CISA Urges Adoption of Microsoft Modern Auth

The Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies and private organizations to switch to Modern authentication in Exchange Online before the deadline of October 1, 2022.

Microsoft will begin permanently disabling Basic authentication, a legacy authentication method that requires the user’s password to be sent with each authentication request, on that date. Beginning in early 2021, Microsoft had already begun deprecating Basic authentication for existing Exchange Online tenants with no reported usage, the company said.

Modern authentication provides security features like multifactor authentication (MFA) and security assertion markup language (SAML), both of which are critical to preventing account takeover attacks against users who rely on a potentially weak or compromised username/password.

For the enterprise, enforcing MFA and providing integration with SSO providers by using SAML is crucial to securing employee accounts.

CISA noted that Basic auth does not support MFA, which is required for FCEB agencies per Executive Order 14028.

The advisory said federal agencies should first determine their use of Basic auth and migrate users and applications to Modern auth. After completing the migration to Modern auth, agencies should block Basic auth.

Microsoft’s Disable Basic Authentication in Exchange Online documentation provides additional guidance for agencies and organizations making the switch.
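As an added illustration of the determine-then-block steps the advisory describes (this is example code, not from the CISA advisory or Microsoft’s documentation), the following Exchange Online PowerShell session inventories mailboxes that still have legacy protocols enabled, then applies a Basic-auth-blocking authentication policy to a pilot user before making it the tenant default. The tenant, account names and policy name are placeholders; the ExchangeOnlineManagement module and an Exchange administrator account are assumed.

```powershell
# Added example, not taken from the CISA advisory or Microsoft's documentation.
# Requires the ExchangeOnlineManagement module and an Exchange administrator
# account. "admin@contoso.example", "pilot@contoso.example" and the policy
# name are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Step 1: determine where legacy protocols are still enabled. Mailboxes with
# POP/IMAP enabled, or with SMTP AUTH not explicitly disabled ($null means the
# mailbox inherits the tenant setting), are the candidates that may still
# depend on Basic auth; the sign-in logs show which ones actually use it.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Export-Csv -Path .\legacy-protocol-mailboxes.csv -NoTypeInformation

# Step 2 (migrating the applications found above to Modern auth) happens on
# the client side and is not scriptable here.

# Step 3: block Basic auth. New-AuthenticationPolicy leaves every AllowBasicAuth*
# switch at $false when none is specified, so a bare policy blocks all protocols.
$policy = New-AuthenticationPolicy -Name "Block Basic Auth"
Get-AuthenticationPolicy -Identity $policy.Identity | Format-List Name, AllowBasicAuth*

# Apply to a pilot user first. Resetting the refresh-token validity makes the
# policy take effect promptly instead of waiting for normal propagation.
Set-User -Identity pilot@contoso.example -AuthenticationPolicy $policy.Identity
Set-User -Identity pilot@contoso.example -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Once the pilot runs clean, make the policy the tenant default so every user
# without an explicit per-user policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity

# Verify the result.
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy
Get-User -Identity pilot@contoso.example | Format-List AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Any mailbox listed in the CSV that still needs SMTP AUTH for a device such as a printer is a candidate for the on-premises relay approach discussed later in the article rather than an exception to the policy.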

Disable Basic Auth

“Basic auth is most likely used by legacy applications or custom-built business applications,” the advisory noted. “Many user-facing applications, such as Outlook Desktop and Outlook Mobile App, have already been moved to Modern auth by agency implementation of Microsoft security updates.”

Aaron Turner, CTO, SaaS Protect at Vectra, an AI cybersecurity company, explained that Microsoft’s move to disable basic authentication in Exchange Online is a great thing for securing the Microsoft cloud ecosystem, as he has seen legacy protocols relying on basic authentication used to bypass multifactor authentication controls.

“Microsoft has provided some great guidance on how organizations should go about preparing to shift legacy applications away from the use of basic authentication, but in large organizations with a long tail of legacy applications and infrastructure, there are bound to be interruptions,” he added.

Turner explained that some of his company’s customers have been strategizing workarounds for situations where hardware limitations prevent the use of Modern authentication for sending email.

For example, older printers are probably the largest set of systems that will not support modern authentication for email protocols.

In those cases, he said, customers have explored the possibility of setting up a dedicated hardened SMTP relay (for example, with any of the Linux email server distributions) within the on-premises network, using IP restrictions to only allow those printers to access that legacy SMTP relay. Then, the next step is to build a modern authentication-capable connection to the Exchange Online environment from that hardened on-premises SMTP relay, Turner explained.

“The same approach could be used with legacy applications which are no longer maintained and cannot be upgraded to Modern authentication,” he said. “While time-consuming and adding additional layers of complexity to the overall IT environment, the benefits of eliminating Basic authentication are worth it.”

Hardening Exchange Email Users

Turner explained that moving to a posture of disabling Basic authentication by default essentially hardens all email users who rely on Microsoft Exchange Online.

This will make it more difficult for attackers to simply scrape a username and password from a vulnerable mobile device or browser session and then replay those credentials against the legacy Basic authentication interfaces to gain access to users’ inboxes through protocols like IMAP.

“Depending upon the number of legacy applications or the breadth of the use of legacy hardware that cannot support modern authentication, this can result in lengthy and costly changes. But these should be viewed as improvements that should have been made decades ago,” he said.

Patrick Tiquet, vice president of security and architecture at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that since the workforce has become more distributed, it can be more of a challenge to securely distribute passwords, keys and authentication information over the internet.

“As a result, there are more opportunities for credentials to be leaked or stolen,” he said. “This is evidenced by the huge databases of leaked credentials available for download on the internet.”

From his perspective, a simple username and password is no longer secure, especially if those credentials have been re-used for multiple websites or services.

“MFA is an absolutely essential part of securing access to online services,” he said. “Because of the increase of a distributed workforce, MFA is now more important than ever.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
