Adopt Modern Auth now for Exchange Online • The Register

The US government is urging federal agencies and private companies to adopt the modern authentication method in Exchange Online before Microsoft begins turning off basic authentication starting October 1.

In an advisory [PDF] this week, Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) said that while Federal Civilian Executive Branch (FCEB) agencies – which include organizations like the Federal Communications Commission and the Federal Trade Commission, and departments like Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch away from Basic Auth.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA wrote. “After completing the migration to Modern Auth, agencies should block Basic Auth.”

The agency adds that Basic Auth is commonly used by legacy applications or custom enterprise software, and that many user-centric applications such as Outlook Desktop and Outlook Mobile App have already migrated to Modern Auth via Microsoft security updates.

“This is a big deal,” John Gunn, CEO of authentication company Token, told The Register. “Security-conscious organizations have already made the switch, but many have not, and they are unnecessarily exposing themselves and others to attacks. Hopefully this message will speed up the process and motivate the laggards.”

Basic Auth is a legacy authentication method that, of course, does not support multi-factor authentication (MFA) and requires a user’s password to be sent with every authentication request. Numerous protocols can use Basic Auth, including Post Office Protocol and Internet Message Access Protocol (POP/IMAP), Exchange Web Services, ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP), the agency said.

MFA is required of FCEBs under President Joe Biden’s May 2021 Executive Order 14028 to enhance the country’s cybersecurity capabilities.

Ray Kelly, a fellow at Synopsys Software Integrity Group, reminded us that Basic Auth simply sends one’s username and password in encoded form in the clear; anyone can run the value through a base64 decoder to recover the original credentials. It must be wrapped in encryption to be used securely over a network.

“Microsoft’s move to disable Basic Authentication in Exchange Online is a great thing for securing the Microsoft cloud ecosystem, as we’ve seen legacy protocols that rely on Basic Authentication being used to bypass multi-factor authentication controls,” Aaron Turner, CTO at AI cybersecurity vendor Vectra, told The Register.

“By moving to a posture of disabling basic authentication by default, it essentially hardens all email users who rely on Microsoft Exchange Online. This makes it harder for attackers to simply scrape a username and password from a vulnerable mobile device or browser session.”

Speaking of passwords, Microsoft has long been a vocal advocate of getting rid of these authentication passphrases as they are unreliable and a weak link in the cybersecurity chain. The Windows giant has also touted MFA as a way to reduce a user’s chances of being compromised by 99 percent.

Moving away from legacy authentication

In a 2020 document, two senior Microsofties said an analysis of Azure Active Directory traffic showed that 99 percent of password spray attacks and more than 97 percent of credential stuffing attacks used legacy authentication protocols. Additionally, Azure AD accounts in organizations that have disabled such authentication methods were 67 percent less likely to be compromised than those still using legacy authentication.

Microsoft announced last year that it would disable Basic Auth in Exchange Online starting October 1, 2022.

Garret Grajek, CEO of identity specialist YouAttest, called the use of two-factor (2FA) or multi-factor authentication “table stakes” in the modern IT world.

“There is no excuse for using single-factor authentication in 2022,” Grajek told The Register. “The big players – Amazon, Microsoft, Google – have made it an option in their offerings. 2FA should be enabled for all resources. Attacks via zero-day bugs, source code injection, and supply chain vulnerabilities need to be monitored.”

He added that “having identities hacked through simple username/password hacks is unacceptable.”

CISA recommends several steps for moving to Modern Auth, the first being to review Azure AD sign-in logs to find the applications and users authenticating with Basic Auth.

Next, CISA says, develop a plan to move those applications and users to Modern Auth by following the Microsoft documentation and the Exchange team’s blog post about the move. After that, organizations can use authentication policies to block Basic Auth before authentication occurs, setting the policy per mailbox or across the organization.
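The two steps above, worked through in Exchange Online PowerShell as an added example (not code from the article or from CISA). Step 1 runs over a constructed sign-in log excerpt in the shape of an Azure AD sign-in export; step 2 assumes the ExchangeOnlineManagement module is installed and you hold Exchange admin rights, and the user names and policy name are placeholders.

```powershell
# --- Step 1: find users and client apps still signing in with Basic Auth ---
# Constructed sample in the shape of an Azure AD sign-in log JSON export
# (userPrincipalName / clientAppUsed / status.errorCode fields).
$signIns = @'
[
 {"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","status":{"errorCode":0}},
 {"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","status":{"errorCode":0}},
 {"userPrincipalName":"scanner@example.com","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}},
 {"userPrincipalName":"carol@example.com","clientAppUsed":"Exchange ActiveSync","status":{"errorCode":0}},
 {"userPrincipalName":"dave@example.com","clientAppUsed":"Mobile Apps and Desktop clients","status":{"errorCode":0}}
]
'@ | ConvertFrom-Json

# Client app values the sign-in logs report for the legacy (Basic Auth) protocols
# the advisory names; "Browser" and "Mobile Apps and Desktop clients" are Modern Auth.
$legacyClients = @('Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP',
                   'Exchange Web Services', 'Outlook Anywhere (RPC over HTTP)', 'Other clients')

# Only successful sign-ins matter: a failed Basic Auth attempt is noise (or an attack),
# not a user who still depends on the protocol.
$basicAuthUse = $signIns |
    Where-Object { $_.clientAppUsed -in $legacyClients -and $_.status.errorCode -eq 0 } |
    Group-Object userPrincipalName, clientAppUsed |
    ForEach-Object {
        [pscustomobject]@{ User    = $_.Group[0].userPrincipalName
                           Client  = $_.Group[0].clientAppUsed
                           SignIns = $_.Count }
    }
$basicAuthUse | Format-Table -AutoSize
# Here bob (IMAP4), scanner (Authenticated SMTP) and carol (ActiveSync) still need
# migrating; alice and dave already use Modern Auth.

# --- Step 2: block Basic Auth with an authentication policy, after migration ---
Connect-ExchangeOnline
# A new policy has every Allow* switch off, so it blocks Basic Auth for all protocols.
New-AuthenticationPolicy -Name "Block Basic Auth"
# Per mailbox: apply to users who no longer appear in the report above.
Set-User -Identity "alice@example.com" -AuthenticationPolicy "Block Basic Auth"
# Organization-wide default once every user and application has migrated.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
# Verify that no protocol is still allowed under the policy.
Get-AuthenticationPolicy -Identity "Block Basic Auth" | Format-List Name, AllowBasicAuth*
```

Keep running step 1 against fresh log exports after the policy is in place: a service account that resurfaces there is an application that was missed during the migration, not a user who can be retrained.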

These steps represent a significant improvement in security, adds Token’s Gunn.

“Among the benefits of Modern Auth is the use of MFA [and] not letting apps save credentials,” he said. “Auth has a defined lifetime and the scope of permissions can be limited. All of this makes a huge difference in stopping attacks.” ®

Chrissy Callahan
