If you’re familiar with our blog, you’ll find a common theme of cyber security. And for good reason. Cybercrime is a hot topic today and when Microsoft makes big changes, other industry vendors tend to follow.
Microsoft’s latest major announcement centers on disabling basic authentication, which is scheduled to take place in October 2022.
Here’s what you need to know.
What is Basic Authentication?
Basic authentication is the simplest form of security we are all accustomed to. An example is logging into an app, service or add-in with a login and password. When this happens, those applications store credentials within their settings, presenting a huge opportunity for bad actors to gain access.
In addition, basic authentication doesn’t support various levels of permissions. In other words, if someone gains access to your login and password, they get the keys to the kingdom. In a perfect, modern-day world, the security best practice would be to only allow access to the data and resources required for an application to function.
What is Modern Authentication?
Modern authentication prevents apps from saving Microsoft 365 account credentials. In order to grant access, a user first needs to log into their account using the traditional Microsoft 365 login experience. Once they log in, they need to accept an app’s request to access their account.
Temporary access is then granted using a token, which has an expiration. To put it simply, modern authentication (also known as OAuth 2.0) is a standard that can grant an app access to another system’s information without giving it the password.
In addition, modern authentication enables the use of multi-factor authentication (MFA), which adds yet another layer of security.
How Will This Impact Organizations and Businesses?
This shift to modern authentication requires that every app, program or service connected to Microsoft 365 authenticates itself. If actions are not taken, all applications using basic authentication to access Exchange Online will stop working.
Is your organization using any of the following?
If so, you need to take action today. Need help? Call Ontech’s support team at 262-522-8560.
ACTION IS REQUIRED IF YOU ARE USING:
- Any third-party apps, add-ins or mobile email clients that don’t support modern authentication.
- Remote PowerShell – needs to use the modern Exchange Online module (V2). Unattended scripts connected to Exchange Online that use basic authentication will stop working.
- Outlook 2011 for Mac – does not support modern authentication.
- Outlook 2010 or older – unable to connect to Microsoft 365 with basic authentication disabled.
- Outlook 2013 – will require some registry changes if OAuth 2.0 is enabled.
If you are able to get a head start on this update, some tenants may be qualified to disable basic authentication, but IT technicians will need to either upgrade or update software across multiple workstations.
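For the Remote PowerShell item above, an unattended script moves from a stored password to certificate-based, app-only sign-in roughly as follows. This is an added example, not code from the original post or from Microsoft; the app ID, certificate thumbprint, tenant name, pilot mailbox and policy name are placeholders, and it assumes the ExchangeOnlineManagement (V2) module is installed and an Azure AD app registration with a certificate already exists.

```powershell
# --- Before: legacy Remote PowerShell with basic authentication ---
# The script has to hold a reusable password, and the session sends it with
# -Authentication Basic. This stops working once basic auth is disabled.
#
# $cred    = Get-Credential
# $session = New-PSSession -ConfigurationName Microsoft.Exchange `
#     -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
#     -Credential $cred -Authentication Basic -AllowRedirection
# Import-PSSession $session -DisableNameChecking

# --- After: Exchange Online module V2 with modern authentication ---
Import-Module ExchangeOnlineManagement

# Placeholders (assumptions for this example): replace with your own values.
$appId      = '00000000-0000-0000-0000-000000000000'   # Azure AD app registration
$thumbprint = '<CERTIFICATE-THUMBPRINT>'               # cert in the local store
$tenant     = 'contoso.onmicrosoft.com'                # placeholder tenant

# App-only sign-in: no password is stored in the script or on disk.
Connect-ExchangeOnline -AppId $appId -CertificateThumbprint $thumbprint `
    -Organization $tenant -ShowBanner:$false

# Confirm the tenant has modern authentication turned on.
Get-OrganizationConfig | Format-List Name, OAuth2ClientProfileEnabled

# List authentication policies; a policy created with New-AuthenticationPolicy
# blocks basic authentication for every protocol unless an Allow* switch is set.
Get-AuthenticationPolicy | Format-List Name, AllowBasicAuth*

# Pilot: block basic auth for one test mailbox before changing the default.
# New-AuthenticationPolicy -Name 'Block Basic Auth'
# Set-User -Identity 'pilot.user@contoso.onmicrosoft.com' `
#     -AuthenticationPolicy 'Block Basic Auth'

Disconnect-ExchangeOnline -Confirm:$false
```

The pilot lines are left commented out so that running the script only reads tenant settings; uncomment them once the listed clients have been upgraded.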
Basic Authentication – Office 365 End of Life Timeline
As you’ll see below, Microsoft has been planning this update for several years, but was forced to postpone updates due to Covid-19 and its impact on businesses, among other reasons.
- October 22, 2019: Microsoft enabled Security Defaults to block all legacy authentication protocols for all new users.
- October 13, 2020: Microsoft planned to disable basic authentication in Exchange Online for all tenants, but this update was since postponed.
- October 2020: Basic authentication is disabled for tenants who do not use it.
- Latter half of 2021: Microsoft disables basic authentication for all tenants. This update was also postponed.
- February 2021: Microsoft announced basic authentication will not be blocked for any protocols that a tenant is using. They did block basic authentication for unused protocols with a 30-day warning in the Microsoft 365 Message Center.
- October 2022: Microsoft will completely shut down basic authentication for connections to Exchange Online. This announcement came in September of 2021, providing businesses with plenty of time to move to modern authentication.
Beyond modern authentication, many noteworthy businesses like Google, Microsoft and Citrix are today adopting the zero trust security model, which was created on the premise of “trust nothing, verify everything”. The concept requires multiple checkpoints, such as multi-factor authentication, both inside and outside a network.
With the cost of an average data breach reaching $4.24 million in 2021, according to a recent IBM report, cyber criminals are making a killing and businesses are losing – big time.
Whether you need help disabling basic authentication or you’re in need of assistance in developing a layered cyber security plan for your greater Milwaukee area business or organization, we encourage you to request a free network discovery to identify the high risk vulnerabilities in your network.
If you’re ready to jump right in, you can schedule a complimentary introduction to learn more about our Network Security Assessments, where you get 6 comprehensive reports that will deliver an in-depth look at the most vulnerable areas of your network.