back to article Start using Modern Auth now for Exchange Online

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October. In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted …

  1. steviebuk Silver badge

    Will be a..

    ...fuck up.

    Considering we still have some machines that used Office 2013 that UNDERSTANDS MFA, apparently. Yet, randomly, I'll have one fucking user where Outlook 2013 decides it doesn't understand MFA and will only accept the one time password setup.

    Fix you're fucking MFA setup Microsoft before turning off traditional logins.

    1. Anonymous Coward
      Anonymous Coward

      Re: Will be a..

      Since office 2013 is explicitly no longer supported in office 365, why are you surprised that things don't work properly?

      1. NeilPost Silver badge

        Re: Will be a..

        Is Office 365/Microsoft 365 ‘Exchange On-line’??

        Methinks not… and that leaves hundreds of millions of domestic and business users no further forward.

        Enabling MFA for my elderly Dad’s iPad to continue receiving his ISP’s ‘free’ e-mail hosted on Office 365 makes me cringe. He still doesn’t remotely understand CAPTCHA by comparison.

      2. steviebuk Silver badge

        Re: Will be a..

        Because its states in its documentation that it understands and is aware of MFA so will work with an MFA account.

        1. Anonymous Coward
          Anonymous Coward

          Re: Will be a..

          https://docs.microsoft.com/en-us/deployoffice/endofsupport/microsoft-365-services-connectivity#impact-of-using-older-office-clients-to-connect-to-microsoft-365-services

          As per this link, office versions older than office 2016 may experience performance and reliability issues as changes will not be tested on them.

    2. Anonymous Coward
      Anonymous Coward

      Re: Will be a..

      your*

  2. Anonymous Coward
    Anonymous Coward

    Hello trackers, now MS knows more accurately where you are

    I have worked in various companies that use Microsoft based authentication, and from what I have seen you have to invest WAY too much trust in Microsoft - the amount of data hauled to Redmond with every single transaction under the banner "authentication" is shocking.

    With this move, Microsoft adds mobile tracking to its already considerable data haul (I'm betting GPS location will at some point be folded in as a mandatory extra "security" measure)- of course, the US government and its plethory or agencies will promise never to attemp using that, right?

    Right?

    1. katrinab Silver badge
      Black Helicopters

      Re: Hello trackers, now MS knows more accurately where you are

      It already is.

      At any rate, reading emails while on holiday is a challenge as the account invariably gets locked out because I logged in from an unusual location.

      1. TonyJ Silver badge

        Re: Hello trackers, now MS knows more accurately where you are

        "...At any rate, reading emails while on holiday is a challenge as the account invariably gets locked out because I logged in from an unusual location..."

        Good. Do yourself a favour and stop reading work emails on holiday. There is rarely, if ever, anything of such importance that it won't wait until you return.

        It's your time off. Your time to unwind.

        Always remember this little mantra: "If you drop dead tomorrow, the company you work for will have replaced you within a couple of weeks. Your family will be impacted forever."

        I've posted before, but I point blank refuse to work beyond my contracted hours (except for the occasional, pre-planned requirement, or for say a P1 incident that affects me/my team). I've said that now for around the last 13/14 years.

        Weekends are family time. Evenings are family time.

        1. Roland6 Silver badge

          Re: Hello trackers, now MS knows more accurately where you are

          >Good. Do yourself a favour and stop reading work emails on holiday.

          Some people have managed to have separate work and personal email accounts.

          With so much stuff going "digital" you need a working email box so you can receive the e-tickets etc. you need to gain admission to trains, planes, hotels, theatres, attractions ...

          You might say you can use "the app", but it is surprising how many app's decide you need to reconfirm your security by sending an email to which you are expected to respond to within an hour or so...

          1. TonyJ Silver badge

            Re: Hello trackers, now MS knows more accurately where you are

            Or - and I know it's old school but you can print things out as a backup. And take screenshots of e.g. QR codes on your phone so they work offline.

            I am yet to check onto a flight or into a venue that requires an *online* version of anything.

            You can always, you know, try to plan ahead a little.

            1. Roland6 Silver badge

              Re: Hello trackers, now MS knows more accurately where you are

              >I am yet to check onto a flight or into a venue that requires an *online* version of anything.

              Yes it is lovely when everything works and goes according to plan, but then the real world impinges...

              >You can always, you know, try to plan ahead a little.

              Obviously don't have teenagers, but in general, people don't plan ahead in the way you suggest and to the extent, we did 10~20 years back - they have brought the advertising that mobile is available everywhere and that the Internet just works - and the app will have downloaded the QR code and not require an online connection to re-authenticate you to permit display...

              I like email clients that download messages and don't require a network connection to load and view the (previously sync'd) inbox, however, that now increasingly seems to be old school...

    2. steviebuk Silver badge

      Re: Hello trackers, now MS knows more accurately where you are

      Amazon I think already do the GPS location. I was just at one of their lockers that wouldn't connect to the fucking phone over BLUETOOTH, cause I had the VPN connected.

  3. Pascal Monett Silver badge
    Coat

    "it essentially hardens all email users who rely on Microsoft Exchange Online"

    Great.

    Unfortunately, they're still using Exchange.

    1. Halfmad

      Re: "it essentially hardens all email users who rely on Microsoft Exchange Online"

      Don't forget it also encourages them to adopt other related products to secure their Microsoft Exchange Online.

  4. CJ_C
    Unhappy

    IMAP and SMPT Support

    I am dependent on these. Are they going to end. MS already making them harder. I have had to givr up on Gmail.

    When I log into a new wifi, MS warns, but now having travelled to unsafe France, my accounts were suspended. Embarrassing when try to accesss flight tickets...

    Do I need to transition? If so to what? Needs to work with UBports and conventional Linux

    1. Paul Crawford Silver badge

      Re: IMAP and SMPT Support

      One reason I normally use a VPN is for the consistent end point IP address to reduce this stupidity.

      But then many sites piss me off with CAPATCHAs as they see a lot of 'unusual traffic', so typically I boycott them if possible.

  5. Will Godfrey Silver badge
    Facepalm

    The whole thing is a worsening nightmare

    The authentication 'experts' must all live in big city cocoons. Having a phone as part of the authentication is crazy. I can't rely on being able to authenticate when using a venue's internet just outside London (or sometimes even inside) if there is no phone service.

    Also, for years I could get by with a credit card and just a few pounds in cash. Now I have to take a wodge of cash, again in case there's no phone access for card authorisation.

    Even if all that is good. It's still not secure. It's not the phone that's the ID it's the information held on the SIM... which can be faked.

    1. TonyJ Silver badge

      Re: The whole thing is a worsening nightmare

      Genuine question - I've had a lot of prompts to prove it's me when buying online, which you expect but I've never had to approve a transaction made in person yet. Is it something that is common now?

      I have previously used MS Authenticator on a phone without a SIM in it, just a WiFi connection. Happy to stand corrected though, as that was a while ago now.

      I do know that my Barclays app used to shit itself on dual-SIM phones so I can well believe MS Authenticator IS tied into the SIM now.

      1. Spanners Silver badge
        Happy

        Re: The whole thing is a worsening nightmare

        I do know that my Barclays app used to shit itself on dual-SIM phones so I can well believe MS Authenticator IS tied into the SIM now.

        No problem for me. I have a work SIM and my own, in my Huawei phone. Barclays does not care and never has a problem. Is it that my phone is less accessible to US spooks?

    2. Tom 38 Silver badge

      Re: The whole thing is a worsening nightmare

      Phone is literally the worst MFA device. Just get everyone a hardware U2F/FIDO2 token with NFC, it works for every MFA application you'll need.

      Well, except for my bank, which as I re-read your post, is the target of your ire. Banks MFA is bonkers anyway, the factors should be independent, where as your card and your phone are both "something I have". HSBC's process these days allows for the app to generate OTP without any network access, so you aren't reliant on an SMS message to get your approval token.

      However, per TFA, hardware keys are the best thing for MFA for websites or services on your PC or phone. I even keep my SSH and GPG keys on them.

      1. Clausewitz4.0
        Devil

        Re: The whole thing is a worsening nightmare

        I totally agree with you. A FIDO/U2F or an RSA SecurID-like solution is the best MFA, provided the seeds are secured, and replacements can be made once/if they are compromised.

      2. stiine Silver badge
        Flame

        Re: The whole thing is a worsening nightmare

        I don't want any of them to know that I have a phone because its none of their business and I don't want anyone to link all of my logins to a single 2fa dongle. That means I have to have a non-USB one, actually I need one for each service because I don't want someone to find/take my 2fa dongle and then work backwards to find my accounts and my locations when accessing those accounts.

        the convenience isnt' worth it to me. just give me a 128character password limit and I'll be safe.

    3. CJ_C

      Re: The whole thing is a worsening nightmare

      The first embarrasdment on this holiday was booking new flight after the first was cancelled. No mobile data so logged into the wifi. MS bleated but safe UK so did not suspend. Ordered tickets. Bank wanted verfication. Was too slow realising why no txt, so bank froze account...

      Was able to get tickets later, but this is all getting too hard for me.

      1. Paul Crawford Silver badge

        Re: The whole thing is a worsening nightmare

        Get an email account with someone competent and not looking to rape your privacy like MS and Google.

        Even Yahoo! is better these days, they do insist on a generated token for login to get round P4 (piss-poor-password-practice) but sadly I have to report the purple palace now is easier and more reliable than Gmail/MS for simple POP/SMTP email access from Thunderbird.

        1. Anonymous Coward
          Anonymous Coward

          Re: The whole thing is a worsening nightmare

          If you don't mind paying $99 a year for a decent email service, check out hey.com

          1. Roland6 Silver badge

            Re: The whole thing is a worsening nightmare

            Funnily enough, I've been paying circa £7 pcm (£84 pa) since the late 1980's for an email service (and some other services now little used) from a small UK-based provider. The surprising thing is despite some changes in ownership, the service is still running and I've not had to change my email address in all that time.

            So I would agree for circa $/£ 100 a year you should be able to get a decent email service, from a dedicated provider.

  6. karlkarl Silver badge

    For people who like actual standards...

    For people wanting to continue to use real standards such as POP, IMAP and SMTP, do check out DavMail:

    http://davmail.sourceforge.net/

    IRC users will be familiar with the concept. It basically acts as a proxy / bridge between the internet standards and the nonsense proprietary bullsh*t that idiots tend to force on the industry.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022