On June 28, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) released an advisory stressing that government agencies and private sector organizations using Microsoft Exchange’s cloud email platform should expedite switching from legacy Basic Authentication methods, which lack multifactor authentication (MFA) support, to Modern Authentication alternatives.
Basic Authentication (proxy authentication) uses an HTTP-based authentication scheme, which sends credentials in plain text to servers, endpoints or online services. Modern Authentication (Active Directory Authentication Library and OAuth 2.0 token-based authentication) uses OAuth access tokens that have a limited lifetime and cannot be reused to authenticate to any resources other than the ones for which they were specifically issued.
Applications that use Basic Authentication can allow an attacker to capture credentials in man-in-the-middle attacks over transport layer security (TLS). Additionally, MFA is much more complicated to configure with Basic Authentication, which may lead to misconfigurations or to no MFA configuration at all.
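The difference described above, as an added example (not code from CISA, Microsoft or Nuspire): it reads a Basic header and a Bearer token and reports what each exposes and where it would be accepted. The function names, the example.com resources and the sample credential and token are constructed for illustration, and signature verification is deliberately left out.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def describe_authorization(header: str, resource: str, now: int) -> dict:
    """Summarise what an Authorization header exposes and whether it is usable at `resource`."""
    scheme, _, value = header.partition(" ")
    if scheme.lower() == "basic":
        # Base64 is an encoding, not encryption: whoever sees the header has the
        # password, and nothing in the header limits it to a resource or a time.
        user, _, password = base64.b64decode(value).decode().partition(":")
        return {"scheme": "basic", "user": user, "password_recoverable": bool(password),
                "usable_at_resource": True, "expires": None}
    if scheme.lower() == "bearer":
        # Claims are only read here; a real resource server also verifies the signature.
        claims = json.loads(_b64url_decode(value.split(".")[1]))
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        usable = resource in audiences and claims.get("exp", 0) > now
        return {"scheme": "bearer", "user": claims.get("sub"), "password_recoverable": False,
                "usable_at_resource": usable, "expires": claims.get("exp")}
    raise ValueError(f"unsupported scheme: {scheme!r}")

# Constructed sample values (hypothetical, not real credentials or tokens).
NOW = 1_656_400_000
MAIL, FILES = "https://mail.example.com", "https://files.example.com"
BASIC = "Basic " + base64.b64encode(b"alice@example.com:CorrectHorse1!").decode()

def make_sample_token(aud: str, exp: int) -> str:
    # Unsigned stand-in for an OAuth access token in JWT form.
    parts = [{"alg": "RS256", "typ": "JWT"}, {"sub": "alice@example.com", "aud": aud, "exp": exp}]
    return "Bearer " + ".".join([_b64url(json.dumps(p).encode()) for p in parts] + ["sig-placeholder"])

TOKEN = make_sample_token(MAIL, NOW + 3600)

if __name__ == "__main__":
    cases = [("basic at mail", BASIC, MAIL, NOW), ("basic at files", BASIC, FILES, NOW),
             ("token at mail", TOKEN, MAIL, NOW), ("token at files", TOKEN, FILES, NOW),
             ("token after expiry", TOKEN, MAIL, NOW + 7200)]
    for label, header, resource, when in cases:
        print(label, describe_authorization(header, resource, when))
```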
Microsoft announced in September 2021 that it would disable Basic Authentication in Exchange Online for all tenants starting Oct. 1, 2022. However, CISA urges you to act sooner.
Nuspire is currently utilizing Modern Authentication as recommended by Microsoft and CISA.
Nuspire recommends that organizations using Basic Authentication plan to migrate to Modern Authentication as soon as feasible. Administrators can use CISA’s advisory for resources and technical guidance on how to make the switch to Modern Authentication and block Basic Authentication.