In an effort to protect data and accounts from the increasing number of attacks leveraging basic authentication protocols, effective October 1, 2022, Microsoft will begin disabling basic authentication access for Exchange Online. Since the initial announcement back in 2019, millions of Exchange Online users have proactively transitioned to modern authentication.
What does this mean and why does this matter?
Basic Authentication
Basic authentication (also referred to as legacy authentication) is a widely used, industry-standard way for a client to prove its identity to a server: the client sends a username and password with its request, and the server checks them. Logging into an app or website with only a username and password is basic authentication. Because the credentials must accompany every request (Base64-encoded, which is not encryption, so only the TLS connection protects them in transit), any application that connects to your mailbox on your behalf has to store your username and password in its settings; if that application or site is compromised, your credentials are compromised with it. Another disadvantage is that basic authentication has no way to challenge for a second factor, so it cannot be combined with multi-factor authentication (MFA), which provides an additional layer of protection against compromised usernames and passwords. While username-and-password-based authentication is widely used, it is significantly less secure than other methods. A Microsoft analysis found that more than 99% of password spray attacks use legacy authentication protocols.
Modern Authentication
Modern authentication (also known as OAuth 2.0 token-based authentication) is an umbrella term for a variety of authentication and authorization methods. Most importantly, modern authentication does not pass Microsoft 365 account credentials to apps or websites. Instead, the app only handles an access token issued by a trusted identity provider such as Azure AD. The user authenticates directly with the identity provider, receives a token, and presents it to the application; because the application trusts the same identity provider, it trusts the token and grants access. The token is scoped to particular resources and expires, so the application never holds the password and a stolen token is far less damaging than a stolen password. Unlike basic authentication, modern authentication supports multi-factor authentication (MFA), adding another layer of security; the additional factors used can include hardware security keys, certificates, fingerprints, iris scans, or smartphone authenticator apps.
The Shift Toward Zero Trust
Zero trust is a “trust no one, verify everything” security strategy with three core principles: verify explicitly, use least privileged access, and assume breach. Every access is fully authenticated, authorized, and encrypted before being granted. As a user, this means you will only see and be able to access the applications that are relevant to you. Think of it like being given a temporary guest pass when visiting an office building. You check in at the front desk, verify your identity, and state who you are there to see. The receptionist issues you a guest pass that will only open the doors that need to be opened in order to get you where you need to go. If you try to access an unauthorized area, either intentionally or by accident, your pass will not open the door. To avoid the possibility of guest passes falling into the wrong hands, the pass is returned to the front desk and deactivated at the end of your visit. By disabling basic authentication in Exchange Online in favor of modern authentication, Microsoft continues to push towards a future built on zero-trust initiatives.
Why Does This Matter?
As cybercriminals continue to evolve and become more advanced in their attacks, Microsoft is dedicated to raising awareness of the importance of transitioning away from basic authentication methods. A recent analysis by Microsoft showed that customers who have disabled basic authentication experienced 67% fewer compromises than those who haven’t. With 84% of companies experiencing an identity-related breach in 2022, safeguarding identities is something that should be at the top of every organization’s priority list.
This shift requires that every app, program, or service that connects to Exchange Online supports modern authentication (OAuth 2.0). If no action is taken, any application still using basic authentication to access Exchange Online will stop working once Microsoft disables it for your tenant. If you are ready to improve your tenant's protection and block basic authentication ahead of the deadline, you can do this with an Azure AD Conditional Access policy that blocks legacy authentication clients, backed by an Exchange Online authentication policy that refuses basic authentication at the service itself. Before enforcing either, review the sign-in logs for accounts and client apps that still use basic authentication, so that service accounts, scanners, and other integrations can be migrated (or deliberately excluded) first rather than discovered when they break. As always, your Connection resources are here to help. Reach out to your Account Manager or Account Executive to learn more.
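One way to carry out the inventory-then-block approach described above, as an added PowerShell example that is not code from the original post or from Microsoft. It uses the Microsoft Graph PowerShell SDK for the sign-in log and the Conditional Access policy, and the Exchange Online Management module for the service-side authentication policy. The policy names, the 30-day lookback window, the break-glass exclusion list, and the required roles are assumptions for illustration.

```powershell
# Added example (not from the original post). Inventory basic-auth sign-ins,
# then block legacy authentication with Conditional Access and an Exchange
# Online authentication policy. Assumptions: the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed, the caller holds the
# Conditional Access Administrator and Exchange Administrator roles, and the
# policy names and the 30-day window are illustrative choices.

Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# --- 1. Inventory: who is still signing in with basic authentication? -------
# The sign-in log's "Client app" value names the protocol. Browser and modern
# desktop/mobile clients are the only modern values; everything else (IMAP4,
# POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...) is a
# legacy protocol that basic authentication rides on.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modernClients }

# One row per account/protocol pair: these are the integrations to migrate
# (or the service accounts to exclude) before enforcement.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# --- 2. Conditional Access: block legacy authentication clients ------------
# Created in report-only mode first, so the policy's would-be outcome shows
# up in the sign-in log without locking anyone out. Switch State to 'enabled'
# once the report-only results match the inventory above.
$policy = @{
    DisplayName = 'Block legacy authentication'        # assumed name
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users = @{
            IncludeUsers = @('All')
            ExcludeUsers = @()   # put break-glass account object IDs here
        }
        Applications   = @{ IncludeApplications = @('All') }
        # These two client app types cover Exchange ActiveSync and every other
        # legacy protocol; browser and modern clients are not matched.
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('block')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created Conditional Access policy $($created.Id) in state $($created.State)"

# --- 3. Exchange Online: deny basic auth at the service too ----------------
# New-AuthenticationPolicy creates a policy with every AllowBasicAuth*
# protocol switch turned off; making it the tenant default means any client
# that still presents a username and password is refused by Exchange itself,
# independently of Conditional Access.
Connect-ExchangeOnline -ShowBanner:$false
$exoPolicy = New-AuthenticationPolicy -Name 'Block Basic Auth'   # assumed name
Set-OrganizationConfig -DefaultAuthenticationPolicy $exoPolicy.Identity

# Verify: every AllowBasicAuth* property should read False.
Get-AuthenticationPolicy -Identity 'Block Basic Auth' |
    Select-Object AllowBasicAuth* |
    Format-List
```

Run step 1 on its own first and work through the list: each row is either an integration to move to OAuth or an account to exclude from the policy on purpose, with a ticket to track it. Only after the report-only policy has run for a while without unexpected "would block" entries in the sign-in log should its state be flipped to enabled. The Exchange Online default authentication policy can take up to 24 hours to apply to existing users, so a quick test against one mailbox immediately after step 3 is not a reliable sign that it has taken effect.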