, all 1DRV links are insecure and can be accessed and edited by anyone who obtains them...
Andrew Allord commented
Really, no way to require passwords on folders in OneDrive even after all this time?
Security has become primary concerns for everyone. I share work stuff on my one drive on my work computer but I still want to password protect access when the drive is opened...
Amazing the response is "Thinking about it"?
Jessica Mangum commented
I'd like that only my voice can get into any of my photos or videos
Microsoft, you really do need to make this a very high priority.
We all need to know that when we share a file or a folder full of files with someone, that only that person or persons will get access, be it read or write as specified by us when a share is initialted.
Currently if a link or email gets into the wild, we are basically giving away the crown jewels.
Sean Frisbey commented
I agree. Granting permission on an account basis instead of "whoever has the link" is a much more secure way of sharing files.
The final word from the 1DRV Team on 8/28/2016:
"As stated, with Edit links, anyone who has access to the link can edit the file. View only links will require them to sign in, but Edit links will allow anyone with access to that link to edit it without signing in."
So for anyone wanting to collaborate with specific users by giving them an edit permission, know that your files are merely protected by the user's account /email log-in. In fact, the user doesn't even have to sign into their account to edit the file. So there's no way to track who made the edits.
If their account is breached, the hacker will have access to any and all of the linked information.
Seriously, MSFT, how lame in this day and age to make your file sharing system this vulnerable (and make the official file sharing instructions obfuscate this inherent vulnerability!)
The confusion arises from the fact that while you are able to share with a specific email/1DRV account, the user you shared with is NOT required to log in to view/edit/re-share the file. I just spent over a MONTH exchanging email messages with 1DRV support regarding this.
They wouldn't provide me a straightforward confirmation of the fact that there is NOT a way to restrict sharing to only one user in a way that requires that user (to whom the email is sent) to sign in to their 1DRV account.
1DRV simply does not provide a way to share with a restricted, limited access that allows me know who edits my files. Essentially, all 1DRV links are insecure and can be accessed and edited by anyone who obtains them.
So if the recipient's email / 1DRV account is ever hacked and they get a hold of the links I shared, I cannot block their unauthorized access except by deleting all links I've ever shared.
Time to research alternate cloud-based sharing products.
Lyle Philip P. Legaspi commented
People who have been given access to edit a shared folder shouldn't be able to create a link or add new persons unless they were given an option to do so. This was available before but was changed in the recent update to satisfy the needs of your casual user. We need more options to improve security in our end since we may be sharing sensitive files. They should just put "advanced options" below the simplified sharing buttons like Google Drive. Seriously Microsoft, stop moving backwards!