Microsoft is about to eliminate a method for logging into its Exchange Online email service that is widely considered vulnerable and outdated, but that some businesses still rely upon.
The company has said that as of Oct. 1, it will begin to disable what's known as "basic authentication" for customers that continue to use the system.
Basic authentication typically requires only a username and password for login; the system does not play well with multifactor authentication and is prone to a host of other heightened security risks. Microsoft has said that for several types of common password-based threats, attackers almost exclusively target accounts that use basic authentication.
At identity platform Okta, which manages logins for a large number of Microsoft Office 365 accounts, "we've seen these problems for years," said Todd McKinnon, co-founder and CEO. "When we block a threat, nine times out of 10 it's against a Microsoft account that has basic authentication. So we think this is a great thing."
Microsoft has been seeking to prod businesses to move off basic authentication for the past three years, but "unfortunately usage isn’t yet at zero," it said in a post earlier this month.
Microsoft has delayed the phase-out of basic authentication on several occasions to give those laggards an opportunity to adopt a "modern authentication" system, which supports a more secure approach, known as OAuth 2.0, and is easier to use with MFA. Now, the company is giving customers one last chance to buy some more time for the switch.
If a customer finds that it can no longer access its accounts after this weekend because basic authentication has been disabled, the customer will be allowed to re-enable basic authentication one more time for each Exchange Online protocol that it might use. Basic authentication will remain enabled until the end of December, but will be eliminated, for good, after that, according to Microsoft.
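The contrast the article draws, between basic authentication (a username and password sent on every request) and OAuth 2.0 bearer tokens, and the per-protocol scope of Microsoft's re-enable option, can be made concrete with a small log-triage script. The following is an added example, not code from Microsoft or from the article: it parses constructed, simplified log lines (the format, the `proto=`/`client=`/`authz=` fields and the accounts are assumptions, not real Exchange Online log output), classifies each request's Authorization scheme, and builds a per-protocol inventory of accounts still using basic auth, which is the list an administrator would want before the cutoff.

```python
import base64
import re

# Constructed sample log lines (not real Exchange Online output). Each line
# records the protocol a client used and the Authorization header it sent.
SAMPLE_LOG = """\
2022-09-28T08:01:12Z proto=IMAP4 client=10.0.0.5 authz="Basic YWxpY2U6aHVudGVyMg=="
2022-09-28T08:01:15Z proto=SMTP client=10.0.0.9 authz="Basic Ym9iOnBhc3N3b3Jk"
2022-09-28T08:02:40Z proto=EWS client=10.0.0.7 authz="Bearer eyJhbGciOiJSUzI1NiJ9.constructed.token"
2022-09-28T08:03:01Z proto=POP3 client=10.0.0.5 authz="Basic YWxpY2U6aHVudGVyMg=="
2022-09-28T08:03:55Z proto=IMAP4 client=10.0.0.11 authz="Bearer eyJhbGciOiJSUzI1NiJ9.another.token"
"""

# Field layout is an assumption made for this example.
LINE_RE = re.compile(r'proto=(?P<proto>\S+) client=(?P<client>\S+) authz="(?P<authz>[^"]*)"')


def classify_authz(header):
    """Classify an Authorization header value.

    Returns ("basic", username) for Basic auth, ("oauth", None) for a
    Bearer token, and ("unknown", None) for anything else. A Basic header
    with an undecodable payload yields ("basic", None).
    """
    scheme, _, payload = header.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic auth is just base64(username:password). The credential is
        # replayed in full on every request and nothing ties it to a second
        # factor, which is why it "does not play well" with MFA.
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return ("basic", None)
        username = decoded.split(":", 1)[0]
        return ("basic", username)
    if scheme == "bearer":
        # An OAuth 2.0 access token: opaque to this script, short-lived, and
        # issued only after the identity provider's own checks (including MFA).
        return ("oauth", None)
    return ("unknown", None)


def inventory_basic_auth(log_text):
    """Map each protocol to the set of accounts still authenticating with Basic.

    This is the per-protocol view that matters for the phase-out: basic auth
    is enabled or disabled protocol by protocol, so the migration work is
    tracked the same way.
    """
    per_proto = {}
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        kind, username = classify_authz(match["authz"])
        if kind == "basic":
            per_proto.setdefault(match["proto"], set()).add(username)
    return per_proto


if __name__ == "__main__":
    for proto, users in sorted(inventory_basic_auth(SAMPLE_LOG).items()):
        print(f"{proto}: still on basic auth -> {sorted(u or '<undecodable>' for u in users)}")
```

Run against real data, the same structure applies: identify which protocols still carry Basic headers, and for each one which accounts or clients send them, so that the protocol can be left disabled once those clients have been moved to modern authentication.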
"Our goal with this effort has only ever been to protect your data and accounts from the increasing number of attacks we see that are leveraging basic auth," the company said in the post. "However, we understand that email is a mission-critical service for many of our customers and turning off basic auth for many of them could potentially be very impactful."
In essence, Microsoft's message to customers is that "we're forcing you down the path of better security," which overall is a win in the battle against cyberattacks, said Joseph Carson, chief security scientist at privileged access management vendor Delinea.
Still, for businesses that have been slow to adopt newer technology and have yet to move off basic authentication, the upcoming move could pose a significant disruption, Carson said.
"They're going to be struggling to move forward," he said. "It could prohibit the business from functioning for a while until they make the [modern authentication] investment."