Last Friday Microsoft announced that they are getting rid of Basic Authentication in Exchange Online and we think this is excellent news. For years, their client apps have used Basic Authentication, where the application sends a username and password with every request, to connect to servers, services and endpoints.
In 2018 they announced they were turning off Basic Authentication for Exchange Web Services on October 13, 2020. But writing on the Exchange Team blog on Friday, Microsoft announced that they were also going to turn off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell on October 13, 2020.
"Simplicity isn’t at all bad in itself, but Basic Authentication makes it easier for attackers armed with today’s tools and methods to capture users’ credentials (particularly if not TLS protected), which in turn increases the risk of credential re-use against other endpoints or services. Multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication and so all too often it isn’t used.
"Simply put, there are better and more effective alternatives to authenticate users available today, and we are actively recommending to customers to adopt security strategies such as Zero Trust (i.e. Trust but Verify) or apply real time assessment policies when users and devices are accessing corporate information. This allows for intelligent decisions to be made about who is trying to access what from where on which device rather than simply trusting an authentication credential which could be a Bad Actor impersonating a user."
Bridgeway Managing Director Jason Holloway says: “It’s great to see such an influential organisation come to realise the inherent dangers of basic authentication and the improved productivity and security afforded by modern authentication. Zero Trust and password-less authentication are here to stay. The challenge is of course enabling this for a modern, mobile workforce needing to access multiple cloud services (not just O365) and legacy on-premise solutions. Whilst that requires more effort, it also delivers even greater benefits. It’s where we can add significant value too.”
The changes happening here might well affect some of your users or apps, and Microsoft have provided some additional information on Remote PowerShell, POP and IMAP, Exchange ActiveSync and how to assess client impact. Regarding the latter, they say they are going to make a new tool available.
However, Bridgeway's experts are here to help you navigate the changes smoothly and safely. We already work with organisations that are adopting a Zero-Trust, password-less approach to their information security and we'd be more than happy to discuss how we can help you too.
Please get in touch now via Live Chat or call 01223 979 090 and speak to a member of our team. Alternatively, email firstname.lastname@example.org