Microsoft and Google postpone insecure authentication removal


Microsoft says that Basic Authentication’s removal from Exchange Online is being postponed until the second half of 2021 due to the current situation created by the COVID-19 pandemic.

“In response to the COVID-19 crisis and knowing that priorities have changed for many of our customers we have decided to postpone disabling Basic Authentication in Exchange Online for those tenants still actively using it until the second half of 2021,” Microsoft’s Exchange team announced.

However, starting October 2020, Microsoft will still automatically disable Basic Authentication for all newly created tenants and on those where it is not actively used.

“We will also continue to complete the roll-out of OAuth support for POP, IMAP, SMTP AUTH and Remote PowerShell and continue to improve our reporting capabilities,” Microsoft said.

“We still intend to move our customers away from Basic Authentication as we still very strongly believe improving security in Exchange Online benefits all of us, and so we’ll announce more accurate timelines for disabling Basic Authentication for tenants with usage at a later date.”

Previously planned removal in October 2020

Microsoft previously announced that Basic Authentication would be turned off in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell starting on October 13, 2020.

That announcement followed an earlier one, made in July 2018, about Redmond’s plans to stop supporting and fully decommission Basic Authentication in the Exchange Web Services (EWS) API for Office 365.

Basic Authentication (also known as proxy authentication or legacy authentication) is the process by which desktop and mobile apps send a username/password pair with every request they make to servers, endpoints, or online services, with the user’s credentials often stored locally on the device.

Even though it greatly simplifies the authentication process, Basic Authentication makes it much easier for attackers to steal credentials, especially when they are sent over unencrypted channels. Worse, where it is turned on, “multi-factor authentication (MFA) isn’t easy to enable when you are using Basic Authentication and so all too often it isn’t used.”

By disabling Basic Authentication and allowing only Modern Authentication in Exchange Online, Microsoft aims to mitigate these security issues.

Microsoft recommends enabling Modern Auth

Modern Authentication, which in practice means Active Directory Authentication Library (ADAL) and OAuth 2.0 token-based authentication, lets apps use OAuth access tokens that have a limited lifetime and cannot be reused against other resources.

Once Modern Auth is turned on, enabling and enforcing MFA also becomes much simpler, which directly improves data security in Exchange Online.


To disable Basic Auth in Exchange Online ahead of its decommissioning, you have to create authentication policies and assign them to individual users, following the procedure detailed on Microsoft’s Exchange Online support website.
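As an added example that is not part of the original article or Microsoft’s documentation, the following Exchange Online PowerShell session shows the shape of that procedure: enable Modern Auth for the tenant, create an authentication policy that blocks Basic Auth, assign it to a pilot user, verify it, and then make it the tenant default. It assumes the ExchangeOnlineManagement module is installed; the admin account, the pilot user, and the policy names are placeholders.

```powershell
# Added example (not from the article or Microsoft's docs): block Basic
# Authentication in Exchange Online with an authentication policy.
# Assumptions: ExchangeOnlineManagement module installed; the accounts and
# policy names below are placeholders for your own tenant.

# Connect to Exchange Online PowerShell (interactive, MFA-capable sign-in).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Make sure Modern Authentication (OAuth 2.0) is enabled for the tenant, so
# clients have something to fall back to once Basic Auth is blocked.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
Get-OrganizationConfig | Format-List OAuth2ClientProfileEnabled

# A new authentication policy blocks Basic Auth for every protocol by default
# (EAS, IMAP, POP, SMTP AUTH, EWS, Remote PowerShell, ...); a protocol is only
# permitted if the matching -AllowBasicAuth* switch is given.
New-AuthenticationPolicy -Name "Block Basic Auth"

# Inspect which protocols the policy still permits (all should be False).
Get-AuthenticationPolicy -Identity "Block Basic Auth" | Format-List AllowBasicAuth*

# Assign the policy to one pilot user first, then confirm the assignment.
Set-User -Identity pilot.user@contoso.example -AuthenticationPolicy "Block Basic Auth"
Get-User -Identity pilot.user@contoso.example | Format-List AuthenticationPolicy

# Policy changes can take up to 24 hours to be enforced; invalidating the user's
# existing refresh tokens makes the change apply at their next sign-in.
Set-User -Identity pilot.user@contoso.example -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)

# Once the pilot shows no legitimate client broke, make the policy the
# tenant-wide default so every user without an explicit policy inherits it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# If one protocol must stay on temporarily (for example a legacy device that
# only speaks SMTP AUTH), create a separate, narrower policy for just those
# accounts instead of weakening the default one.
New-AuthenticationPolicy -Name "Allow SMTP Basic Auth Only" -AllowBasicAuthSmtp
```

Rolling the blocking policy out to a pilot group before setting it as the default is what makes the change safe to reverse: a user who still needs a legacy protocol can be moved to the narrower policy with `Set-User -AuthenticationPolicy` without touching anyone else.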

A document on enabling Modern Auth in Exchange Online also says that, at the moment, “modern authentication is enabled by default in Exchange Online, Skype for Business Online and SharePoint Online.”

“Disabling Basic Authentication and requiring Modern Authentication with MFA is one of the best things you can do to improve the security of data in your tenant, and that has to be a good thing,” Microsoft explains.

“The last thing to make clear – this change only affects Exchange Online, we are not changing anything in the Exchange Server on-premises products.”

Google also delayed disabling G Suite legacy auth

Google had also announced in December 2019 that it would block less secure apps (LSAs) from accessing G Suite accounts’ data starting in February 2021, but the company now says that the LSA turn-off is on hold until further notice.

That decision followed the removal of the “Enforce access to less secure apps for all users” setting from the Google Admin console in October 2019.

“As many organizations deal with the impact of COVID-19 and are now focused on supporting a remote workforce, we want to minimize potential disruptions for customers unable to complete migrations in this timeframe,” Google said on March 30.

“As a result, we are suspending the LSA turn-off until further notice. All previously announced timeframes no longer apply.”

LSAs are non-Google apps that access Google accounts using username/password pairs, which is what Microsoft describes as Basic Authentication, and they expose the users who rely on them to account hijacking attacks.

Google previously planned to completely block LSAs’ access to all G Suite accounts and advised developers to update all their apps to use OAuth 2.0 to maintain G Suite account compatibility.

Google also advises users to migrate to applications that support OAuth, as it protects their accounts from hijacking attacks.

The information is gathered from Bleeping Computer.