Basic Authentication has been the standard for years to connect servers, services and endpoints. By default it is enabled on most servers and services because it is so simple to set up and implement. Applications use basic authentication to send a username and password with every request (often saved on the device) which makes it easier for attackers to capture these credentials. Especially, if TLS protection is not enabled. This in turn, increases the risk that credentials will be tested against other endpoints and services as well. Unfortunately, multi-factor authentication (MFA) isn’t as simple to implement from basic authentication so it’s not used often.
Simply put, there are better and more effective alternatives to basic authentication available today including Zero Trust(i.e. Trust but Verify) or real-time assessment policies to determine who is trying to access data, from where and which device, to determine if there is an imposter.
Microsoft is taking these security threats to basic authentication seriously by rolling out new improvements to data security in Exchange Online, turning off Basic Auth and requiring Modern Authentication.
NOTE: This change only effects Exchange Online NOT the Exchange Server on-premise products. But Microsoft does recommend turning Basic Authentication off, on-premise as well in favor of MFA.
What is Changing
Basic Authentication for Exchange Web Services has been turned off on October 13, 2020. This includes Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell at the same time – October 13, 2020.
Microsoft states:
“We want your help in getting users to move away from apps that use Basic Authentication, to apps that use Modern Authentication. Modern Authentication (which is OAuth 2.0 token based auth) has many benefits and improvements that help mitigate the issues present in Basic Authentication. For example, OAuth access tokens have a limited usable lifetime and are specific to the applications and resources they are issued for so they can’t be re-used. Enabling and enforcing MFA is also very simple with Modern Auth.
Please note this change does not affect SMTP AUTH – we will continue supporting Basic Authentication for the time being. There is a huge number of devices and appliances that use SMTP for sending mail, and so we’re not including SMTP in this change – though we are working on ways to further secure SMTP AUTH and we’ll share more on that in due course. Nor does this change affect Outlook for Windows or Mac assuming they are already configured and using Modern Auth (and they really should be). ”
How This Could Impact You
This change might affect some of your users or apps:
POP and IMAP
In the next few months, Microsoft will be adding OAuth support to both POP and IMAP. However, if you want to keep using these protocols, you’ll need to update the app to one that supports Modern Auth. Microsoft, of course, recommends Outlook – which now has shared mailbox support for iOS and Android – A common reason people have been using POP and IMAP).
Exchange ActiveSync
If Basic Auth is being used, we believe the best mobile device client to use when connecting to Exchange Online is Outlook mobile. Outlook mobile helps you secure your users and your corporate data, and it natively supports Modern Authentication.
