Microsoft is Forcing Modern Authentication – Is Your Business Ready?

Basic Authentication is now disabled

Barrett Dilger

Microsoft announced back in September 2019 that it would start deprecating Basic Authentication. There hasn’t been much talk about it since, until now. Exactly 3 years later to the month, Microsoft announced that it will begin turning off Basic Authentication on October 1.

That wasn’t much lead time to make the change, but Microsoft is allowing a workaround until the end of the year.

What’s going on?

To improve security, Microsoft is removing support for Basic Authentication in Exchange Online. Basic Auth is a legacy (read: old) security protocol that isn’t up to snuff today. Why? Because it transmits the username and password in plain text for verification. How can this sound even remotely secure in today’s world? On top of that, it doesn’t play nicely with modern tools like MFA (multi-factor authentication), so there isn’t a way to increase your security while using it.

Microsoft research shows that more than 99% of password spray attacks use outdated legacy protocols. Password spray attacks are essentially brute force attacks; the difference is that they try one password across multiple accounts instead of multiple passwords against a single account.

Likewise, more than 97% of credential stuffing attacks also use legacy authentication protocols. Credential stuffing is when compromised credentials from a data breach are used to attempt to log into a completely different service.

Conversely, companies that have disabled legacy authentication experience 67% fewer compromises.

The statistics are staggering in support of this security change. This past June the US Cybersecurity and Infrastructure Security Agency (CISA) advised all Federal departments and private organizations to stop using Basic Authentication.

When is it happening?

While the September announcement didn’t give much notice, this has been in the works for years and many users have already moved away from Basic Auth. 

For those that haven’t, the October 1 deadline has already passed.

Microsoft acknowledges that many companies still use Basic Auth, and that this is a disruption to them. As a workaround, they are allowing a one-time re-enablement of Basic Auth protocols, on a specific one-by-one basis, to allow companies to still function. However, this workaround is only temporary and will only last until the end of the year.

The final deadline is December 31, 2022.

What’s the impact?

If your business has not already made the change to modern authentication, the impact is quite severe.

Any use of Basic Authentication protocols will cease to work. These protocols are:

  • Authenticated SMTP
  • Autodiscover
  • Exchange ActiveSync (EAS)
  • Exchange Online PowerShell
  • Exchange Web Services (EWS)
  • IMAP4
  • MAPI over HTTP (MAPI/HTTP)
  • Offline Address Book (OAB)
  • Outlook Anywhere (RPC over HTTP)
  • POP3
  • Reporting Web Services
  • Universal Outlook

Even if you are not technically inclined, you might recognize some of these protocols such as POP, IMAP, and SMTP.  These have commonly been used in messaging applications for years.

What might this look like for your company?

Maybe your emails stopped working completely. Or do they still work on your PC but not on your phone? Perhaps you can no longer send documents from your ERP or accounting software. Are your statements and invoices not going through? Do you use a multi-functional printer in your office? Does it still seem to print but you can’t scan and send, or fax from email? Maybe you have older third-party applications that use your Microsoft credentials to authenticate and they stopped working.

These are some real-world scenarios that range from mildly frustrating to crippling your business.

What do you do?

Get in touch with your IT service company now.

You need to review what your business is doing and which protocols you are using to get it done.

Once the protocols in use are defined, you can re-enable them as previously mentioned.

This is only a temporary fix to get you through the rest of the year. You’ll need to implement Modern Authentication in its place. This might be as simple as changing Microsoft settings, or as complicated as talking with your software providers for update patches that enable more secure authentication.
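One way to do the protocol review described above, as an added example (not code from this article or from Microsoft): it reads a sign-in log export and separates the legacy protocols that accounts actually sign in with from those that only see failed attempts. The CSV column names, the sample rows and the function names are assumptions; the protocol names come from the list above.

```python
import csv
import io
from collections import defaultdict

# Protocols from the article's list, normalised (lowercase, "(...)" dropped).
LEGACY_PROTOCOLS = {
    "authenticated smtp", "autodiscover", "exchange activesync",
    "exchange online powershell", "exchange web services", "imap4",
    "mapi over http", "offline address book", "outlook anywhere",
    "pop3", "reporting web services", "universal outlook",
}

# Constructed sample export; the column names are assumptions.
SAMPLE_CSV = """\
Date,User,Client app,Status
2022-10-03T08:01:12Z,scanner@example.com,Authenticated SMTP,Success
2022-10-03T08:05:40Z,erp@example.com,Authenticated SMTP,Success
2022-10-03T08:07:02Z,alice@example.com,Exchange ActiveSync (EAS),Success
2022-10-03T08:09:30Z,alice@example.com,Browser,Success
2022-10-03T09:00:01Z,alice@example.com,IMAP4,Failure
2022-10-03T09:00:02Z,bob@example.com,IMAP4,Failure
2022-10-03T09:00:03Z,carol@example.com,IMAP4,Failure
"""


def normalise(client_app):
    """Lowercase, collapse spaces, drop a trailing '(...)' such as '(EAS)'."""
    return " ".join(client_app.split("(")[0].lower().split())


def legacy_usage(csv_text, user_col="User", app_col="Client app",
                 status_col="Status"):
    """Return (in_use, failed_only) for the legacy protocols in the export.
    in_use: protocol -> users with a successful sign-in (real dependencies);
    failed_only: protocol -> failed attempts where no sign-in ever succeeded.
    """
    users_ok, failures = defaultdict(set), defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        proto = normalise(row[app_col])
        if proto not in LEGACY_PROTOCOLS:
            continue  # e.g. "Browser": not one of the affected protocols
        if row[status_col].strip().lower() == "success":
            users_ok[proto].add(row[user_col].strip().lower())
        else:
            failures[proto] += 1
    in_use = {p: sorted(u) for p, u in users_ok.items()}
    failed_only = {p: n for p, n in failures.items() if p not in users_ok}
    return in_use, failed_only
```

Protocols that show up only in the failed-attempts result have no successful users in the export, so they are not candidates for the temporary re-enablement.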

If you don’t have an IT company, reach out to us and we’ll give you a quick consultation.  You can schedule a 15-minute meeting on our live calendar.