Users most at risk from Microsoft’s mass security tightening

The countdown to ending basic authentication is about to begin, but too many email users are still unprepared.

A technology change that’s been in the works for three years is finally about to start taking effect: the phasing out of “basic authentication” for Outlook, Exchange Online and related services, replaced by a decidedly more modern approach to login to email.

Microsoft will specifically disable Basic Authentication for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell.

The preparation time was necessary: ​​it is estimated that Outlook has around 400 million users worldwide. Any change to how they authenticate to their email service is just a colossal undertaking. Add to that the angst caused when users get locked out of their email accounts, and there’s a lot to be done about change.

Microsoft is fully aware of the risks and challenges. “IT and change can be tough,” he said earlier this month.

The seller also made another change of its own. While acknowledging the three years spent communicating the authentication switch, he noted that there were still customers who weren’t ready.

“This effort has taken three years from initial communication to now, and even that hasn’t been enough to ensure all customers are aware of this change and take all necessary steps,” he said. -he declares. “Despite multiple blog posts, message center posts, service disruptions, and coverage via tweets, videos, conference presentations, and more, some customers are still unaware of this upcoming change. There are also many delay-aware customers who simply haven’t done the work necessary to avoid a breakdown.

The result is a bit more wiggle room to allow customers to switch to modern authentication, before Microsoft disables basic authentication.

While this may save some businesses some time, it would be undesirable to have to rely on this interim measure.

Instead, it should be considered far more preferable to treat this as a last resort opportunity to expedite a review of your environment to determine if you have any users who may be impacted by the change and, if so, is the case, develop a transition strategy that ensures they can continue to communicate via email without interruption.

Reasons to Upgrade Authentication

It’s worth wondering why Microsoft is so keen on upgrading the authentication mechanisms for Outlook and Exchange Online in the first place.

The answer to this is user security.

Applications traditionally connect to servers, services, and APIs using basic authentication – the practice of verifying the identity of someone logging into a service or application with a user name. user and a password. These credentials are also frequently saved on the user’s device.

As any security-conscious company knows, relying on passwords to protect access to corporate systems and data is no longer considered best practice. Instead, it exposes organizations to a wide range of risks.

Passwords are notorious for being easily compromised or broken, and people tend to make mistakes like sharing these credentials or using them across many platforms. Additionally, managing all those passwords at the organizational level places a burden on understaffed IT teams.

For would-be attackers, functional username-password combinations are easy to obtain. Scammers often use phishing to trick users into handing over their basic authentication credentials. They also use sophisticated tools to carry out brute force attacks to create random passwords and determine your login credentials. Additionally, it is possible to use keyloggers to record every keystroke made on the keyboard.

Once a username and password have been obtained, every transaction made with the credentials will be considered legitimate and valid, even if the credentials are in the wrong hands. The Verizon Data Breach Investigations 2022 report indicates that compromised credentials account for 60% of successful data breaches.

So it’s no surprise that Microsoft wants to implement a new login security standard when it comes to email accounts and tenants to raise the bar on user security.

This raised bar must be delivered through the adoption of modern authentication. This will inevitably involve the use of multiple factors, but will also be more dynamic and context sensitive.

Multi-factor authentication should be part of a modern authentication approach to protect every employee. It requires users to authenticate with something they own – a smartphone or hardware authentication device – in addition to username and password.

Additionally, instead of blindly trusting an authentication credential that can be used by a malicious actor to impersonate a user, strategies such as Zero Trust and risk and context-based authentication allow make informed decisions about who is trying to access what from where on what device. .

Access decisions must be constantly evaluated against the risk environment to ensure that only the right accounts can access the right resources. Users get quick access when security requirements are met. On the other hand, users are asked to increase security by providing an additional authentication factor when their identity, or the reasons for wanting to access a resource, cannot be immediately verified.

If your environment still contains basic authentication elements, or if you are unsure, this may be the last hour, but there is still time to analyze your tenant configuration, identify uses of basic authentication and prepare a migration plan to ensure your organization is compliant with the latest security requirements.

Comments are closed.