From Basic to Modern Authentication: Implications for security and migrations
The use of Basic Authentication over the internet is as old as the basic standard for the world wide web. Its use was outlined in May 1996 as part of the standard for version 1.0 of the Hypertext Transfer Protocol.
At the time, it was acknowledged as being inherently insecure because a username and password are sent in clear text, and the authors called out the need for additional security.
Over time, subsequent RFCs improved on the security of the standard–most notably by encrypting the credential exchange—but at its core, Basic Authentication can still be thought of as authentication using only a username and password.
So… Basic Authentication has been around for more than 25 years. Given the current state of cybersecurity threats, its continued use is almost unconscionable.
Microsoft has recognised the high risk associated with this legacy authentication approach and has pushed for a shift to a more secure form of Modern Authentication.
There are only two exceptions. Basic Authentication will remain supported in Exchange Server on-premises products and for SMTP-AUTH in Exchange Online. The latter is to support multi-function devices such as devices and scanners that cannot be updated to use Modern Authentication.
Still, Microsoft urges customers to move away from using Basic Authentication with SMTP-AUTH whenever possible.
With those few exceptions, on December 31, 2022, Basic Authentication was disabled for good, which extends to migration projects. In our opinion, that’s a good thing.
Modern Authentication, as implemented by Microsoft, is more secure and provides a better user experience, given the distributed, federated nature of the modern web experience.
While it still requires user names and passwords as a first line of establishing identity, Modern Authentication minimises the number of times those credentials are exchanged or stored on separate servers.
Replacing usernames and passwords with tokens—packets of information that can be exchanged and validated by the parties to the transaction—is a far more secure way of confirming the identity of a user while verifying that they are authorised to access applications and resources.
Users get a single-sign-on experience when they access multiple resources that are related—an experience that they naturally expect.
Modern Authentication supports additional, extended methods for confirming user identity, especially when accessing from locations or devices that are new for that user, making it a vital tool for defending against phishing attacks that can lead to account takeovers, business email compromise, and ransomware attacks.
Modern Authentication in Exchange Online, as implemented by Microsoft, is built on three main components: Active Directory Authentication Library (ADAL), OAuth 2.0, and ID Connect.
It leverages ADAL to enable applications to support a variety of sign-in capabilities, including smart card+certificate-based authentication. Notably, it supports two-factor/multi-factor authentication (2FA/MFA), which allows additional authentication factors to further establish the user’s identity.
Additional factors may include possession of a device such as a smartphone or biometric factors such as a fingerprint or facial recognition. Once a user is authenticated, ADAL then obtains tokens for securing API calls on behalf of the user.
All Microsoft support and development for ADAL, including security fixes, will end in June 2023 in favour of an updated version now termed Microsoft Authentication Library (MSAL); ADAL on existing operating systems will continue to work, although according to Microsoft, ADAL will become increasingly vulnerable to new patterns of attack.
OAuth 2.0 is the industry-standard protocol for authorisation; note that “Auth” stands for authorisation, not authentication. Its primary role is to authorise applications to share data with each other on behalf of the user, using token exchanges to avoid resending username/password credentials.
Access tokens are specific to the applications and resources for which they are issued and have a limited lifetime, which prevents their reuse.
From the user perspective, the use of access and refresh tokens under OAuth 2.0 reduces the number of times users are prompted to reauthenticate with their primary credentials and perform 2FA/MFA.
While ADAL focuses on authentication and OAuth 2.0 on authorisation, as applications continued to share more data and account information among them, the need for a standard framework for single sign-on became evident.
Open ID Connect is an authentication layer built on top of OAuth 2.0. It provides for issuance of an access token, along with an ID token for proving the user’s identity. The ID token contains information about the authenticated user and is digitally signed by the identity provider.
The receiving application can then verify the ID token is valid by using the identity provider’s public key to confirm that the identity information has not been tampered with.
Modern Authentication is becoming a key element of Zero Trust security. Zero Trust is an approach that applies a set of security principles. The goal is to allow users to access only what they need without compromising security while still making that access convenient for the user.
At the core of Zero Trust is ‘never trust, always verify,’ regardless of where the request originates or the resources it accesses. The federated model of Modern Authentication provides an ideal framework for implementing a Zero Trust security model.
We understand that other available migration tools have taken a go-slow approach to supporting Modern Authentication. With the temporary exception of Coexistence and Hybrid Exchange, my company’s migration app now fully supports Modern Authentication in particular, on endpoints that are involved in mailbox migrations.
This makes organisations more secure and their migrations secure, too.
Techs might have the following questions about setting up and using a quality migration app to migrate mailboxes, documents and workloads under the new requirements of Modern Authentication.
How do users enable Modern Authentication?
To summarise, register Exchange Web Services with a delegated application in the tenant, and then supply the Client Id and Tenant Id on registering the app to use when authenticating with the Exchange Online tenant.
While we understand that some other available migration tools have taken a go-slow approach to supporting Modern Authentication. With the temporary exception of Coexistence and Hybrid Exchange, our own migration app now fully supports Modern Auth in particular, on endpoints that are involved in mailbox migrations.
Modern Authentication makes organisations more secure - and their migrations more secure, too.