Industry News

Important: Microsoft to disable Basic Authentication

As part of their move to security defaults (a pre-configured set of security settings rolled out to users as standard), Microsoft is disabling Basic Authentication (Basic Auth) on all its hosted services, a move designed to protect organisations from cyberattacks.

They initially announced they would be disabling Basic Authentication in 2020 but postponed this timeline due to the number of legacy systems still reliant on Basic Authentication. This delay was a respite for many customers; however, it is vital to understand the risks of legacy authentication and take steps now to ensure all your systems support the latest security protocols.

What is basic authentication?

Every single application, service, or program connecting to Microsoft 365 needs to authenticate. The traditional method of authentication involved sending an encoded set of credentials between the client and the server.

Why is basic authentication being disabled?

With basic authentication, the user’s credentials are not encrypted but simply encoded; they would often be protected in transit using other secure protocols like HTTPS / SMTPS; however, the underlying data was vulnerable to being intercepted and decoded.

Modern Authentication (OAuth 2.0) offers a much more secure method of authenticating users, and users are being urged to move to applications, systems, and hardware that support these methods.
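To make the "encoded, not encrypted" point concrete, the following added example (not part of the original article) inspects HTTP `Authorization` header values and shows that a Basic value decodes straight back to the username and password, while a Bearer token carries no password to recover. The client labels, header values and function names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample data: (client label, Authorization header value).
# The credentials are made up for this example.
SAMPLE_HEADERS = [
    ("legacy-scanner",
     "Basic " + base64.b64encode(b"scanner@example.com:Summer2020!").decode()),
    ("modern-client", "Bearer eyJhbGciOi.constructed.token"),
    ("broken-client", "Basic not*base64"),
]


def inspect_authorization(value):
    """Classify a header value; for Basic, report what any observer can recover."""
    scheme, _, param = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme != "basic":
        # Bearer and other schemes do not embed the user's password.
        return {"scheme": scheme, "reversible": False}
    try:
        # Base64 is an encoding: no key is needed to reverse it.
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return {"scheme": "basic", "reversible": False, "error": "malformed"}
    user, sep, password = decoded.partition(":")
    if not sep:
        return {"scheme": "basic", "reversible": False, "error": "malformed"}
    # Report only the password length so the audit output does not leak it again.
    return {"scheme": "basic", "reversible": True,
            "user": user, "password_length": len(password)}


def clients_using_basic(headers):
    """Return the labels of clients that still send Basic credentials."""
    return [name for name, value in headers
            if inspect_authorization(value)["scheme"] == "basic"]


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS:
        print(name, inspect_authorization(value))
    print("Still on Basic Auth:", clients_using_basic(SAMPLE_HEADERS))
```
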

How will this affect me?

While these changes have been postponed once already, it is critical to start planning now and avoid any potential disruption in the future. It is also critical to ensure you are doing all you can to protect against vulnerabilities and secure your network and services.

If not correctly managed, these changes have the potential to cause issues for third-party applications, websites, old devices (such as scanners), and legacy systems connecting to Office 365. For example, if you use Office 2010 or older (and consequently Outlook 2010 or older), your email client will no longer be able to connect to Microsoft.

For later versions of Office, there may be technical changes required in order to enable OAuth to keep you working when the changeover is made.

What do I need to do?

If you aren’t sure what this means, our best advice is to get in touch with your IT provider and ask them if any of these changes apply to you.

Prodigy is already working with our current support clients to assess what legacy authentication mechanisms are still in use and put together action plans for retiring these services. If you think now might be the time to get your systems looked at, or are looking for a proactive support partner, please get in touch; we’d love to hear from you.