Microsoft Ends Support for Basic Authentication: Impacts on Users
Microsoft recently announced that it will disable Basic Authentication on all protocols for tenants using the Exchange Online service. On October 1, 2022, Basic Auth will be permanently disabled for all tenants regardless of usage, with the single exception of SMTP Auth.
Before then, starting in early 2022, Microsoft will roll out short, temporary disablements: randomly selected tenants will have Basic Auth turned off for 12-48 hours, during which every client and app that still uses Basic Auth will fail to connect. After that window, the protocols are re-enabled for the tenant.
Reasons for Disabling Basic Auth
According to Microsoft, Basic Auth is an outdated industry standard that is susceptible to cyber threats, making it a significant security risk in the current technological landscape. Even so, it has been in use for many years, and it is enabled by default.
Many tenants like it for its simplicity: services, apps, and add-ins log in with nothing more than a username and password pair. The downside is that those applications store the credentials somewhere on every device and in user settings.
The same simplicity that makes Basic Auth easy for clients also increases the risk of attackers obtaining credentials through brute-force or password spray attacks. In a password spray attack, the attacker takes a short list of common passwords and tries each one against a large pool of user accounts, looking for any account that uses one of them.
Such passwords give malicious actors easy access to the IT environment, because many users choose weak passwords that are easy to remember.
Security Flaws of Basic Authentication
Basic authentication is convenient and straightforward for most businesses. However, it has several security issues that users need to understand now that Microsoft is taking the step of disabling it. Turning it off helps prevent unintended access by malicious parties; where it must remain in use, an additional layer such as SSL/TLS encryption is needed.
Here are the security flaws you should know about.
When an app or service uses basic authentication, the username and password it requires may be sent across the network in a form that is easy to decode. The password is effectively sent in the clear and is easy for others to read and capture. Base64 encoding of the username and password only obscures them; it makes it slightly harder for a friendly party to glean them through accidental network observation, but it is not protection.
A base64-encoded username and password can be decoded by anyone who captures them, because reversing the encoding is trivial.
Any motivated third party can therefore intercept usernames and passwords sent with basic authentication. If this is a concern, you can address it by sending all HTTP transactions over an SSL/TLS-encrypted channel, or by using a more secure authentication protocol such as digest authentication.
Even when the username and password are encoded in a scheme that is harder to interpret, a third party may still capture the garbled credentials and replay them to the original server over and over again to access your data. Basic authentication itself provides no mechanism to prevent these replay attacks.
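To make the point concrete, here is an added example (not from the original article) that audits constructed HTTP request samples for the `Authorization` header, classifies each as Basic, Bearer, or none, and reverses the Basic encoding exactly as any observer on the network path could. The hostnames, paths, and credentials are constructed for illustration.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of raw HTTP requests, as an organisation might capture
# from its own proxy while inventorying clients that still use Basic Auth.
SAMPLE_REQUESTS = [
    "GET /EWS/Exchange.asmx HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Basic YWxpY2VAY29udG9zby5jb206UGFzc3cwcmQh\r\n\r\n",
    "GET /api/v2.0/me/messages HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Bearer eyJhbGciOi.constructed.token\r\n\r\n",
    "POST /Microsoft-Server-ActiveSync HTTP/1.1\r\nHost: outlook.office365.com\r\n"
    "Authorization: Basic !!notbase64!!\r\n\r\n",
    "GET /owa/ HTTP/1.1\r\nHost: outlook.office365.com\r\n\r\n",
]

@dataclass
class AuthFinding:
    request: str            # "<METHOD> <path>"
    scheme: str             # "basic", "bearer", "none", or "malformed"
    username: Optional[str] = None
    note: str = ""

def decode_basic(token: str) -> Tuple[str, str]:
    """Reverse the Basic scheme: base64("user:password"). Raises ValueError on junk."""
    padded = token + "=" * (-len(token) % 4)            # tolerate omitted padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        raise ValueError("decoded value has no ':' separator")
    return user, password

def classify_request(raw_request: str) -> AuthFinding:
    """Find the Authorization header (if any) and report which scheme the client used."""
    first_line, *header_lines = raw_request.split("\r\n")
    request = " ".join(first_line.split()[:2])
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return AuthFinding(request, scheme.lower())
        try:
            user, _password = decode_basic(token.strip())   # password recovered too
        except ValueError as exc:
            return AuthFinding(request, "malformed", note=str(exc))
        return AuthFinding(request, "basic", username=user,
                           note="credentials recoverable by anyone on the network path")
    return AuthFinding(request, "none")

def audit(requests: List[str]) -> List[AuthFinding]:
    return [classify_request(r) for r in requests]
```

Run `audit(SAMPLE_REQUESTS)` to list which sample clients still send Basic credentials; the same logic applied to real proxy captures identifies the apps that will break on the cut-over date.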
Impact on Organization and Users
Every app, program, and service that connects Microsoft 365 users has to authenticate. When basic authentication is disabled, every application that still uses this legacy authentication protocol to access Exchange Online will stop working. Users therefore need to take action if their company still uses:
- Outlook 2010 and older: Once basic authentication is disabled, these email clients will no longer connect to Microsoft 365.
- Outlook 2013: Users need to enable OAuth in Outlook 2013 by making the necessary registry changes.
- Outlook 2011 for Mac: Like Outlook 2010, it does not support modern authentication and will stop connecting.
- Remote PowerShell: Users need to move to the modern Exchange Online PowerShell module (V2). Any unattended scripts that use basic authentication to connect to Exchange Online will stop working.
- Third-party apps, add-ins, and mobile clients: Any that do not support modern authentication will stop working.
Some tenants may already meet the requirements for disabling basic authentication. In other cases, IT departments will need to update or upgrade the required software on multiple workstations.
The bottom line is that Microsoft 365 administrators have to prepare for the change that disabling basic authentication brings. Even if authentication has not been a focus for you before, now is the time to look at the key differences between basic and modern authentication.
Users' Alternatives to Basic Auth
Microsoft has introduced Modern Authentication in several stages, increasing the security of authentication and authorization in Exchange Online.
Microsoft refers to its client/server implementation of the OAuth 2.0 authorization framework as Modern Auth. It serves as the authentication method between a client, such as a user's computer or phone, and a server, and it can also be used to protect cloud-based resources.
With Modern Auth, apps do not save Microsoft 365 credentials; they rely on token-based claims instead. The user still enters a username and password to authenticate with an identity provider, which then issues an access token. The token carries information about the specific permissions the requester has. This improves security because the token can expire or be revoked.
To compare the two approaches, think of Modern Authentication as a hotel key card that opens your room, the pool, and the gym floor, but is coded so that it cannot open any other guest's door or the kitchen. When you check out, the key is disabled, and it was only ever valid for you. Modern Authentication gives you access to what you need, when you need it.
Basic Authentication, by contrast, is like the keys to a house: unlocking the front door gives access to every room at once. Because it grants everything in one step, it is not an effective security control.
Contact us at Velocity IT for any Microsoft support and Microsoft networking needs your business may have. We will help you prepare for the future, offer a smooth transition to modern authentication protocols, and keep your business secure.