Microsoft has announced the official end of Basic Authentication for Exchange Online in all Microsoft Office 365 tenants, beginning October 1st.
What does that mean for your company’s security? What’s replacing it? How do I prepare? We’ll answer all of these questions for you and keep it non-techie.
How will it affect us if we don’t update?
Well, for starters, any app or device that still signs in with Basic Authentication won't be able to log in. At all.
That sounds drastic! Why end Basic Authentication? Don’t we need that?
Of course, we do. But Basic Authentication is showing its age and is vulnerable to some well-known but effective attacks. Here are two of the attacks you should know about.
According to Microsoft, more than 99% of password spray attacks use legacy authentication. In a spray attack, an attacker takes a long list of usernames and tries a handful of common or default passwords against every one of them, a few attempts per account so that lockout policies never trigger. It works because, unless the IT department mandates a change, plenty of people never move off the default or an easily guessed password, and it only takes one hit.
More than 97% of credential stuffing attacks use legacy authentication. This type of attack uses stolen lists of millions of usernames, email addresses, and passwords. Ever hear on the news about data breaches with millions of accounts compromised? This is one of the things that happens to that breached data. Cyber-criminals sell these lists to the highest bidders. This attack works because so many people use the same passwords on multiple sites.
What’s wrong with Basic Authentication? What is better about Modern Authentication? According to Red Level’s Security & Compliance Consultant, Kevin Loges, “Basic Authentication is pretty much just a handshake: it’s your username and password. If they work, you’re in. Modern Authentication has the capabilities to check other variables, such as whether your location is recognized, or whether you’re coming in from a company device, and are you only allowing company devices?”
Microsoft's replacement for Basic/Legacy Authentication is Modern Authentication, which is built on OAuth 2.0 and Azure AD sign-in and which allows the use of MFA (Multi-Factor Authentication).
What apps and devices are affected? Will any devices or apps continue to use the old authentication?
The most common way you will be affected is on your cell phone. Unless your organization is using MAM (Mobile Application Management) or MDM (Mobile Device Management), you're likely using your phone's built-in mail application, and many of those accounts were set up with a username and password over Exchange ActiveSync, which is Basic Authentication.
That's going to break for a lot of organizations that use email on their cell phones. If your phones connect with Basic Authentication over Exchange ActiveSync, there is a good chance that come October 1st, email on your cell phone will stop working.
Another place it will break is older versions of Microsoft Office. Office 2016 or newer supports Modern Authentication out of the box; anything older needs to be upgraded. SMTP AUTH (the protocol that scanners, printers and line-of-business apps use to send email) is not part of this shutdown and is not going away anytime soon. But some organizations are still reading mail over POP3 and IMAP with Basic Authentication. Those? They're going to break.
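For the IT person who wants to see the exposure for themselves before October 1st, here is an added example (not part of the original post, and not Red Level's or Microsoft's script) that uses the real Exchange Online PowerShell cmdlets to list the mailboxes that can still be reached over POP3, IMAP or Exchange ActiveSync, and then to turn off Basic Authentication for those protocols yourself rather than waiting for Microsoft to do it. The policy name, the pilot addresses and the CSV file path are assumptions made up for the example; SMTP AUTH is deliberately left allowed to match the post above.

```powershell
# Requires the ExchangeOnlineManagement module: Install-Module ExchangeOnlineManagement
# Run as an Exchange administrator; Connect-ExchangeOnline prompts for sign-in.
Connect-ExchangeOnline

# 1. Inventory: which mailboxes still have a legacy protocol switched on?
#    These are the accounts most likely to break on October 1st.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.ActiveSyncEnabled } |
    Select-Object Name, PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled

# Assumed output path for the report that gets handed to whoever owns the migration
$legacy | Export-Csv -Path '.\legacy-protocol-mailboxes.csv' -NoTypeInformation
'{0} mailboxes still have POP3, IMAP or ActiveSync enabled' -f @($legacy).Count

# 2. Create an authentication policy that blocks Basic Authentication.
#    A new policy blocks Basic Auth for every protocol unless you explicitly
#    allow one; only SMTP AUTH is allowed here, for printers/scanners that still
#    need it. Drop the switch once those devices are migrated.
$policyName = 'Block Basic Auth'   # assumed name, pick your own
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName -AllowBasicAuthSmtp | Out-Null
}
# Show exactly what the policy allows before rolling it out
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasic*

# 3. Pilot on a few accounts first. Policies normally take effect within 24 hours;
#    resetting the token validity timestamp makes the change apply right away.
$pilot = 'alice@contoso.com', 'bob@contoso.com'   # constructed sample addresses
foreach ($upn in $pilot) {
    Set-User -Identity $upn -AuthenticationPolicy $policyName
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date).ToUniversalTime()
}

# 4. Once the pilot users' phones and Outlook clients are confirmed working with
#    Modern Authentication, make the policy the tenant-wide default.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

Disconnect-ExchangeOnline -Confirm:$false
```

Run step 1 on its own first; the CSV tells you which users will need their phone accounts re-added with a Modern Authentication sign-in or their Office upgraded. Steps 2 to 4 are the same end state Microsoft will impose on October 1st, done on your schedule instead of theirs.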
So what do we do?
All companies still using Basic Authentication need to do this. It's not a "nice-to-have"; the end of life for Basic Authentication is coming on October 1st. Contact a trained, certified IT company like Red Level to assess your security. We can quickly tell you what is needed to prepare for the changeover. For example, Conditional Access policies require an Azure AD Premium P1 license, which is included in Microsoft 365 Business Premium, so you may need to upgrade your plan to use them. Microsoft says that with MFA (Multi-Factor Authentication) turned on, your accounts are more than 99.9% less likely to be compromised.
Call us or contact us today and we can give you a quick assessment and help you prepare.