Microsoft and U.S. cybersecurity officials are renewing calls for organizations to switch from Basic Authentication (Basic Auth) to Modern Authentication in Microsoft Exchange Online before the company begins disabling Basic Auth in October.
Microsoft on Oct. 1 will begin turning off the ability to use Basic Auth in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, Remote PowerShell, Exchange Web Services (EWS), Offline Address Book (OAB), Outlook for Windows, and Mac.
In addition, Microsoft is disabling SMTP AUTH in all tenants in which it’s not being used.
According to Microsoft, this requires customers to move from apps that use basic authentication to apps that use modern authentication, including OAuth 2.0 token-based authorization. Modern authentication also allows admins to enable and enforce multifactor authentication more easily.
In an advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that Basic Auth is a legacy authentication method that does not support multifactor authentication, which has been proven effective at preventing identity-based attacks such as phishing.
The agency is requiring federal agencies to determine their use of Basic Auth, migrate users and apps to Modern Auth, and then block Basic Auth. CISA has published a guide to help organizations identify where Basic Auth is in use and migrate to Modern Auth.
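As an added illustration of that identify-then-block procedure (this is not code from the article, Microsoft or CISA), the PowerShell below inventories legacy-auth sign-ins from Azure AD, lists mailboxes that still have POP or IMAP enabled, then blocks Basic Auth with an Exchange Online authentication policy and turns off SMTP AUTH. The policy name, the pilot and scanner addresses and the 30-day window are placeholders; reading sign-in logs through Graph assumes the AuditLog.Read.All scope and an Azure AD Premium license.

```powershell
# Added example, not from the article or from Microsoft/CISA. Assumes the
# ExchangeOnlineManagement and Microsoft.Graph.Reports modules are installed
# and that the admin can read Azure AD sign-in logs. Names marked placeholder
# are assumptions.

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Find who still authenticates with legacy protocols. Azure AD records the
#    client protocol in ClientAppUsed; modern-auth clients show up as
#    'Browser' or 'Mobile Apps and Desktop clients', everything below is legacy.
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services', 'SMTP'
)
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Date filter is applied server-side; protocol filter client-side to keep the OData simple.
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients }

# Who, with which protocol, how often, and when last seen. Every row here is a
# user or app that must be migrated before Basic Auth is blocked.
$signIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object @{n='User';     e={ $_.Group[0].UserPrincipalName }},
                  @{n='Protocol'; e={ $_.Group[0].ClientAppUsed }},
                  @{n='SignIns';  e={ $_.Count }},
                  @{n='LastSeen'; e={ ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime }} |
    Sort-Object SignIns -Descending | Format-Table -AutoSize

# 2. Mailboxes with POP/IMAP still enabled are exposed to password spray even
#    if nobody legitimately uses them.
Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true -or ImapEnabled -eq $true' |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled

# 3. Block Basic Auth with an authentication policy. A newly created policy
#    blocks Basic Auth for every protocol unless an -AllowBasicAuth* switch is set.
$policyName = 'Block Basic Auth'   # placeholder name
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}

# Pilot on one user first (placeholder address). Resetting the token validity
# timestamp forces the policy to apply now instead of within the next 24 hours.
$pilot = 'pilot.user@contoso.example'
Set-User -Identity $pilot -AuthenticationPolicy $policyName
Set-User -Identity $pilot -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Then make it the tenant default for every user without an explicit policy.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Disable SMTP AUTH tenant-wide; re-enable it per mailbox only for devices
#    (multifunction printers, line-of-business apps) that cannot use OAuth yet.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity 'scanner@contoso.example' -SmtpClientAuthenticationDisabled $false  # placeholder

# 5. Verify the end state.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

Run step 1 and 2 for a few weeks before step 3: any ActiveSync device, IMAP client or service account that appears in the report will stop working the moment the policy applies, and the default policy set in step 3 can take up to 24 hours to reach users who were not force-refreshed.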
Citing Microsoft, the agency says more than 99% of password spray attacks use legacy authentication protocols, and more than 97% of credential stuffing attacks use legacy authentication.
In addition, password attacks are running rampant, with 921 such attacks every second.
When legacy authentication is disabled, Azure AD accounts experience 67% fewer compromises, per the agency’s guide.
According to Microsoft, Basic Auth is still one of the most common ways customers get compromised, and attacks against organizations that still use the legacy method are increasing.
“We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack,” the company said in a May blog post.
In documentation, Microsoft calls basic authentication an “outdated industry standard” that is a common attack vector for hackers.
The company will begin turning off Basic Auth in its worldwide multi-tenant service on Oct. 1: it will randomly select tenants, send seven-day warning messages, and then turn off Basic Auth in those tenants. That process should be completed by the end of the year.