SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The users most at risk from Microsoft’s mass security step-up
Mon, 12th Sep 2022

The countdown to end basic authentication is about to start, but too many email users remain unprepared.

A technology change three years in the making is finally about to start taking effect: the phasing out of ‘Basic Authentication’ for Outlook, Exchange Online and related services, replaced with a decidedly more modern approach to logging into email.

Microsoft will specifically disable Basic Authentication for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.

The length of the build-up was necessary: Outlook is estimated to have about 400 million users worldwide, so any change to the way they authenticate to their email service is a massive undertaking. Add to that the disruption caused when users are locked out of their email accounts, and there is a lot riding on the change.

Microsoft is fully cognisant of the risks and challenges. “IT and change can be hard,” it said at the start of the month.

Microsoft has also adjusted its own plans. While acknowledging the three years it has spent communicating the authentication switch, it noted that some customers were still not ready.

“This effort has taken three years from initial communication until now, and even that has not been enough time to ensure that all customers know about this change and take all necessary steps,” it said. “Despite multiple blog posts, Message Center posts, interruptions of service, and coverage via tweets, videos, conference presentations and more, some customers are still unaware this change is coming. There are also many customers aware of the deadline who simply haven’t done the necessary work to avoid an outage.”

The result is a short grace period for customers that have not yet made the switch to Modern Authentication, before Microsoft switches Basic Authentication off for good.

That extension may buy some businesses a little time, but having to rely on it is a poor position to be in.

Treat it instead as a last chance to review your environment, find the users and applications that still depend on Basic Authentication, and plan a transition that keeps their email working without interruption.

Reasons to upgrade authentication

It’s worth contemplating why Microsoft is so keen to upgrade the authentication mechanisms for Outlook and Exchange Online in the first place.

The answer to that is user security.

Applications have traditionally connected to servers, services and APIs using basic authentication: the client proves a user’s identity by sending a username and password, typically with every request. Those credentials are often stored on the user’s device so the client can keep reconnecting silently.

As any security-conscious business knows, relying on a password alone to protect access to business systems and data is no longer best practice; it exposes organisations to a wide range of risks.

Passwords are easily guessed, phished or cracked, and people share them or reuse them across many services. Managing all those passwords at an organisational level also puts a burden on understaffed IT teams.

For would-be attackers, working username-password combinations are easy to obtain. Phishing tricks users into handing over their credentials. Automated tools brute-force or password-spray accounts, and basic authentication endpoints are a favourite target because they accept a password with no second factor. Keyloggers on a compromised device simply record every keystroke.

Once a username and password are in an attacker’s hands, every request made with them is treated as legitimate and valid; the server has no way to tell who is behind the keyboard. The Verizon Data Breach Investigations Report 2022 indicates that compromised credentials account for 60% of successful data breaches.

No surprise, then, that Microsoft is keen to enforce a new standard of login security when it comes to email accounts and tenants to raise the bar overall when it comes to user security.

That raised bar is delivered through Modern Authentication. Rather than handing the password to the mail server on every connection, the client obtains an access token from the identity provider (Azure AD, in Microsoft’s case) after an interactive sign-in. Because that sign-in goes through the identity provider, it can demand multiple factors and apply policy that is dynamic and context-aware.

Multi-factor authentication should be part of any modern authentication approach to protecting every employee. It asks people to authenticate with something they have, such as a smartphone app or a hardware security key, in addition to something they know, the username and password.

In addition, instead of blindly trusting an authentication credential that may be used by a malicious actor to impersonate a user, strategies like Zero Trust and risk- and context-based authentication enable informed decisions about who is attempting to access what from where on which device.

Access decisions need to be constantly evaluated against the risk environment to ensure that only the right accounts can gain access to the right resources. Users are given rapid access when security requirements are satisfied. On the other hand, users are requested to increase security by supplying an additional authentication factor when their identity, or reasons for wanting to access a resource, can’t be immediately verified.

If your environment still has elements of Basic Authentication, or you’re unsure, it may be the eleventh hour, but there is still time to check your tenant’s authentication policies and sign-in logs, identify which users and applications still sign in with Basic Authentication, and prepare a migration plan that brings your organisation in line with the new requirements.
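The identification step is where most of the work is. A practical starting point is the Azure AD sign-in log, which labels every sign-in with the client app that made it, and Microsoft documents which of those labels mean legacy (Basic) authentication. The script below is an added example written for this article, not Microsoft’s tooling: it reads an exported sign-in log, keeps only legacy-auth entries, and produces a per-user, per-protocol tally so you know who breaks when the switch is thrown. It assumes records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `clientAppUsed`, `appDisplayName`, `status.errorCode`), which is what the portal’s JSON export gives you; the records embedded in it are constructed sample data, and the function and file names are the author’s own.

```python
"""Triage an exported Azure AD sign-in log for Basic (legacy) authentication use.

Added example, not from the article or from Microsoft. Assumes a JSON array of
records shaped like the Microsoft Graph `signIn` resource. SAMPLE_SIGNINS below
is constructed sample data so the script runs offline.
"""
import json
from collections import defaultdict

# Client-app labels Azure AD uses for legacy (Basic) authentication, per Microsoft's
# Conditional Access documentation. "Authenticated SMTP" is kept even though SMTP AUTH
# is not in the list of protocols Microsoft is disabling, because it is still a
# password-only sign-in and will show up in the same log.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP",
    "Autodiscover",
    "Exchange ActiveSync",
    "Exchange Online PowerShell",
    "Exchange Web Services",
    "IMAP4",
    "MAPI Over HTTP",
    "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service",
    "POP3",
    "Reporting Web Services",
    "Other clients",
}

# Constructed sample log. errorCode 0 is success; 50126 is Azure AD's
# "invalid username or password" result.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@example.com", "clientAppUsed": "Exchange ActiveSync",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "appDisplayName": "Outlook Mobile", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "Exchange Web Services",
     "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
]


def load_signins(path):
    """Load a JSON-array export of the sign-in log (hypothetical path supplied by caller)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def is_legacy(record):
    """True if Azure AD attributed this sign-in to a legacy (Basic auth) client."""
    return record.get("clientAppUsed", "") in LEGACY_CLIENT_APPS


def summarise_legacy_signins(records):
    """Return {user: {clientApp: {"success": n, "failure": n}}} for legacy sign-ins only.

    Failures are kept deliberately: repeated failed IMAP/EAS attempts against an
    account are what password spraying looks like in this log.
    """
    summary = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for rec in records:
        if not is_legacy(rec):
            continue
        outcome = "success" if rec.get("status", {}).get("errorCode", 0) == 0 else "failure"
        summary[rec["userPrincipalName"]][rec["clientAppUsed"]][outcome] += 1
    return {user: dict(apps) for user, apps in summary.items()}


def migration_worklist(summary):
    """Users with at least one successful legacy sign-in: these are the ones who lose mail access."""
    return sorted(user for user, apps in summary.items()
                  if any(counts["success"] for counts in apps.values()))


def format_report(summary):
    """Render the summary as one line per user/protocol, sorted for diffing between runs."""
    lines = []
    for user in sorted(summary):
        for app, counts in sorted(summary[user].items()):
            lines.append(f"{user:<28} {app:<34} ok={counts['success']:<4} failed={counts['failure']}")
    return lines


if __name__ == "__main__":
    tally = summarise_legacy_signins(SAMPLE_SIGNINS)
    print("\n".join(format_report(tally)))
    print("needs migration before cut-off:", ", ".join(migration_worklist(tally)))
```

Run it against a real export by replacing `SAMPLE_SIGNINS` with `load_signins("signins.json")`. In the sample, `bob` and the `svc-backup` service account are the ones that actually stop working when Basic Authentication is disabled; `scanner` only shows failed Exchange ActiveSync attempts, which is a credential-guessing signal rather than a migration item. Once the list is known, the tenant-side control is an Exchange Online authentication policy (`New-AuthenticationPolicy` with the `AllowBasicAuth*` switches left off, applied as the default via `Set-OrganizationConfig -DefaultAuthenticationPolicy`), which lets you turn Basic Authentication off per protocol on your own schedule rather than Microsoft’s.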