Microsoft has announced that the Basic Authentication option for Exchange Online will be disabled starting Oct. 1, 2022.
Basic authentication is a security problem for any service, not just Exchange Online. Microsoft is in a difficult position because its products are spread across all markets and often share the same credentials. That’s one reason criminals go after these types of credentials so often.
Because the decision affects so many people and enterprises, Microsoft gave everyone a year before it actually starts to turn it off for everyone. Even so, many companies will likely have to deal with Microsoft’s decision after Oct. 1, 2022.
“Basic authentication in Exchange Online uses a username and a password for client access requests,” said Microsoft. “Blocking Basic authentication can help protect your Exchange Online organization from brute force or password spray attacks. When you disable Basic authentication for users in Exchange Online, their email clients and apps must support modern authentication.”
Of course, this doesn’t mean that people won’t be able to log in into their services, just that they will have to use extra layers of security, such as multi-factor authentication. This measure alone will force criminals to look for other ways to steal credentials. Since basic authentication will be useless on its own, these types of attacks will likely diminish.
Products affected by the change include the following:
- Outlook 2013 or later (Outlook 2013 requires a registry key change. See Enable Modern Authentication for Office 2013 on Windows devices for more information.)
- Outlook 2016 for Mac or later
- Outlook for iOS and Android
- Mail for iOS 11.3.1 or later
Companies with no legacy clients can use authentication policies in Exchange Online to disable Basic authentication requests, which forces all client access requests to use modern authentication.
Basic authentication is also used in several other related services and protocols, such as IMAP4, POP3, Authenticated SMTP, and even PowerShell. The scope of the solution proposed by Microsoft is difficult to quantify, but it will affect numerous companies and users. The good news is that it will help create a safer online world.