It's happening: Microsoft is making the decision to disable basic authentication. With the latest threats to cybersecurity, it's important to know whether this is going to be a helpful decision or not. So, let's get into everything you need to know about Microsoft disabling basic auth this fall.
What is Basic Auth?
Come October 2022, Microsoft will be turning off basic auth in an effort to protect millions of Exchange Online users.
Basic Authentication is a standardized way of sending your username and password. As the name suggests, it is the most basic method of implementing usernames and passwords.
It does not include any encryption or high-level security.
And in today's age of constant cybersecurity threats, that's not going to fly.
Basic Auth Account Already Starting to Go
Following the Covid-19 outbreak, Microsoft had to delay the removal of Basic Authentication from Exchange Online. The new date for the termination is set for October 1st, 2022, which is coming up fast.
We are already seeing Microsoft removing basic auth from several dormant accounts this month.
Those users will have the option to re-enable protocols up until the full removal of basic auth.
On the other hand, if you are an Exchange Online user and you DO want to get rid of basic auth before Microsoft plans to, you can.
In order to disable basic auth you'll have to create and assign authentication policies to users using the steps on the Exchange Online support page.
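One way to carry out those steps, as an added example that is not from the original post or from Microsoft's support page: it uses the Exchange Online PowerShell authentication-policy cmdlets to block basic auth for a small pilot group before making the policy the organization default. The admin account, policy name and pilot mailboxes are placeholder values.

```powershell
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
# Placeholder values (assumptions, replace with your own):
$AdminUpn   = 'admin@contoso.example'
$PolicyName = 'Block Basic Auth'
$PilotUsers = @('pilot1@contoso.example', 'pilot2@contoso.example')

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# A new authentication policy blocks basic auth for every protocol unless
# an -AllowBasicAuth* switch is passed, so none are specified here.
if (-not (Get-AuthenticationPolicy | Where-Object Name -eq $PolicyName)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}

# Check: every AllowBasicAuth* property on the policy should read False.
Get-AuthenticationPolicy -Identity $PolicyName |
    Format-List Name, AllowBasicAuth*

foreach ($user in $PilotUsers) {
    # Assign the policy to the pilot mailbox.
    Set-User -Identity $user -AuthenticationPolicy $PolicyName
    # Invalidate existing refresh tokens so the policy takes effect sooner
    # than it would through normal propagation.
    Set-User -Identity $user -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# Verify the assignment on each pilot user.
$PilotUsers | ForEach-Object { Get-User -Identity $_ } |
    Format-Table UserPrincipalName, AuthenticationPolicy -AutoSize

# Once the pilot users' mail clients are confirmed working with modern
# authentication, apply the policy to every account that has no explicit
# policy assigned. Left commented out so the pilot can run on its own.
# Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

Disconnect-ExchangeOnline -Confirm:$false
```

Starting with a pilot group surfaces older mail clients and scripts that still depend on basic auth before the change reaches every mailbox.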
When Microsoft originally made this announcement two years ago, they made us aware that by disabling basic authentication you will be required to use modern authentication with multi-factor authentication.
In my opinion, multi-factor auth is one of the best things you can do for your network's security.
To note, this removal of basic auth will only impact Exchange Online and not on-premises Exchange Server products.
Why is Microsoft Disabling Basic Auth?
Microsoft did not come right out and explain why they made the decision to disable basic auth this year.
We can speculate and say it was probably after the Guardicore report, which details the hundreds of thousands of Windows domain credentials being leaked due to misconfigured basic auth emails.
The reporting disclosed an attack called "The ol' switcheroo" which forces Exchange clients to negotiate in basic authentication.
Basic Authentication Is No Longer Safe
Basic Authentication, also known as proxy authentication, is an HTTP-based authentication method that allows apps to communicate username/password combinations.
While basic authentication does make it simpler to authenticate, it also makes it easier for attackers to obtain credentials when connections are not encrypted using the Transport Layer Security (TLS) cryptographic protocol.
Even worse, basic auth makes it difficult to enable multi-factor authentication (MFA), and frequently MFA is not used at all.
Thanks to modern authentication (Active Directory Authentication Library (ADAL) and OAuth 2.0 token-based authentication), apps can use OAuth access tokens that have a limited lifetime and can't be re-used to authenticate on other services except those for which they were provided.
After you enable modern auth, it will be simpler to enable and enforce MFA, which will directly and immediately increase data security in Exchange Online.
It is a good thing that Microsoft is disabling basic auth this fall. They are doing it to continually ensure network safety. I will make sure to update you as more information about this switch comes out.
If you need help enabling modern authentication, feel free to book a time to chat with us via the Calendly link below. I'd be happy to discuss ways to optimize your company's IT.
STG IT Consulting Group proudly provides IT Service for Small to Medium Businesses in Greater Los Angeles. We'd love to see if we can help you too!