Microsoft: The deadline to get off Basic Auth is approaching

Don't say you weren't warned. Three years ago, Microsoft announced that it was going to start weaning its software offerings off Basic Authentication for more modern and secure user authentication methods. Since then, the software giant has moved a number of customer-facing applications, including Outlook Desktop and Outlook …

  1. Psy-Q

    I wish they wouldn't call it basic auth when it has nothing to do with HTTP basic auth.

    1. Anonymous Coward

      Thanks, I couldn't make sense of the article.

      1. Strahd Ivarius Silver badge
        Trollface

        don't forget Visual Basic Auth available in Excel macros

  2. Joe W Silver badge
    Pint

    Even I...

    ... don't fault MS. This time.

    Seriously. While I did not see the blog entries and all the other stuff, my Outlook mail account (from when I had a Windows phone, which I still miss) did complain when installing a new machine (and cell phone app). The (non-MS) mail readers did offer me a quick new setup, and it just... works. Good job everyone (also the programmers for the email software), have one!

    1. Anonymous Coward

      Re: Even I...

      It would be half as bad if MS (and Apple, I may add) would not use your email address as the login UID. That's 50% of the credentials exposed, right there.

      In addition, it would be so much better if Microsoft could actually stick to a standard instead of trying to "enhance" it, which generally results in weakening it as you cut off half a world of improvements to achieve lock-in. Let's take MS Authenticator, for instance. While the rest of the world ensures it's compatible with OATH's RFC 6238, Microsoft, of course, had to go a different route because God Help Us if anything outside the monopoly could ever integrate. That said, Apple has brewed its own as well, and it's quite annoying at times to be prompted on all devices at once, but at least that provides a degree of redundancy (and no, I am not going to store my passwords in an iCloud keychain, thanks. Not happening).

      With Apple I've had to change my login UID a few times until I got tired of f*ckwits trying to log in as me and locking up the account. I made an alias email address which instantly ended that problem as it's complex and never used for communication. I do this by default now for most logons I value.

      Adding 2FA is a good step, but it's rather important to note exactly what kind of 2FA you use. RFC 6238 compliant TOTP or FIDO compliant, fine. Just not this home-brew "trust us because we're big" rubbish, thanks, and certainly nothing that forces me into using one specific OS - do that, and you will lose me as a client overnight.

      1. YetAnotherXyzzy
        Pint

        Re: Even I...

        "I made an alias email address which instantly ended that problem as it's complex and never used for communication. I do this by default now for most logons I value."

        Excellent idea! Have a beer.

  3. A Non e-mouse Silver badge

    We've been forcing users onto MFA. As we do, we're finding the number of hacked accounts dropping. There are some who complain that it's too hard, too intrusive, etc., but the benefits are far outweighing the complainers.

    1. Khaptain Silver badge

      Exactly the same here, we had quite a few users complaining that it was not normal that they had to use their own phones for MS Authenticator...

      We offered them the alternative of using the company desktop phone which meant that they had to be physically on-site. It reduced the complaints to 0...

      And for once we are ready, we finished the last MFA activation last week :-)

      1. Anonymous Coward

        It reduced the complaints to 0...

        I'm not taking a position either way on MFA here, but it might be worth considering that "no complaints" is not the same as a lack of employee resentment. Still, I suppose at least that's not an IT problem!

        1. Anonymous Coward

          Re: It reduced the complaints to 0...

          For the BOFH, user resentment is actually a goal :)

      2. tiggity Silver badge

        @Khaptain

        Looks like a fuck the users approach

        Also assumes a user has a smartphone on which to run an authenticator.

        Some people have feature phones, not smart phones (or no mobile at all).

        Some may not use iPhones / Android (e.g. someone runs Sailfish, that tries to be compatible with android apps, but chance a given app e.g. the authenticator might not work)

        .. If the authenticator is for company use, I can see why employees were grumpy and wanted a company-provided bit of kit.

        And as most of the authenticators want a phone number, also assumes employer should have access to your mobile number .... personal data which you may want to keep private*

        Also as most MFA boil down to either a text or authenticator app on a phone, too often nicking a phone (quite easy) is a good help in a "keys to the kingdom" attack. With the victims phone in your hand, a bad actor is a big step closer to being able to wreak havoc.

        * My employer has my landline, they do not have my mobile number, very few people do (just close family & friends (does include a work colleague but I know she will not pass the number on**) )

        ** not a workplace relationship, just a colleague who has elevated themselves into "proper" friends circle rather than just acquaintances)

        1. Anonymous Coward

          Any MFA

          It does not have to be the actual user's MFA. Can be any MFA. So if they don't have a phone, elderly, still using pigeon post, etc then just set it up on your own phone for them. It is rare it is needed, and I guess you'd be the one setting up any new mailbox, etc for them anyway.

        2. Screepy

          @tiggity

          Although it does feel like a 'f the users' approach some orgs have no choice.

          In my org (+-3000 employees) we have to enable MFA, otherwise a good chunk of insurers won't even quote to insure us - others will, but at far higher (unaffordable in our case) rates.

          Moving across to MFA for us was pretty smooth. But it needed good clear communication to the user base and good clear training for the helpdesk who would answer the inevitable calls that would come through.

          If some users didn't want to use their own mobiles we provided a work one - not ideal as they then had to carry two mobiles (but their choice)

          We've been on MFA at our org for 4 years now, the user base is pretty comfortable with the concept by now and it hardly generates any noise on the helpdesk.

        3. Anonymous Coward

          Not always

          And as most of the authenticators want a phone number

          Step Two, OTP Auth, Authy, (Google) Authenticator (Google), Authenticator (not Google) and FreeOTP are all TOTP based 2FAs, and none of these have ever tried to get my phone number, not even the Google one.

      3. Anonymous Coward

        Requiring employees use their personal kit for MFA seems like a bad thing.

        Especially in the case of phones, where some employees would likely end up using that same device for both MFA as well as email reading under your scheme. Perhaps not entirely defeating the MFA concept (e.g. if the phone helpfully remembers the users password for them) but maybe not the best combination either.

        Maybe a better idea to provide a separate fob/key plugin gadget, at least as an option.

        At $WORK-1 IT complained and whinged about it ("it costs money!" and "people lose them!"), and defaulted to telling people "just use your phone app", but ultimately would go ahead with a separate auth gadget when pushback happened from people (and managers) who didn't want to use personal phones for corporate functions, MFA or otherwise.

    2. ThatOne Silver badge
      WTF?

      > We've been forcing users onto MFA.

      So if my smartphone is checking my mail (using K9 mail) every 10 minutes, I need to expect and enter somewhere an SMS every 10 minutes? In the streets, while shopping, at the dentist's?

      How is that supposed to work? Genuine question, so before you set your inner Hulk free, please be so kind (and patient) to explain.

      1. Screepy

        @ThatOne

        You can set your mail client not to ask each time. So on setup you obviously need to follow the MFA request, but you get the option to 'trust this device' so it won't prompt again until you reinstall the app or do anything else that will reset the MFA settings.

        If anyone else tries to log into your mail on another device they will obviously get a MFA prompt which will certainly make the baddie's lives more inconvenient.

        1. ThatOne Silver badge
          Thumb Up

          > the option to 'trust this device'

          I see. Thanks for taking the time to explain.

      2. A Non e-mouse Silver badge

        The basic way oauth works is that you first sign in to your email app and then you have to use MFA. Once you've signed in, your email app gets an authentication token from the authentication server. The email app then uses that authentication token whenever it needs to re-authenticate.

        The authentication tokens have a short lifetime and the email app can refresh its token without human intervention. Periodically, the authentication server can ask for the human again (password & MFA).

  4. Anonymous Coward

    So does this mean Everyone now has to use 2FA?

    Asking for a lazy friend - so does this mean everyone on M365 now has to use 2FA? Either register a mobile phone number or use an app?

    Or is this just "stop using IMAP"?

    I know of a few offices where only Outlook on the desktop is used. Do they all need to add mobile phone numbers or an Auth App even if it is only ever Outlook that logs in from the desktop?

    Some clients are easy to bump into more secure MFA - but some are just a pain to deal with....

    1. Missing Semicolon Silver badge

      Re: So does this mean Everyone now has to use 2FA?

      And now we come to the nub. No IMAP tied-into-Microsoft-clients only.

    2. Hawkeye Pierce

      Re: So does this mean Everyone now has to use 2FA?

      No it doesn't mean you have to use 2FA.

      Basic Auth is basically (pun intended) sending the username & password with every request.

      Alternatives to Basic Auth would include schemes such as OAuth, whereby a time-limited token is used once the username & password have been authenticated.
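An added example, not code from the article or from any commenter, illustrating Hawkeye Pierce's point that Basic Auth sends the username and password with every request and A Non e-mouse's earlier description of short-lived tokens refreshed without human intervention: it builds the SASL PLAIN string IMAP/SMTP Basic Auth puts on the wire, the SASL XOAUTH2 bearer string Modern Auth uses instead, and simulates a mail app that is prompted once at setup and then refreshes silently until its refresh token is revoked. The auth server, mail client, password "hunter2" and token values are constructed stand-ins, not Microsoft's implementation.

```python
import base64
from dataclasses import dataclass


def sasl_plain(user: str, password: str) -> str:
    """Basic Auth on IMAP/SMTP: SASL PLAIN (RFC 4616), base64("\\0user\\0password").
    The real password is on the wire for every session."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def sasl_xoauth2(user: str, access_token: str) -> str:
    """Modern Auth on IMAP/SMTP: SASL XOAUTH2 (used by Microsoft 365 and Gmail),
    base64("user=<addr>\\x01auth=Bearer <token>\\x01\\x01"). No password is sent."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def sasl_decode(initial_response: str) -> bytes:
    """What the server, or anyone holding a capture, sees after base64 decoding."""
    return base64.b64decode(initial_response)


@dataclass
class TokenSet:
    access_token: str
    expires_at: int          # constructed clock, in seconds
    refresh_token: str


class FakeAuthServer:
    """Constructed stand-in for the identity provider: checks password + MFA once,
    then hands out short-lived access tokens against a long-lived refresh token."""

    def __init__(self, lifetime: int = 3600):
        self.lifetime, self.revoked, self.issued = lifetime, set(), 0

    def interactive_login(self, user, password, mfa_passed, now) -> TokenSet:
        if password != "hunter2" or not mfa_passed:   # constructed credential check
            raise PermissionError("password or MFA failed")
        return self._issue(now, refresh_token=f"rt-{user}")

    def refresh(self, refresh_token, now) -> TokenSet:
        # Revoking the refresh token (admin action, password change) is the
        # lever that forces a stolen or stale device back to password + MFA.
        if refresh_token in self.revoked:
            raise PermissionError("refresh token revoked: interactive sign-in needed")
        return self._issue(now, refresh_token)

    def _issue(self, now, refresh_token) -> TokenSet:
        self.issued += 1
        return TokenSet(f"at-{self.issued}", now + self.lifetime, refresh_token)


class MailClient:
    """Mail app behaviour the thread describes: one interactive prompt at setup,
    then silent refreshes; a revoked refresh token forces the prompt again."""

    def __init__(self, user, server: FakeAuthServer):
        self.user, self.server, self.tokens, self.prompts = user, server, None, 0

    def sign_in(self, now, password, mfa_passed) -> None:
        self.tokens = self.server.interactive_login(self.user, password, mfa_passed, now)
        self.prompts += 1        # counted only when the human actually got through

    def session_auth(self, now) -> str:
        """SASL string sent when the app polls mail at constructed time `now`."""
        if self.tokens is None:
            raise PermissionError("not signed in")
        if now >= self.tokens.expires_at:
            self.tokens = self.server.refresh(self.tokens.refresh_token, now)
        return sasl_xoauth2(self.user, self.tokens.access_token)
```

Decoding the two strings side by side shows the practical difference: a captured PLAIN exchange yields the reusable password, while a captured XOAUTH2 exchange yields a token that expires and can be revoked server-side.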

    3. Jim Mitchell

      Re: So does this mean Everyone now has to use 2FA?

      "I know of a few offices where only Outlook on the desktop is used" The article says that Outlook Desktop is already using what MS describes as Modern Authentication methods. So you should be able to answer your own question.

      quote from article: "Since then, the software giant has moved a number of customer-facing applications, including Outlook Desktop and Outlook Mobile App, to Modern Auth via security updates."

      1. A Non e-mouse Silver badge

        Re: So does this mean Everyone now has to use 2FA?

        Be careful. Some older versions of Outlook don't support modern authentication by default and need a registry key to kick it into life. (But, to be honest, if you're using an Outlook that old...)

    4. EricB123 Bronze badge

      Re: So does this mean Everyone now has to use 2FA?

      Are you REALLY asking for a "lazy friend"?

      1. Anonymous Coward

        Re: So does this mean Everyone now has to use 2FA?

        > Are you REALLY asking for a "lazy friend"?

        Well, I was talking to myself and asking one of the other personalities if it is worth reading through all that MS BS that is full of TLAs and talking in circles... One of the commenters above has basically reassured me all is fine. Outlook on the desktop is all that is needed to deal with this. And mobile phones logging in via Exchange. I don't think anyone is still using Basic Auth anyway... I'm just trying to avoid more phone calls.

        I've already been going through most of my clients blocking IMAP and SMTP options manually. Been doing that for years. If I speed up on those blocks now it will soon make someone scream if they actually need it.

        I am working through most of my clients and scaring them into enabling MFA anyway. So I am not a total muppet. Just you know the hard to deal with users who it is a headache to explain why they need to bother... "but no one would want to hack my account". ARGH!

        1. Anonymous Coward

          Re: So does this mean Everyone now has to use 2FA?

          The impending move from MS to stop access via IMAP and SMTP was actually the last straw to make us move away from Exchange towards more Open Standards based facilities. If you make a lock-in so blatant that even the Board starts asking questions you've gone too far, and I am personally very happy about that.

  5. steviebuk Silver badge

    This will be fun

    We have a large section at work who we haven't moved over to MFA, all because the original head of service (quite rightly) wanted to get them using IT kit first. She knew if we turned MFA on for them they'd just find it so annoying they'd not use the kit. Passwords would be set for them and never handed over. But now we're gonna have to force MFA on for them. They've had enough time to get used to the kit but no doubt, some will still moan.

    1. Anonymous Coward

      Re: This will be fun

      I think you'll find that they are going to log into the web client and set up a forwarding rule, and then your MFA will be all for naught.

      1. Anonymous Coward

        Re: and set up a forwarding rule,

        This can, unfortunately, be removed as an option. :-(

        ... although presumably for the pro-MS admin types, this would instead be :-)

        :-/

    2. Anonymous Coward

      Re: This will be fun

      The resentment we saw from moves like this wasn't about MFA as a concept -- most people got it, understood the benefit, and eventually accepted the need even in the face of inconvenience.

      Rather, the problem was the Microsoft implementation, which was apparently proprietary and therefore effectively allowed only a Microsoft email client. So the Mac people couldn't use the Mac client anymore, and the Linux people were shut out entirely.

      IT claimed this wasn't their intent, but experience, further conversion projects, and history showed otherwise. IT is an all-Microsoft org, which you'd think would be unusual for a company with products based on Linux, but the company isn't unique in that regard. "IT is hard".

      1. Anonymous Coward

        Re: This will be fun

        If I remember well, the most difficult issue we had when switching to MFA a few years ago was with the Apple Mail client on iPhones: you basically had to fully reset the phone to be able to switch to MFA if the client was initially set up using Basic Auth...

        It was deemed far easier to convince first the users to use the Outlook app on their phone, and then switch the authentication method.

  6. karlkarl Silver badge

    If you use DavMail (http://davmail.sourceforge.net/), you can bridge between Microsoft's niche protocol and actual secure IMAP(s)/SMTP(s) standards.

    If many of you have this kind of bridge between your IRC client and crap like Discord/Slack, then you are likely already familiar with the concept.

  7. Anonymous Coward

    Pegasus email managed an OAuth workaround for Google's mail service. They hope to get a more technically complicated version working soon - if the Google certification hurdles stop moving..

    Having heard nothing from Namesco - who are my official email service supplier - I am not sure what will happen with their delegated O365 users like me.

  8. Anonymous Coward

    Anybody any idea what will happen with non-MS clients, like Thunderbird, Evolution (EWS), or simple *nix "You've got new mail" (most likely POP/ IMAP) notifier plug-ins?

    1. Anonymous Coward

      Assuming you're using a version that isn't more than 5 years old, it shouldn't affect you at all. You will enter your credentials into the app and the app will use them to authenticate with the Exchange server/O365 via a secure protocol (probably OAuth 2; a quick inspection of the settings shows that is what my Thunderbird is using to authenticate to O365). In fact it's probably already doing that unless you explicitly set it to use the BasicAuth mechanism.

      The first time you authenticate you get a browser popup to the O365 login portal asking you to log in, then asking you to confirm that you want to grant thunderbird access to your account. After that unless you cancel the OAuth token issued to thunderbird or delete it from thunderbird you will probably never see the login prompt again.

    2. Anonymous Coward

      I have spent the afternoon trying to work out how to configure my Pegasus email to meet the new MS 365 requirement. Total brick wall.

      The Gmail transition was fairly painless - but apparently was only an interim until (hopefully) v4.81 is fully certified by Google. However it looks likely that every email service will have its own arcane way of interpreting OAuth2. What happened to standards?

      I wondered why I hadn't seen any messages from anyone about the change. I have found that my O365 email licence was set up by Namesco so that they receive any admin messages from MS - not me as my email administrator. Presumably MS have been warning them that I still use IMAP for access.

      Not sure what the answer is going to be to continue using my own domain with multiple alias addresses. Looked at Thunderbird but it doesn't appeal to me from their promotional blurb (viz no apparent technical description).

      Unfortunately email access has now become an essential service for life in the UK. Have Microsoft effectively created a walled garden where you have to pay for their tools just to access your email subscription with them?

      1. Anonymous Coward

        Have Microsoft effectively created a walled garden where you have to pay for their tools just to access your email subscription with them?

        You say that as if that is news to you. They've been playing that game for literally decades, and don't let all the apparent 'playing nice with Linux' fool you into thinking that their end goal has somehow changed.

        Combine that with a basically horrific code quality and you see why you really, really don't want them to have a walled garden: the incentive would completely vanish to at least try to get some decent code out there (although, given the petabytes of updates and security fixes since Windows 3.1 I don't think they're even trying much right now).

        1. Anonymous Coward

          It was a case of a frog being slowly boiled. First Vodafone shafted us by removing our Demon email service. - and transferred us to Namesco. They seemed to have their own email service - but actually delegated us to the MS 365 licence at a price. Then Vodafone shafted us again by killing the Demon domain completely - and Namesco picked up the business of us needing our own domains.

          Since then the annual charges for both have kept escalating. My IT bill keeps increasing every year to be a substantial part of my utility costs (Yes - I know electricity & gas will leapfrog that this year).

          At least A&A have maintained their price for my broadband for several years - even though they must start to feel inflationary pain soon.

          1. Anonymous Coward

            Comms suppliers' price increases above inflation giving a windfall

            Some UK comms suppliers apparently raise their prices each year by the inflation rate plus a few percent more. See this Guardian article.

    3. Cheshire Cat

      Thunderbird and Evolution both have plugins to support EWS protocol. Evolution-ews is free, but Thunderbird will set you back E10/y IIRC.

  9. Anonymous Coward

    The big plot behind it ..

    .. is, of course, that now Microsoft is in charge of your credentials. Not only does that offer excellent license fee blackmail opportunities, it also makes it easier for them to comply with the US Cloud Act 2018 they helped into existence to legalise their activities - after all, they have their hands on your keys to knowledge, IP, secrets - you name it. BTW, through a combination of their (IMHO plain illegal) telemetry and the proxy authentication requests they get via URLdefense and other fun data taps they also know what you have been up to online in likely more detail than even Google. Add to that monopoly lock-in attempt v2 (aka the recent Azure restrictions) and you can see that all the fines and convictions did not change the spots on this diseases leopard in any meaningful manner.

    We're having a fun session in a well known company later where we will show their upper management what they got themselves into. To avoid the usual excuse of "improvements" and "updates" since the issues we'll show were observed (aka "better camouflaged") we will do all of it live.

    If there was ever a time to abandon Microsoft it's now.

    1. Strahd Ivarius Silver badge
      Trollface

      Re: The big plot behind it ..

      MS / Google / Apple telemetry is fully legal, it has been authorized by the NSA (and they get a copy)

  10. Strahd Ivarius Silver badge
    Devil

    Switch off BasicAuth immediately

    and allow users complain by mail only

  11. keith_w

    Scan to Email

    We just got finished setting up a printer to do scan to email using SMTP. Am I going to have to get it a smart phone to MFA to?

    1. Anonymous Coward

      Re: Am I going to have to get it a smart phone to MFA to?

      I'm getting my MS mfa via an sms'ed code sent to a dumb phone, so it seems that a smartphone is not always required (although perhaps it would be shinier and more fun? :-)

  12. Anonymous Coward

    It could be worse ..

    You could work in federal government where you haven't even started offloading legacy auth .. and are too big to do it quickly ..

    "You! Yes, You, malcontent! Get in the queue! Don't push in, you will all get your turn"

  13. daneriksson

    Legacy equipment

    Hi,

    Anyone know if it's possible to keep basic auth for certain devices? We have a case with old screens for booking conference rooms that only support basic auth. I read somewhere that you could prolong basic auth for this year, but we need it longer if possible for these particular accounts.

    1. Anonymous Coward

      Re: Legacy equipment

      User KarlKarl posted a link to DavMail earlier. This link will take you to KarlKarl's posting. https://forums.theregister.com/forum/all/2022/09/05/microsoft_basic_auth_deadline/#c_4526100

      I looked at DavMail as a gateway that would possibly do the job - but it looked like it might not be easy to get it running.

      1. Anonymous Coward

        Re: Legacy equipment

        Yeah, it does look a bit non-trivial to configure. Also, at least on Slackware, the slackbuilds.org version seems to require a particular version of java, and having multiple java versions on a system has never played out well for me (since other java reliant things can also be picky about versions, and the versions required are - inevitably - all different).
