CISA advises Exchange Online customers to disable legacy Basic Authentication for all users
The Cybersecurity and Infrastructure Security Agency (CISA) is the US federal agency that issues cyber-defence guidance to government and critical-infrastructure organizations. CISA urged both government and private-sector organizations to accelerate their migration of Microsoft's Exchange Online cloud email platform from Basic Authentication to Modern Authentication, which, unlike Basic Auth, supports multifactor authentication (MFA).
Basic Authentication is an HTTP authentication scheme in which the client sends the username and password on every request, Base64-encoded but otherwise unprotected, so anyone who captures the request, or compromises the application that stores the credentials, obtains the password itself. Modern Authentication is token-based: the client first authenticates to Azure AD (now Entra ID) and obtains an OAuth 2.0 access token, then presents that token to Exchange instead of the password. Tokens are scoped to a resource, expire, and can be revoked, and because the password never reaches the mail protocol endpoint, a captured token does not hand an attacker a long-lived credential the way a captured Basic Auth header does.
Applications that use Basic Auth hold and transmit the user's password, which makes credentials easy for attackers to harvest through phishing, password spraying, and credential stuffing. Basic Auth also cannot enforce MFA: a valid password alone is enough, so any MFA configured on the account is bypassed by a client still using the legacy protocol. Modern Auth supports MFA natively, without additional work for the user.
The advisory is addressed first to Federal Civilian Executive Branch (FCEB) agencies but applies to every Exchange Online customer, and it follows Microsoft's own guidance to block Basic Auth. Modern Auth, which Microsoft enables by default in Exchange Online, is designed to protect against threat actors targeting user and administrator passwords.
According to CISA’s statement, “Basic Auth is a legacy authentication method that does not support multifactor authentication (MFA), which is a requirement for Federal Civilian Executive Branch (FCEB) agencies per Executive Order 14028.”
CISA published its guidance after Microsoft announced the change to customers in May 2022. Microsoft will begin disabling Basic Auth for all Exchange Online tenants worldwide on October 1, 2022; it has already disabled it in tenants that were no longer using it.
The company added, “We’ve disabled Basic Auth in millions of tenants that weren’t using it, and we’re currently disabling unused protocols within tenants that still use it, but every day your tenant has Basic Auth enabled, you are at risk from attack.”
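The tenant-side steps that CISA's guidance and Microsoft's announcement push administrators toward, as an added example that is not part of the article or of CISA's or Microsoft's own material: confirm Modern Auth is on, block every Basic Auth protocol with an Exchange Online authentication policy, make it the tenant default, force it to apply, disable SMTP AUTH, and verify. It assumes the ExchangeOnlineManagement PowerShell module and an Exchange administrator account; the policy name "Block Basic Auth" is an arbitrary choice.

```powershell
# Added example, not from the article, CISA or Microsoft. Assumes the
# ExchangeOnlineManagement module is installed and the caller is an Exchange admin.
Connect-ExchangeOnline

$policyName = "Block Basic Auth"   # arbitrary name chosen for this example

# 0. Modern Auth (OAuth 2.0) must be enabled before Basic Auth is cut off,
#    otherwise clients have nothing to fall back to.
$org = Get-OrganizationConfig
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 1. Inventory: which Basic Auth protocols do existing policies still allow?
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthPop, AllowBasicAuthImap, AllowBasicAuthSmtp,
                  AllowBasicAuthActiveSync, AllowBasicAuthPowershell

# 2. Create a policy that blocks every Basic Auth protocol. New-AuthenticationPolicy
#    already defaults all AllowBasicAuth* switches to $false; they are listed here so
#    the intent is explicit in the script and in change review.
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthImap:$false -AllowBasicAuthMapi:$false `
        -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false `
        -AllowBasicAuthPop:$false -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false `
        -AllowBasicAuthSmtp:$false -AllowBasicAuthWebServices:$false
}

# 3. Make it the tenant default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Policy changes can take up to 24 hours to apply; resetting the token validity
#    timestamp makes Exchange re-evaluate each user much sooner.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        Set-User -Identity $_.Identity -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
    }

# 5. SMTP AUTH is governed by a separate tenant switch; turn it off as well.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 6. Verify the end state.
Get-OrganizationConfig | Select-Object OAuth2ClientProfileEnabled, DefaultAuthenticationPolicy
Get-AuthenticationPolicy -Identity $policyName | Format-List AllowBasicAuth*
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

Before running this tenant-wide, identify the accounts and devices that still sign in over legacy protocols (the "Client app" field in the Azure AD sign-in logs shows IMAP, POP, SMTP, ActiveSync and similar entries) and migrate those clients first: the policy rejects a Basic Auth sign-in outright rather than prompting for MFA, so anything left on the old protocol simply stops working.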