Microsoft, Cloud Providers Move to Ban Basic Authentication

Published : 23/11/2024   Category : security




Microsoft moves ahead with a plan to sunset basic authentication, and other providers are moving — or have moved — to requiring more secure authentication as well. Is your company ready?



Microsoft and major cloud providers are starting to take steps to move their business customers toward more secure forms of authentication and the elimination of basic security weaknesses — such as using usernames and passwords over unencrypted channels to access cloud services.
Microsoft, for example, will remove the ability to use basic authentication for its Exchange Online service starting Oct. 1, requiring that its customers use token-based authentication instead. Google, meanwhile, has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.
The deadlines are a warning to companies that efforts to secure their access to cloud services can no longer be put off, says Pieter Arntz, malware intelligence researcher at Malwarebytes, who penned a recent blog post highlighting the coming deadline for Microsoft Exchange Online users.
"I think the balance is shifting to the point where they feel they can convince users that the extra security is in their best interest, while trying to offer solutions that are still relatively easy to use," he says. "Microsoft is often a trendsetter and announced these plans years ago, but you will still find organizations straggling and struggling to take the appropriate measures."
While some security-conscious companies have taken the initiative to secure access to cloud services, others have to be prodded — something that cloud providers, such as Microsoft, are increasingly willing to do, especially as companies struggle with more identity-related breaches. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance's 2022 Trends in Securing Digital Identities report.
Turning off basic forms of authentication is a simple way to block attackers, who are increasingly using credential stuffing and other mass access attempts as a first step to compromising victims. Companies with weak authentication leave themselves open to brute-force attacks, abuse of reused passwords, credentials stolen through phishing, and hijacked sessions.
And once attackers have gained access to corporate email services, they can exfiltrate sensitive information or conduct damaging attacks, such as business email compromise (BEC) and ransomware attacks, says Igal Gofman, head of research for Ermetic, a provider of identity security for cloud services.
"The use of weak authentication protocols, especially in the cloud, can be very dangerous and lead to major data leaks," he says. "Nation-states and cybercriminals are constantly abusing weak authentication protocols by executing a variety of different brute-force attacks against cloud services."
Shoring up the security of authentication can have immediate benefits. Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. A significant portion of companies that suffered a breach (43%) believe that having multifactor authentication could have stopped the attackers, according to the IDSA's 2022 Trends in Securing Digital Identities report.
In addition, cloud and zero-trust initiatives have driven the pursuit of more secure identities, with more than half of companies investing in identity security as part of those initiatives, according to the IDSA's Technical Working Group, in an email to Dark Reading.
For many companies, the move away from simple authentication mechanisms that rely on merely a user's credentials has been spurred by ransomware and other threats, which have caused companies to look to minimizing their attack surface area and hardening defenses where they can, the IDSA's Technical Working Group wrote.
"As the majority of companies accelerate their zero-trust initiatives, they are also implementing stronger authentication where feasible — although, it is surprising that there are still some companies struggling with the basics, or [that] haven't yet embraced zero trust, leaving them exposed," researchers there wrote.
Every major cloud provider offers multifactor authentication over secure channels and using secure tokens, such as OAuth 2.0. While turning on the feature may be simple, managing secure access can lead to an increase in work for the IT department — something for which businesses need to be ready, says Malwarebytes' Arntz.
"Companies sometimes fail when it comes to managing who has access to the service and which permissions they require," he says. "It is the extra amount of work for IT staff that comes with a higher authentication level — that is the bottleneck."
Researchers at the IDSA's Technical Working Group explained that legacy infrastructure is also a hurdle.
"While Microsoft has been in the process of moving their authentication protocols forward for some time, the challenge of migrating and backward compatibility for legacy apps, protocols, and devices has delayed their adoption," they noted. "It's good news that the end is in sight for basic auth."
Consumer-focused services are also slow to adopt more secure approaches to authentication. While Google's move has improved security for many consumers, and Apple has enabled two-factor authentication for more than 95% of its users, for the most part consumers continue to only use multifactor authentication for a few services.
While almost two-thirds of companies (64%) have identified initiatives to secure digital identities as one of their top three priorities in 2022, only 12% of organizations have implemented multifactor authentication for their users, according to the IDSA's report. However, firms are looking to provide the option, with 29% of consumer-focused cloud providers currently implementing better authentication and 21% planning on it for the future.
