The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance for users of Microsoft Exchange Online to switch from Basic Authentication, or “Basic Auth,” to Modern Authentication, or “Modern Auth” – which supports multi-factor authentication (MFA) – by the beginning of October.
On October 1, Microsoft will begin permanently disabling Basic Auth, a legacy authentication method that does not support MFA. MFA is a requirement for Federal civilian agencies under President Biden’s cybersecurity executive order, issued in May 2021.
“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA said. “After completing the migration to Modern Auth, agencies should block Basic Auth. Basic Auth is most likely used by legacy applications or custom-built business applications.”
While the guidance is geared toward Federal civilian agencies, CISA urged “all organizations to switch to Modern Auth before October 1 and enable MFA.”
“Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing,” Microsoft said in a blog post. “We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”
Microsoft noted that October 1 is the day it will start to turn off Basic Auth, but added “this is not the date we turn it off for everyone.” The company said it will randomly select tenants and send seven-day warning Message Center posts before turning it off for the tenant.
“We expect to complete this by the end of this year. You should therefore be ready by October 1,” Microsoft said.