The Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. federal civilian executive branch agencies to expedite migration to Modern Authentication (Modern Auth) for the Exchange Online mail server before Microsoft’s Oct. 1 deadline.
For years, applications have relied by default on Basic Authentication (Basic Auth), where applications send a username and password with each unique request, and those credentials are saved on the device. This authentication standard is considered outdated, however, especially with the proliferation of password spray and credential stuffing attacks that take advantage of end users reusing their passwords or using weak passwords.
Modern Auth, or OAuth 2.0 token-based authentication, aims to mitigate these issues with several measures, including support for multi-factor authentication (MFA). OAuth access tokens have a limited timeframe for use and are specific to the applications they are issued for, so they can’t be reused. According to Microsoft, Microsoft Entra ID accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled.
Microsoft in September 2021 said it would begin to permanently disable Basic Auth for Outlook, Exchange ActiveSync (EAS), Exchange Web Services (EWS), Remote PowerShell (RPS), Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) in Exchange Online starting Oct. 1, 2022. CISA's guidance takes this deadline into account, with a recommendation for both U.S. agencies and private sector firms to take “urgent” steps to switch to Modern Auth before October.
“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” said CISA in Tuesday guidance. “After completing the migration to Modern Auth, agencies should block Basic Auth. Basic Auth is most likely used by legacy applications or custom-built business applications.”
Agencies should first review their Microsoft Entra ID sign-in logs to identify any applications or users authenticating with Basic Auth, and then create a plan for moving these identified applications and users to Modern Auth. At the same time, agencies can block the usage of Basic Auth by either creating an authentication policy in Exchange Online (in order to block Basic Auth before the authentication occurs) or creating a Conditional Access policy in Microsoft Entra ID (in order to block Basic Auth after authentication has occurred). Many user-facing applications, such as Outlook Desktop and Outlook Mobile App, have already been moved to Modern Auth by agency implementation of Microsoft security updates, according to CISA.
The move to migrate to Modern Auth is significant from a security perspective, but it also allows federal civilian executive branch agencies to enable MFA, one of the requirements outlined by the Biden administration’s 2021 executive order, “Improving the Nation’s Cybersecurity.”
Mark Montgomery, executive director of the Cyberspace Solarium Commission, said this recommendation by CISA is absolutely necessary.
"Effective and widespread use of multi-factor authentication is very helpful to overall cyber hygiene in the federal government," said Montgomery. "My only surprise was that CISA could not mandate this guidance to federal agencies."