Legacy authentication could provide easy access to your network. Here's how you can mitigate the risk and set yourself on the path to passwordless.
You may or may not be aware, but Microsoft has made some serious steps forward in their cyber security offering over the last 18 months.
One of their most recent moves was to announce that on 13 October 2020 they will stop supporting and retire Basic Authentication for Exchange Active Sync (EAS), Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and Remote PowerShell (RPS) in Exchange Online. Whilst this initially sounds like a bad thing, this is actually great news for your security.
In this blog, we will investigate the aspects of legacy authentication and why it is not fit for purpose in today’s digital world and, more importantly, we’ll explore ways of identifying, blocking and ultimately improving your security posture.
Attackers love legacy authentication. This is because it can circumvent the security controls you put in place and provide the attacker with an easier route into your network. Attackers always look for the ‘low-hanging fruit’.
Over recent years, there have been significant advances in the controls available to you to ensure your security. A lot of these are focused around modern authentication practices (superseding dated legacy authentication processes) to protect your identities at the front door.
Why protect identities? Because the identity serves as a door into your network. They are, by far, the most commonly attacked component within your digital estate.
Within the plethora of Office 365 services, legacy authentication is an authentication method that is most commonly used to access your e-mail services. You might be familiar with terms such as POP, IMAP and SMTP, these protocols are the mechanism that older software clients use to enable you to access and use your e-mail services.
Legacy authentication can often be based around the HTTP protocol where your username and password are sent in clear text to the service endpoint, where authentication is then proxied to the identity provider, most commonly Azure AD.
To protect this exchange of information, the transport layer is encrypted using the HTTPS protocol. As mentioned, the service endpoint proxies or checks that your credentials are correct and then – if successfully verified – will grant you access.
The problem, however, is that the legacy authentication protocol does not understand the flow that may be needed to assess your connection. As a result, additional layers of security, such as an MFA challenge or additional controls, cannot be applied.
A modern authentication protocol is based on a claim, whereupon presenting successful credentials, additional security controls, such as MFA, can be applied.
Microsoft has recently announced that they will be removing the ability to authenticate against Exchange Online using legacy authentication in October this year (2020).
Once you successfully satisfy the connection requirements, you have an appropriate claim described within a token. This token can then be presented to a service such as Exchange Online where your claim will be processed, and access granted.
Modern authentication protocols understand the flow needed to assess your connection request, the risk associated with it, and subsequently apply additional controls to reduce that risk. This is particularly important when considering a zero-trust approach to your environment.
As I mentioned earlier, Microsoft has recently announced that they will be removing the ability to authenticate against Exchange Online using legacy authentication in October this year (2020). So, if you’re currently using legacy authentication within Office 365, you’ll need a plan for your new authentication processes.
There are controls available to you within Azure AD (Plan 1) where you can block legacy authentication against your cloud services, but before you do this, you should understand the potential impact.
The first thing you will need to do is to review your sign-in activity within Office 365. You can do this by filtering a sign-in log search within the Azure AD portal.
Within the filters available, select ‘Client apps’ and then select ‘Other clients’. This will show you the connections that are authenticating using legacy authentication.
Through reviewing the results, you will be able to identify the users and apps involved.
Applications such as Office 2010 use legacy authentication, but it could be a whole host of other applications, including apps such as native e-mail clients on mobile devices.
Typically moving to the latest versions of the application will be your way forwards, or enforcing the use of apps such as Outlook Mobile on mobile devices. There are ways to reduce the risk of legacy authentication requests through the use of things like app passwords, but they should be avoided in favour of a modern auth capable application.
Once you have removed legacy authentication, you can now take advantage of several other controls available to you within Azure AD to further assess the connections into your environment.
First, you should apply controls such as MFA to protect your identities. Azure AD now allows all customers, regardless of their licensing position, to use MFA through the authenticator app free of charge. MFA is a must for every organisation.
MFA does present a required additional step for end-users, and whilst this is pretty straight forward, ensuring that you have considered this impact is critical to a successful implementation. For more info on the risks of legacy authentication and moving to MFA with conditional access policies, we recommend you watch our short demonstration video.
“Azure AD now allows all customers, regardless of their licensing position, to use MFA free of charge.”
Alongside MFA, you should consider deploying Azure Conditional Access – a powerful mechanism to ensure you have considered the risk involved with a given connection request.
With these tools in place you can better control access to your sensitive information and mitigate access risks in accordance with your organisations risk profile. As a minimum, protect your privileged accounts NOW!
It’s a good start. There are many other ways that you can apply additional protection and visibility against your identities.
The fundamental issue, however, is how we are presenting our credentials. I’m referring here to passwords. Passwords have long been recognised as an inferior mechanism to prove identity, and your strategy should include a move to a passwordless world.
MFA does mitigate the risk involved with your secret (password) being compromised but there are still issues with this approach.
Microsoft, and indeed the industry, have made significant advancements in making the password a thing of the past.
Microsoft now has solutions to enable a passwordless experience for all your authentication needs. Technologies such as Windows Hello, the authenticator app, certificate trust and key trust enable you to authenticate without a traditional password, ultimately providing access to both cloud services and services secured by your local Active Directory based on the Kerberos protocol.
The FIDO Alliance has also developed additional standards, providing the ability to use FIDO2 security keys against your services. Microsoft now supports these keys to authenticate against cloud and on-premises resources.
Find out how to fix your biggest security black hole - and realise the benefits of modern authentication. You'll learn:
Hopefully, you now understand that legacy authentication is a significant risk, why it is, and the options available to improve the security of your credentials.
Remember, your long-term goal should be to move to a passwordless world. Allowing your users to authenticate without a password is one of those rare security controls that has a positive impact on your users’ experience whilst significantly improving your security posture.
Next, watch our passwordless webinar on-demand to see it in action for yourself or explore how MFA and conditional access work in tandem to provide unparalleled security.
Simply request a free Vision Call. We can help you with solution ideas, technology education, best practice advice and more.Request Vision Call
Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.
You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:Windows
Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.