Microsoft: The deadline to get off Basic Auth is approaching
Exchange Online face Halloween deadline
Don't say you weren't warned.
Three years ago, Microsoft announced that it was going to start weaning its software offerings off Basic Authentication for more modern and secure user authentication methods. Since then, the software giant has moved a number of customer-facing applications, including Outlook Desktop and Outlook Mobile App, to Modern Auth via security updates.
Now Microsoft is telling users that on October 1 it is going to start disabling Basic Auth for protocols in Exchange Online that have yet to be turned off, including MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, Exchange ActiveSync, and Remote PowerShell.
Millions of users already have moved away from Basic Auth over the past three years and Microsoft has disabled it in millions of tenants. However, many are still using it, despite additional reminders in September 2021 and again in May.
Redmond is giving those who have yet to move off Basic Auth a three-month reprieve of sorts. In a blog post this week, Microsoft said it is updating its plan for customers who don't know about, or are not ready for, the change.
After Basic Auth is turned off October 1, customers will be able to use a self-service diagnostic to re-enable it for whatever protocols they need. This can only be done once per protocol, with the re-enablement starting once the diagnostic is run. That said, it will only last through the end of December. During the first week of January 2023, Basic Auth will be permanently turned off for all protocols.
"We recognize that unfortunately there are still many tenants unprepared for this change," the Exchange Team wrote. "Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven't done the necessary work to avoid an outage."
Microsoft updated its plan with the extra three months re-enablement because "we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful," the team wrote.
To keep Basic Auth for any protocols, users will be able to run the diagnostics during September and Microsoft will not disable it for those specific protocols, though it will be ended for the other protocols. However, customers will be able to re-enable those protocols after October 1 until the end of the year.
Microsoft will announce the move again in the Windows Message Center seven days before the disabling begins and tenants will be alerted through the Service Health Dashboard notifications when Basic Auth is turned off.
- Start using Modern Auth now for Exchange Online
- Microsoft delays disabling Basic Authentication for several Exchange Online protocols 'until further notice'
- Two-factor auth totally locks down Office 365? You may want to check all your services...
Basic Auth essentially is a legacy authentication method that involves sending credentials in plain text to systems and often which was offered by default. It doesn't naturally support multi-factor authentication (MFA), making it difficult for organizations using Basic Auth to use the modern security tool.
Shifting to Modern Auth is important as threat groups and cybercriminals use increasingly sophisticated means to steal credentials as companies continue to migrate to the cloud, embrace remote work models, and expand third-party access to corporate resources. According to a report by cybersecurity vendor CyberArk last year, 97 percent of senior security executives said attackers are ramping up efforts to steal one or more types of credentials.
Microsoft defines modern authentication as an umbrella term for methods between a client endpoint and a server or security measures that include such access policies as MFA, smart cards, Open Authorization, mobile access management, and certificate-based authentication.
In June the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory [PDF] that federal executive civilian agencies like the Federal Communications Commission, Federal Trade Commission and departments as Homeland Security and Justice are required to move off Basic Auth. At the same time, the agency also urged private organizations to do the same.
John Bambenek, principal threat hunter at cybersecurity company Netenrich, told The Register that making the switch to Modern Auth is a trivial matter for administrators but more challenging for apps and users that are still using legacy protocols, and that much of the focus will need to be.
"With encryption advances, password theft is becoming more difficult," Bambenek said. "Legacy methods don't have some of the same protections. This is why so many attacks are using legacy methods. At this point, it's a basic best practice, but changing now will also prevent disruption in October when Microsoft disables legacy protocols."
Many attacks begin with stolen credentials, he said, adding that moving to more modern authentications methods "makes it incrementally more difficult for attackers." ®