Basic authentication has, for many years, been the security protocol for a variety of applications. As apps connect to servers, they usually send a username and password request, and this information is most likely stored on the device. This comes as default on most servers and is simple to set up. The caveat is that it can expose confidential user data, making it easier for hackers to find, increasing the risk of the stolen credentials being used at other endpoints or services.
Ineffectiveness of basic authentication and possible alternatives
Considering the increasing number of cyber-attacks in the UK, basic authentication has become an outdated industry standard. There are better alternatives to ensure robust data security. For instance, deployment of multifactor authentication (MFA) may help, but in most cases, set-up requires basic authentication to remain enabled.
Another alternative would be to implement a Zero Trust security model. This security framework requires all users (internal staff or visitors) to be authenticated, authorized, and continuously verified before being granted access to an organisation’s data and applications. A Zero Trust policy is critical in mitigating cyber security issues in today’s modern digital transformation, including the security of remote workers, hybrid cloud platforms, and ransomware threats.
Switching from basic authentication in Exchange Online
Effective on October 1 2022, Microsoft turned off Basic authentication in Exchange Online for various applications. They include Exchange ActiveSync (EAS), IMAP, POP, Remote PowerShell, Offline Address Book (OAB), Exchange Web Services (EWS), and Outlook for Windows and Mac. It will also disable SMTP AUTH for all users not currently using it.
How might the deprecation of basic authentication impact your organisation?
The changes will affect any applications that use basic authentication. If you are using the latest version of Microsoft Outlook, the change won’t affect you, however, if you use built-in mail apps, you will need to switch as soon as possible. There are multiple applications that support MFA, however, Akita recommends transitioning to Microsoft Outlook. There are likely other applications your organisation uses that may use basic authentication, and Akita can support in updating or replacing these too.
Remote PowerShell
If you use Remote PowerShell to access Exchange Online, you should consider switching some of your daily usages to the PowerShell within Azure Cloud Shell.
POP, IMAP, and SMTP AUTH
Most organizations using POP, IMAP, and SMTP AUTH already have the latest OAuth 2.0 support. However, more updates have been made to support various authentication types to allow users with the latest version to configure their authentication programs to include OAuth.
Exchange ActiveSync (EAS)
The change in EAS will mostly impact mobile users who use Basic authentication. Microsoft recommends they switch to Outlook for iOS and Android to access Exchange Online. That’s because Outlook integrates with Microsoft Enterprise Mobility and Security, adding conditional access and app protection capabilities.
Exchange Web Services (EWS)
Many apps have been created using EWS to access mailbox and calendar data. Microsoft halted feature updates for EWS, and thus, it is advisable to switch to Microsoft Graph. For any apps that haven’t been moved to Graph, you can use Modern authorization with EWS.
Outlook, MAPI, RPC, and Offline Address Book
Outlook for Windows uses Modern authentication, but RPC (Outlook Anywhere) has been deprecated in Exchange Online. Instead of that, users have to switch to MAPI over HTTP. Outlook uses MAPI for EWS, OAB, and HTTP for various functions, including mail access, setting free/busy or out of office, and OAB downloads.
In the now tech-rich business world, huge amounts of data are stored online, increasing the risk of attacks. Basic authentication doesn’t guarantee your security, so its depreciation in Exchange Online eventually increases security for your personal information and business data.
For more info on how Akita can support in updating or replacing your business applications:
Find Out More
