Moving Beyond Basic Authentication

Adopting modern authentication protocols and methods can be a daunting task, but it is essential to preventing data breaches.

Another day, another security breach. Or rather, another day, another twenty security breaches. In the first half of 2019, according to Risk Based Security research, there were more than 3,800 publicly disclosed data breaches that compromised approximately 4.1 billion records. In 65% of the breaches, the exposed date was made up of credential pairs, usernames, and passwords. 

As long as sensitive and confidential data is protected only with a username and password, we will continue to read reports of data breaches. Threat actors will continue to go after the low hanging fruit, which is easy to find considering that 60% of data breaches reported in the first half of 2019 were the result of human error. Additionally, according to the 2019 Global Password Security Report, 50% of users globally continue to reuse passwords across multiple sites and services and only 31% globally are utilizing multi-factor authentication to protect their identities.  

Basic authentication leaves data vulnerable to breach

The low multi-factor adoption rate can partially be attributed to the fact that many organizations continue to allow basic authentication on mission-critical systems. Protocols and services like IMAP, POP, SMTP, Exchange ActiveSync, Outlook Anywhere (RPC over HTTP), etc., are only capable of authenticating users using basic credential pairs, i.e., username and password. The task of disabling basic authentication and allowing only modern authentication protocols and methods can be a daunting task but is one that must be undertaken to prevent data breaches. According to research from Symantec (now part of Broadcom), 80% of data breaches can be prevented by using multi-factor authentication. 

Microsoft announced on November 20, 2019 that basic authentication to Exchange Online services like Exchange Web Services, Exchange ActiveSync, POP, IMAP and Remote PowerShell would be disabled by October 13, 2020 (though authenticated SMTP will continue to be supported with basic authentication). Due to the COVID-19 pandemic, this has been postponed until the second half of 2021. However, now is a good time to begin your journey beyond basic authentication, enabling the adoption of modern authentication and multi-factor security throughout your enterprise.  

How do you get started? 

First, you need to know if users have apps that are currently utilizing legacy authentication and how it affects your overall directory. If you are using Azure Active Directory as your identity provider, you can use the Azure AD sign-in logs to capture this information. The sign-in logs can be filtered by Client App and Status to give you a clear indication of which users and which applications are using legacy authentication allowing you to target remediation.  

With this information in hand, you can start upgrading your environment to leverage modern authentication with enhanced security methods. 

Looking to the future

Basic authentication using username and password are not enough to protect your data. With the rise of credential stuffing and similar attacks, it is imperative that basic authentication be disabled wherever possible and that modern authentication with multi-factor authentication be adopted by all. Forward–looking organizations are moving beyond basic password security and are reaping the rewards of enhanced security without disrupting the user experience. Don’t get stuck in the past! 

Read more in Frank’s previous blog “Hybrid Modern Authentication: What is it? How can your organization benefit?“