The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

In an advisory [PDF] this week, Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA wrote. “After completing the migration to Modern Auth, agencies should block Basic Auth.”

The agency adds that Basic Auth is often used by legacy applications or custom-built business software, and that many user-facing applications, such as Outlook Desktop and Outlook Mobile App, already have been moved to Modern Auth via Microsoft security updates.

“This is a big deal,” John Gunn, CEO of authentication outfit Token, told The Register. “Security-conscious organizations have already made the switch, but many have not, and they are needlessly exposing themselves and others to attack. Hopefully this message will accelerate the process and motivate the stragglers.”

Basic Auth is a legacy authentication method that doesn’t naturally support multifactor authentication (MFA) and requires a user’s password be sent with each authentication request. There are numerous protocols that can use Basic Auth, including the Post Office Protocol/Internet Message Access Protocol (POP/IMAP), Exchange Web Services, ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP), the agency said.

MFA is required of FCEBs per President Joe Biden’s May 2021 Executive Order 14028 to improve the country’s cybersecurity capabilities.

Ray Kelly, a fellow at Synopsys Software Integrity Group, reminded us that Basic Auth simply sends one’s username and password in a plaintext, encoded form; you can use a Base64 decoder to view the original credentials. It needs to be encapsulated in encryption to be used securely over a network.

“Microsoft’s move to disable basic authentication in Exchange Online is a great thing for securing the Microsoft cloud ecosystem, as we have seen legacy protocols relying on basic authentication used to bypass multi-factor authentication controls,” Aaron Turner, CTO at AI cybersecurity vendor Vectra, told The Register.

“By moving to a posture of disabling basic authentication by default, it essentially hardens all email users who rely on Microsoft Exchange Online. This will make it more difficult for attackers to simply scrape a username and password from a vulnerable mobile device or browser session.”

Speaking of passwords, Microsoft has long been a vocal advocate for doing away with these passphrases for authentication, saying they are unreliable and a weak link in the cybersecurity chain. The Windows giant also has promoted MFA as a way of reducing by 99 percent the likelihood that a user will be compromised.

Moving away from legacy authentication

In a document dated 2020, two senior Microsofties said an analysis of Azure Active Directory traffic showed that 99 percent of password spray attacks and more than 97 percent of credential-stuffing attacks leveraged legacy authentication protocols. In addition, Azure AD accounts in organizations that disabled such authentication methods saw 67 percent fewer compromises than those still using legacy authentication.

Microsoft last year announced it will disable Basic Auth in Exchange Online starting October 1, 2022.

Garret Grajek, CEO of identity specialist YouAttest, called the use of two-factor (2FA) or multifactor authentication “table stakes” in the modern IT world.

“There is no excuse for use of single authentication in 2022,” Grajek told The Register. “The major vendors – Amazon, Microsoft, Google – have made it an option in their offerings. 2FA should be turned on for all resources. The attacks via zero-day flaws, source-code injections and supply chain vulnerabilities need to be monitored.”

He added that “to get hacked by simple username/password hacks on identities is unacceptable. The real challenge going forward is implementing a zero-trust architecture and real identity governance across all users and systems.”

CISA recommends several steps for moving to Modern Auth, with the first one being to review Azure AD sign-in logs to find the applications and users that are authenticating with Basic Auth.

Next is developing a plan to move those applications and users to Modern Auth by following Microsoft’s documentation and Exchange Team blog post about the shift. After that’s done, organizations can use authentication policies to block Basic Auth before authentication occurs, setting the policy per-mailbox or across the business.

Taking these steps means a significant improvement in security, Token’s Gunn adds.

“The advantages of Modern Auth include using MFA [and] not letting apps save credentials,” he said. “Auth has a defined lifetime and the scope of permissions can be limited. All of these make a big difference in stopping attacks.” ®