Before we discuss the different kinds of authentication, let us first understand what authentication is. Authentication is the process of verifying a user or device before allowing access to a system or its resources. In practice, it means that a user or device must authenticate itself by providing registered login credentials. The system then verifies those credentials against the credentials stored in its database. If they match, the user can log into the account.
What Is Modern Authentication and Basic Authentication?
Basic Authentication is an old and very simple authentication service developed by Microsoft. It was developed to provide an easy login interface for users while keeping their accounts secure. It allows users to sign into their Microsoft email accounts and applications with just a login ID and password. When users enter their login credentials, the application stores those credentials in its settings.
Modern Authentication is an umbrella term for several authorization and authentication protocols, namely SAML, WS-Federation, and OAuth. Modern Authentication enables the use of multi-factor authentication (MFA), which adds multiple layers of security. In Modern Authentication, users still log into their accounts with a login ID and password. These login credentials are used to identify the user and to generate a temporary token for access. Once this token is verified at both ends, the user is permitted to access the account.
Why Is It Important to Shift to Modern Authentication?
Today, cyberattacks are a critical threat to organizations. As more people have started to work remotely and cloud computing has become the standard across industries, the threat landscape has expanded exponentially in recent years. It is hard to go a single day without hearing about yet another data breach, a phishing incident, or some other form of security nightmare.
One of the most common cyberattacks is the Password Spray Attack. It is a powerful attack in which the attacker tries many usernames with a list of common passwords against a target system to see whether any combination works. Given enough username and password combinations, some account credentials are exposed.
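As an added example (not code from the original article), the following Python script shows how a defender can spot the password-spray pattern just described in sign-in logs: one source failing against many different accounts within a short window, which per-account lockout alone does not catch. The log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log lines (not from the original page): time, source IP, user, result.
# 203.0.113.7 fails once against five different accounts in seconds, then succeeds on one.
SAMPLE_LOG = """\
2022-09-01T10:00:01Z 203.0.113.7 alice@example.com FAILURE
2022-09-01T10:00:03Z 203.0.113.7 bob@example.com FAILURE
2022-09-01T10:00:05Z 203.0.113.7 carol@example.com FAILURE
2022-09-01T10:00:08Z 203.0.113.7 dave@example.com FAILURE
2022-09-01T10:00:10Z 203.0.113.7 erin@example.com FAILURE
2022-09-01T10:00:12Z 203.0.113.7 frank@example.com SUCCESS
2022-09-01T10:01:00Z 198.51.100.9 alice@example.com FAILURE
2022-09-01T10:01:30Z 198.51.100.9 alice@example.com FAILURE
2022-09-01T10:02:00Z 198.51.100.9 alice@example.com SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

def parse_signins(text):
    """Return (timestamp, source_ip, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that does not fit the constructed format
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> sorted usernames for sources whose failed sign-ins hit at least
    `min_users` distinct accounts inside any `window` (each account sees only one failure)."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures[ip].append((ts, user))
    suspects = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past old failures
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                suspects[ip] = sorted(users)
                break
    return suspects

def spray_successes(events, suspects):
    """Accounts a flagged source then signed into: reset and review these first."""
    return sorted({u for _, ip, u, r in events if ip in suspects and r == "SUCCESS"})
```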
As Basic Authentication does not support various levels of permissions, accounts become extremely vulnerable to such cyberattacks. Basic Authentication has other limitations as well:
- Authentication headers are included in every request, so every request is another opportunity to capture the credentials.
- Usernames and passwords can be cached in the browser, providing yet another point of vulnerability.
- Basic Authentication does not support scoping or grading permissions, so any application that holds the user's login credentials gains potential access to all data.
Hence, the need for Modern Authentication has become inevitable. With multiple layers of authentication, a username and password alone are not enough to gain access to an account; users must also pass through additional levels of authentication. Modern Authentication provides other benefits as well:
- Modern Authentication uses protocols like OAuth 2.0 to allow admins and users to fine-tune authentication policy and better control access to resources.
- It allows admins to set privileges, thereby maintaining the data integrity of the accounts.
- It supports a One-Time Password (OTP) system, in which an auto-generated PIN is valid for only one login session.
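To make the contrast between the Basic Authentication limitations above and a token-based scheme concrete, here is an added Python example (not code from the original article or from Microsoft) that inspects an Authorization header: a Basic header hands over the reusable password on every request, while a bearer token carries an expiry and a scope. A JWT-style token with claim names `sub`, `exp` and `scp` is assumed, and the sample headers are constructed.

```python
import base64
import binascii
import json
import time

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def inspect_authorization(header, now=None):
    """Classify an Authorization header value the way a defender reviewing traffic would.
    Basic: the reusable username:password is recoverable by anyone who sees the request.
    Bearer: a JWT-style token (assumed format) carries an expiry and scopes; claims are
    decoded for inspection only, a server must verify the signature before trusting them."""
    now = time.time() if now is None else now
    scheme, _, value = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            user, _, _password = base64.b64decode(value, validate=True).decode().partition(":")
        except (binascii.Error, UnicodeDecodeError):
            return {"scheme": scheme, "error": "malformed"}
        return {"scheme": scheme, "subject": user, "expires": None, "scopes": None,
                "expired": False, "reusable_secret_exposed": True}
    if scheme == "bearer":
        parts = value.split(".")
        if len(parts) != 3:
            return {"scheme": scheme, "error": "not a JWT"}
        try:
            claims = json.loads(_b64url_decode(parts[1]))
        except (binascii.Error, ValueError):
            return {"scheme": scheme, "error": "malformed"}
        exp = claims.get("exp")
        return {"scheme": scheme, "subject": claims.get("sub"), "expires": exp,
                "scopes": claims.get("scp", "").split(),
                "expired": exp is None or exp <= now, "reusable_secret_exposed": False}
    return {"scheme": scheme, "error": "unsupported"}

# Constructed sample headers (not from the page): a Basic header for alice, and a JWT whose
# payload is scoped to reading mail, with a placeholder signature no server would accept.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice@example.com:example-passw0rd").decode()
_PAYLOAD = json.dumps({"sub": "alice@example.com", "exp": 1662026400, "scp": "Mail.Read"}).encode()
BEARER_HEADER = ("Bearer eyJhbGciOiJSUzI1NiJ9."
                 + base64.urlsafe_b64encode(_PAYLOAD).decode().rstrip("=") + ".placeholder-sig")
```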
Types of Modern Authentication Methods
There are several types of Modern Authentication methods.
- Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of protection to your accounts. 2FA requires two factors of authentication:
  - Username and password
  - A security token or smart card
- Three-Factor Authentication
Three-factor authentication (3FA) adds a third layer of protection to your accounts. 3FA requires three factors of authentication:
  - Username and password
  - A security token or smart card
  - Touch ID or other biometrics
- One-Time Password
One-Time Password (OTP) auto-generates a one-time PIN that is valid for a single login session. When users enter their login credentials, the application sends an OTP to their registered phone or email. Users must enter that code to complete the authentication and gain access to their account.
- Certificate-Based Authentication
Certificate-based authentication (CBA) uses a digital certificate to identify and authenticate a user, device, or machine. A digital certificate, also known as a public-key certificate, is an electronic document that contains a public key together with information about the key, its owner, and the digital signature that verifies the identity.
- Biometric Authentication
Biometric authentication uses biometrics such as fingerprints, retinal scans, and facial scans to confirm a user's identity. Once users present their biometric credentials, the system compares them with the biometric data in its database. If the credentials match, users can log into their accounts.
With so many authentication types, Modern Authentication has become unarguably the most powerful authentication service for modern businesses. Switching to Modern Authentication can help users protect their accounts from cyberattacks.
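The one-time PIN lifecycle described under One-Time Password above, as an added Python example (not code from the original article): the PIN is generated from a cryptographic random source, only a hash of it is stored, and it is accepted once at most, only before its expiry and only within a small guess budget. The TTL and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime of a freshly issued PIN (one login session)
MAX_ATTEMPTS = 5       # assumed guess budget before the PIN is burned

class OtpStore:
    """Issue one-time PINs and accept each at most once, within its lifetime."""

    def __init__(self):
        self._pending = {}  # user -> (pin_hash, expires_at, attempts_left)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"  # 6-digit PIN from a CSPRNG
        self._pending[user] = (self._hash(user, pin), now + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return pin  # in practice delivered to the registered phone or email, not returned

    def verify(self, user, pin, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing issued, or already used
        pin_hash, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self._pending.pop(user, None)  # expired or guess budget exhausted: burn it
            return False
        if hmac.compare_digest(pin_hash, self._hash(user, pin)):
            self._pending.pop(user)  # single use: the same PIN is never accepted again
            return True
        self._pending[user] = (pin_hash, expires_at, attempts_left - 1)
        return False

    @staticmethod
    def _hash(user, pin):
        # Binds the PIN to the user; with only a million possible PINs the hash limits
        # rather than prevents offline guessing, so the short TTL and attempt budget matter.
        return hashlib.sha256(f"{user}:{pin}".encode()).hexdigest()
```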
What Will Be the Impact of Disabling Basic Authentication?
Soon Microsoft will be disabling Basic Authentication, as it supports only a single layer of protection. Users who still rely on Basic Authentication will then not be able to log into their Microsoft Exchange email accounts. Additionally, other Exchange protocols that depend on Basic Authentication will also be deprecated.
Impact of disabling Basic Authentication on other Microsoft Exchange authentication protocols
These are the other Microsoft Exchange protocols that can use Basic Authentication.
- POP
POP (Post Office Protocol) is an Internet-standard application-layer protocol that local email clients use to retrieve email from a remote server over a TCP/IP connection. When Basic Authentication is disabled, POP clients that rely on it will no longer be able to retrieve email from the server.
- IMAP
IMAP (Internet Message Access Protocol) enables remote users to access their email directly on the server and read it on any device, from any location. Disabling Basic Authentication will prevent IMAP clients that rely on it from accessing email on the server.
- SMTP AUTH
SMTP AUTH is an extension of the Simple Mail Transfer Protocol (SMTP) that allows users to log into their accounts using any authentication mechanism supported by the server. SMTP AUTH will still be available even after Basic Authentication is disabled, because many multi-function devices such as printers and scanners cannot be updated to use Modern Authentication. It is still highly recommended to stop using SMTP AUTH with Basic Authentication, as it will no longer receive any security updates.
- Exchange ActiveSync (EAS)
Exchange ActiveSync (EAS) is an Exchange synchronization protocol that allows users to synchronize their Exchange mailbox with a mobile device. Disabling Basic Authentication will prevent users from synchronizing their mailbox with a mobile device, which means they will not be able to see their received emails on that device.
- Exchange Web Services (EWS)
Exchange Web Services (EWS) is a cross-platform API that enables applications to access mailbox items such as email messages, meetings, and contacts from Exchange Online or on-premises versions of Exchange. It also allows users to migrate Exchange data to a third-party host in the cloud. Disabling Basic Authentication will prevent users from registering new applications with EWS, and users will not be able to migrate their mailboxes to a third-party cloud.
- Autodiscover
Autodiscover is a feature that automatically discovers which Exchange server holds a user's mailbox and configures the Outlook client to connect to that server. Disabling Basic Authentication will prevent Autodiscover from locating the server on which the user's mailbox resides.
Can Organizations Still Use Microsoft Exchange Accounts?
To be able to keep using Microsoft Exchange, organizations must follow one of the following methods.
Temporarily re-enable Basic Authentication for your organization
You can re-enable Basic Authentication in your tenant by using the self-service diagnostic:
- Go to the Microsoft 365 admin center.
- Click the Help & support button in the bottom right-hand corner of the screen.
- Clicking the Help & support button opens the self-help system. Enter the phrase Diag: Enable Basic Auth in EXO and then run the tests. The test results will look like the following (results vary depending on what has been disabled for your organization):
- Enable Basic Authentication for each protocol you need (one at a time). Within an hour, it will start working again.
Re-enabling Basic Authentication for a protocol makes users' data more vulnerable to security risks.
Stop Using Basic Authentication Permanently
- Go to the Microsoft 365 admin center.
- Navigate to Settings.
- Select Org Settings > Modern Authentication and uncheck the boxes to block Basic Authentication for all protocols.
Soon Microsoft will also be disabling the option to re-enable Basic Authentication, as it exposes users' accounts to various security threats. It is highly recommended to switch to Modern Authentication as soon as possible to safeguard your Exchange accounts.
Summary of Timelines and Actions
Refer to the following flow chart to help illustrate the changes and actions that you might need to take:
[Flow chart: Basic Authentication Deprecation in Exchange Online – September 2022 Update]
Apps4Rent Can Help with Exchange Online Services and Mail Client Issues
With increasing security threats, shifting to Modern Authentication has become an absolute necessity. Modern Authentication is not only safer than Basic Authentication, but it is also more user-friendly and simplifies the tasks of administrators.
As a Microsoft Gold Partner, Apps4Rent can help safeguard your Exchange email accounts by shifting them to Modern Authentication. If you or your users are facing any issues related to Exchange Online services or mail clients, you can always contact our support team for further assistance or information.