Don’t say you weren’t warned.
Microsoft three years ago announced that it would begin weaning its software offerings from basic authentication in favor of more modern and secure user authentication methods. Since then, the software giant has transitioned a number of customer-facing apps, including Outlook desktop and Outlook mobile app, to Modern Auth via security updates.
Now Microsoft is telling users that on October 1st it will start disabling Basic Auth for protocols in Exchange Online that have yet to be disabled, including MAPI, RPC, Offline Address Book, Exchange Web Services, POP, IMAP, Exchange ActiveSync, and remote PowerShell.
Millions of users have already moved away from Basic Auth in the last three years, and Microsoft has disabled it in millions of tenants. However, many still use it, despite additional reminders in September 2021 and again in May.
Redmond is giving a three-month grace period to those who haven’t yet left Basic Auth. In a blog post this week, Microsoft announced that it is updating its plan for customers who are unaware of, or not ready for, the change.
After Basic Authentication is disabled on October 1, customers can use a self-service diagnostic to re-enable it for any protocols they need. This can be done only once per protocol, and the re-enablement takes effect once the diagnostic is run. That means it will last only until the end of December: in the first week of January 2023, Basic Auth will be permanently disabled for all protocols.
“We recognize that unfortunately many tenants are still unprepared for this change,” the Exchange team wrote. “Despite numerous blog posts, message center posts, service disruptions and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers who are aware of the deadline who simply have not done the necessary work to avoid an outage.”
Microsoft updated its plan with the additional three-month reactivation because “we understand that email is a mission-critical service for many of our customers and disabling basic authentication could potentially be very impactful for many of them,” the team wrote.
To keep Basic Auth for any protocols they need, users can run the diagnostic in September, and Microsoft will not disable it for those specific protocols, although it will still be disabled for the others. Alternatively, customers can re-enable those protocols after October 1 through the end of the year.
Microsoft will again announce the move in Windows Message Center seven days before the deactivation begins, and tenants will be notified via the Service Health Dashboard notifications when Basic Auth is deactivated.
Basic Auth is essentially a legacy authentication method that sends credentials to systems in the clear, and it was often enabled by default. It does not support multi-factor authentication (MFA), which makes it difficult for organizations still using Basic Auth to adopt that modern security control.
The shift to modern authentication is important as threat groups and cybercriminals use increasingly sophisticated means to steal credentials, while organizations continue to migrate to the cloud, embrace remote working models, and expand third-party access to corporate resources. According to a report by cybersecurity provider CyberArk last year, 97 percent of senior security managers said attackers are increasing their efforts to steal one or more types of credentials.
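To make the “in the clear” point concrete, here is an added example (written for this article, not code from Microsoft or The Register): a Basic Authorization header is only base64 of `user:password`, so anyone who can read it recovers the password, and the same check can be run over constructed sign-in records to inventory which of the protocols listed above still rely on Basic Auth. The record format, user names and passwords are all constructed for the example.

```python
import base64
from collections import Counter

# Protocols the article lists as still losing Basic Auth on October 1.
LEGACY_PROTOCOLS = {"MAPI", "RPC", "OfflineAddressBook", "EWS", "POP3",
                    "IMAP4", "ActiveSync", "RemotePowerShell"}

def classify_auth(header):
    """Return 'basic', 'bearer' (token-based Modern Auth) or 'other'."""
    scheme = header.split(" ", 1)[0].lower() if header else ""
    return {"basic": "basic", "bearer": "bearer"}.get(scheme, "other")

def decode_basic(header):
    """Recover user and password from a Basic Authorization header.

    Basic Auth is base64, not encryption: whoever can read the header
    (e.g. where TLS is absent or terminated early) reads the password.
    """
    if classify_auth(header) != "basic":
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password

def basic_auth_inventory(records):
    """Count Basic Auth connections per legacy protocol.

    Each record is a dict with 'protocol' and 'auth_header' (constructed
    format). The result shows an admin which protocols, and how many
    clients, still depend on Basic Auth and need migrating before cut-off.
    """
    counts = Counter()
    for rec in records:
        if (rec["protocol"] in LEGACY_PROTOCOLS
                and classify_auth(rec["auth_header"]) == "basic"):
            counts[rec["protocol"]] += 1
    return counts

def _basic(user, password):
    # Builds a Basic header for the constructed sample records below.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample sign-in records (not real tenant data).
SAMPLE_RECORDS = [
    {"user": "alice@example.test", "protocol": "IMAP4", "auth_header": _basic("alice@example.test", "Hunter2!")},
    {"user": "bob@example.test", "protocol": "IMAP4", "auth_header": "Bearer eyJ.constructed.token"},
    {"user": "scanner@example.test", "protocol": "EWS", "auth_header": _basic("scanner@example.test", "s3cret")},
    {"user": "carol@example.test", "protocol": "ActiveSync", "auth_header": _basic("carol@example.test", "p@ss")},
    {"user": "dave@example.test", "protocol": "SMTP", "auth_header": _basic("dave@example.test", "x")},
]
```

The SMTP record is deliberately left out of the inventory because SMTP AUTH is not among the protocols the article lists for the October 1 cut-off.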
Microsoft defines modern authentication as an umbrella term for methods between a client endpoint and a server or security measures that include access policies such as MFA, smart cards, open authorization, mobile access management, and certificate-based authentication.
In June, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a recommendation [PDF] that federal civilian law enforcement agencies such as the Federal Communications Commission and the Federal Trade Commission, and departments such as Homeland Security and Justice, move away from Basic Auth. At the same time, the agency also called on private organizations to do the same.
John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register that moving to Modern Auth is trivial for admins, but more of a challenge for applications and users still using legacy protocols, and that is where much of the focus needs to be.
“Advances in encryption are making password theft increasingly difficult,” Bambenek said. “Legacy methods sometimes don’t offer the same protection. This is why so many attacks use legacy methods. For now, this is a basic best practice, but changing it now will also prevent disruptions in October when Microsoft disables legacy protocols.”
Many attacks start with stolen credentials, he said, adding that the shift to more modern authentication methods “makes it increasingly difficult for attackers”. ®
https://www.theregister.com/2022/09/05/microsoft_basic_auth_deadline/ Deadline to phase out Basic Auth is approaching • The Register