back to article Microsoft: The deadline to get off Basic Auth is approaching

Don't say you weren't warned. Three years ago, Microsoft announced that it was going to start weaning its software offerings off Basic Authentication for more modern and secure user authentication methods. Since then, the software giant has moved a number of customer-facing applications, including Outlook Desktop and Outlook …

  1. Psy-Q

    I wish they wouldn't call it basic auth when it has nothing to do with HTTP basic auth.

    1. Anonymous Coward
      Anonymous Coward

      Thanks, I couldn't make sense of the article.

      1. Strahd Ivarius Silver badge

        don't forget Visual Basic Auth available in Excel macros

  2. Joe W Silver badge

    Even I...

    ... don't fault MS. This time.

    Seriously. While I did not see the blog entries and all the other suff, my Outlook mail account (from when I had a windows phone, which I still miss) did complain when installing a new machine (and cell phone app). The (non-MS) mail readers did offer me a quick new setup, and it just... works. Good job everyone (also the programmers for the email software), have one!

    1. Anonymous Coward
      Anonymous Coward

      Re: Even I...

      It would be half as bad if MS (and Apple, I may add) would not use your email address as the login UID. That's 50% of the credentials exposed, right there.

      In addition, it would be so much better if Microsoft could actually stick to a standard instead of trying to "enhance" it which generally results in weakening it as you cut off half a world of improvements to achieve lock in. Let's take MS Authenticator, for instance. While the rest of the world ensures it's compatible with OATH's RFC 6238, Microsoft, of course, had to go a different route because God Help Us if anything outside the monopoly could ever integrate. That said, Apple has brewed its own as well, and it's quite annoying at time to be prompted on all devices at once, but at least that provides a degree of redundancy (and no, I am not going to store my passwords in an iCloud keychain, thanks. Not happening).

      WIth Apple I've had to change my login UID a few times until I got tired of f*ckwits trying to log in as me and locking up the account. I made an alias email address which instantly ended that problem as it's complex and never used for communication. I do this by default now for most logons I value.

      Adding 2FA is a good step, but it's rather important to note exactly what kind of 2FA you use. RFC 6238 compliant TOTP or FIDO compliant, fine. Just not this home-brew "trust us because we're big" rubbish, thanks, and certainly nothing that forces me into using one specific OS - do that, and you will lose me as a client overnight.

      1. YetAnotherXyzzy

        Re: Even I...

        "I made an alias email address which instantly ended that problem as it's complex and never used for communication. I do this by default now for most logons I value."

        Excellent idea! Have a beer.

  3. A Non e-mouse Silver badge

    We've been forcing users onto MFA. As we do, we're finding the number of hacked accounts dropping. There are some who complain that it's too hard, too intrusive, etc, but the benefits are far outwaying the complainers.

    1. Khaptain Silver badge

      Exactlly the same here, we had quite a few users complaining that it was not normal that they had to use their own phones for MS Authenticator...

      We offered them the alternative of using the company desktop phone which meant that they had to be physically on-site. It reduced the complaints to 0...

      And for once we are ready, we finished the last MFA activation last week :-)

      1. Anonymous Coward
        Anonymous Coward

        It reduced the complaints to 0...

        I'm not taking a position either way on MFA here, but it might be worth considering that "no complaints" is not the same as a lack of employee resentment. Still, I suppose at least that's not an IT problem!

        1. Anonymous Coward
          Anonymous Coward

          Re: It reduced the complaints to 0...

          For the BOFH, user resentment is actually a goal :)

      2. tiggity Silver badge


        Looks like a fuck the users approach

        Also assumes a user has a smartphone on which to run an authenticator.

        Some people have feature phones, not smart phones (or no mobile at all).

        Some may not use iPhones / Android (e.g. someone runs Sailfish, that tries to be compatible with android apps, but chance a given app e.g. the authenticator might not work)

        .. If authenticator for company use I can see why employees were grumpy and wanted a company provided bit of kit.

        And as most of the authenticators want a phone number, also assumes employer should have access to your mobile number .... personal data which you may want to keep private*

        Also as most MFA boil down to either a text or authenticator app on a phone, too often nicking a phone (quite easy) is a good help in a "keys to the kingdom" attack. With the victims phone in your hand, a bad actor is a big step closer to being able to wreak havoc.

        * My employer has my landline, they do not have my mobile number, very few people do (just close family & friends (does include a work colleague but I know she will not pass the number on**) )

        ** not a workplace relationship, just a colleague who has elevated themselves into "proper" friends circle rather than just acquaintances)

        1. Anonymous Coward
          Anonymous Coward

          Any MFA

          It does not have to be the actual user's MFA. Can be any MFA. So if they don't have a phone, elderly, still using pigeon post, etc then just set it up on your own phone for them. It is rare it is needed, and I guess you'd be the one setting up any new mailbox, etc for them anyway.

        2. Screepy


          Although it does feel like a 'f the users' approach some orgs have no choice.

          In my org (+-3000) employees we have to enable MFA otherwise a good chunk of insurers won't even quote to insure us - others will, but at far higher (unaffordable in our case) rates.

          Moving across to MFA for us was pretty smooth. But it needed good clear communication to the user base and good clear training for the helpdesk who would answer the inevitable calls that would come through.

          If some users didn't want to use their own mobiles we provided a work one - not ideal as they then had to carry two mobiles (but their choice)

          We've been on MFA at our org for 4 years now, the user base is pretty comfortable with the concept by now and it hardly generates any noise on the helpdesk.

        3. Anonymous Coward
          Anonymous Coward

          Not always

          And as most of the authenticators want a phone number

          Step Two, OTP Auth, Authy, (Google) Authenticator (Google), Authenticator (not Google) and FreeOTP are all TOTP based 2FAs, and none of these have ever tried to get my phone number, not even the Google one.

      3. Anonymous Coward
        Anonymous Coward

        Requiring employees use their personal kit for MFA seems like a bad thing.

        Especially in the case of phones, where some employees would likely end up using that same device for both MFA as well as email reading under your scheme. Perhaps not entirely defeating the MFA concept (e.g. if the phone helpfully remembers the users password for them) but maybe not the best combination either.

        Maybe a better idea to provide a separate fob/key plugin gadget, at least as an option.

        At $WORK-1 IT complained and whinged about it ("it costs money!" and "people lose them!"), and defaulted to telling people "just use your phone app", but ultimately would go ahead with a separate auth gadget when pushback happened from people (and managers) who didn't want to use personal phones for corporate functions, MFA or otherwise.

    2. ThatOne Silver badge

      > We've been forcing users onto MFA.

      So if my smartphone is checking my mail (using K9 mail) every 10 minutes, I need to expect and enter somewhere a SMS every 10 minutes? In the streets, while shopping, at the dentist's?

      How is that supposed to work? Genuine question, so before you set your inner Hulk free, please be so kind (and patient) to explain.

      1. Screepy


        You can set your mail client not too ask each time. So on setup you obviously need to follow the MFA request, but you get the option to 'trust this device' so it won't prompt again until you reinstall the app or do anything else that will reset the MFA settings.

        If anyone else tries to log into your mail on another device they will obviously get a MFA prompt which will certainly make the baddie's lives more inconvenient.

        1. ThatOne Silver badge
          Thumb Up

          > the option to 'trust this device'

          I see. Thanks for taking the time to explain.

      2. A Non e-mouse Silver badge

        The basic way oauth works is that you first sign in to your email app and then you have to use MFA. Once you've signed in, your email app gets an authentication token from the authentication server. The email app then uses that authentication token whenever it needs to re-authenticate.

        The authentication tokens have a short lifetime and the email app can refresh its token without human intervention. Peridoically, the authentication server can ask for the human again (password & MFA)

  4. Anonymous Coward
    Anonymous Coward

    So does this mean Everyone now has to use 2FA?

    Asking for a lazy friend - so does this mean everyone on M365 now has to use 2FA? Either register a mobile phone number or use an app?

    Or is this just "stop using IMAP"?

    I know of a few offices where only Outlook on the desktop is used. Do they all need to add mobile phone numbers or an Auth App even if it is only ever Outlook that logs in from the desktop?

    Some clients are easy to bump into more secure MFA - but some are just a pain to deal with....

    1. Missing Semicolon Silver badge

      Re: So does this mean Everyone now has to use 2FA?

      And now we come to the nub. No IMAP tied-into-Microsoft-clients only.

    2. Hawkeye Pierce

      Re: So does this mean Everyone now has to use 2FA?

      No it doesn't mean you have to use 2FA.

      Basic Auth is basically (pun intended) sending the username & password with every request.

      Alternatives to Basic Auth would include schemes such as OAuth whereby a tme-limited token is used once the username & password have been authenticated.

    3. Jim Mitchell

      Re: So does this mean Everyone now has to use 2FA?

      "I know of a few offices where only Outlook on the desktop is used" The article says that Outlook Desktop is already using what MS describes as Modern Authentication methods. So you should be able to answer your own question.

      quote from article: "Since then, the software giant has moved a number of customer-facing applications, including Outlook Desktop and Outlook Mobile App, to Modern Auth via security updates."

      1. A Non e-mouse Silver badge

        Re: So does this mean Everyone now has to use 2FA?

        Be careful. Some older versions of Outlook don't support modern authentication by default and need a registry key to kick it into life. (But, to be honest, if you're using an Outlook that old...)

    4. EricB123 Bronze badge

      Re: So does this mean Everyone now has to use 2FA?

      Are you REALLY asking for a "lazy friend"?

      1. Anonymous Coward
        Anonymous Coward

        Re: So does this mean Everyone now has to use 2FA?

        > Are you REALLY asking for a "lazy friend"?

        Well, I was talking to myself and asking one of the other personalities if it is worth reading through all that MS BS that is full of TLAs and talking in circles... One of the commenters above has basically reassured me all is fine. Outlook on the desktop is all that is needed to deal with this. And mobile phones logging in via Exchange. I don't think anyone is still using Basic Auth anyway... I'm just trying to avoid more phone calls.

        I've already been going through most of my clients blocking IMAP and SMTP options manually. Been doing that for years. If I speed up on those blocks now it will soon make someone scream if they actually need it.

        I am working through most of my clients and scaring them into enabling MFA anyway. So I am not a total muppet. Just you know the hard to deal with users who it is a headache to explain why they need to bother... "but no one would want to hack my account". ARGH!

        1. Anonymous Coward
          Anonymous Coward

          Re: So does this mean Everyone now has to use 2FA?

          The impending move from MS to stop access via IMAP and SMTP was actually the last straw to make us move away from Exchange towards more Open Standards based facilities. If you make a lock-in so blatant that even the Board starts asking questions you've gone too far, and I am personally very happy about that.

  5. steviebuk Silver badge

    This will be fun

    We have a large section at work who we haven't moved over to MFA all because the original head of service (quite rightly) wanted to get them using IT kit first. She new if we turned MFA on for them they'd just find it so annoying they'd not use the kit. Passwords would be set for them and never handed over. But now we're gonna have to force MFA on for them. They've had enough time to get use to the kit but no doubt, some will still moan.

    1. Anonymous Coward
      Anonymous Coward

      Re: This will be fun

      I think you'll find that they are going to log into the web client and set up a forwarding rule, and then your MFA will be all for naught.

      1. Anonymous Coward
        Anonymous Coward

        Re: and set up a forwarding rule,

        This can, unfortunately, be removed as an option. :-(

        ... athough presumably for the pro-MS admin types, this would instead be :-)


    2. Anonymous Coward
      Anonymous Coward

      Re: This will be fun

      The resentment we saw from moves like this wasn't about MFA as a concept -- most people got it, understood the benefit, and eventually accepted the need even in the face of inconvenience.

      Rather, the problem was the Microsoft implementation, which was apparently proprietary and therefore effectively allowed only a Microsoft email client. So the Mac people couldn't use the Mac client anymore, and the Linux people were shut out entirely.

      IT claimed this wasn't their intent, but experience, further conversion projects, and history showed otherwise. IT is an all-Microsoft org, which you'd think would be unusual for a company with products based on Linux, but the company isn't unique in that regard. "IT is hard".

      1. Anonymous Coward
        Anonymous Coward

        Re: This will be fun

        If I remember well, the most difficult issue we had when switching to MFA a few years ago was with the Apple Mail client on iPhones: you had basically to fully reset the phone to be able to switch to MFA if the client was initially setup using Basic Auth...

        It was deemed far easier to convince first the users to use the Outlook app on their phone, and then switch the authentication method.

  6. karlkarl Silver badge

    If you use DavMail (, you can bridge between Microsoft's niche protocol and actual secure IMAP(s)/SMTP(s) standards.

    If many of you have this kind of bridge between your IRC client and crap like Discord/Slack, then you are likely already familiar with the concept.

  7. Anonymous Coward
    Anonymous Coward

    Pegasus email managed an Oauth workround for Google's mail service. They hope to get a more technically complicated version working soon - if the Google certification hurdles stop moving..

    Having heard nothing from Namesco - who are my official email service supplier - I am not sure what will happen with their delegated O365 users like me.

  8. Anonymous Coward
    Anonymous Coward

    Anybody any idea what will happen with non-MS clients, like Thunderbird, Evolution (EWS), or simple *nix "You've got new mail" (most likely POP/ IMAP) notifier plug-ins?

    1. Anonymous Coward
      Anonymous Coward

      Assuming your using a version that isn't more than 5 years old, it shouldn't affect you at all. You will enter your credentials into the app and the app will use them to authenticate with the exchange server/O365 via a secure protocol (probably OAuth 2, a quick inspection of the settings shows that is what my thunderbird is using to authenticate to O365). In fact its probably already doing that unless you explicitly set it to use the BasicAuth mechanism.

      The first time you authenticate you get a browser popup to the O365 login portal asking you to log in, then asking you to confirm that you want to grant thunderbird access to your account. After that unless you cancel the OAuth token issued to thunderbird or delete it from thunderbird you will probably never see the login prompt again.

    2. Anonymous Coward
      Anonymous Coward

      I have spent the afternoon trying to work out how to configure my Pegasus email to meet the new MS 365 requirement. Total brick wall.

      The Gmail transition was fairly painless - but apparently was only an interim until (hopefully) v4.81 is fully certified by Google. However it looks likely that every email service will have its own arcane way of interpreting OAuth2. What happened to standards?

      I wondered why I hadn't seen any messages from anyone about the change. I have found that my O365 email licence was set up by Namesco so that they receive any admin messages from MS - not me as my email administrator. Presumably MS have been warning them that I still use IMAP for access.

      Not sure what the answer is going to be to continue using my own domain with multiple alias addresses. Looked at Thunderbird but it doesn't appeal to me from their promotional blurb (viz no apparent technical description).

      Unfortunately email access has now become an essential service for life in the UK. Have Microsoft effectively created a walled garden where you have to pay for their tools just to access your email subscription with them?

      1. Anonymous Coward
        Anonymous Coward

        Have Microsoft effectively created a walled garden where you have to pay for their tools just to access your email subscription with them?

        You say that as if that is news to you. They've been playing that game for literally decades, and don't let all the apparent 'playing nice with Linux' fool you into thinking that their end goal has somehow changed.

        Combine that with a basically horrific code quality and you see why you really, really don't want them to have a walled garden: the incentive would completely vanish to at least try to get some decent code out there (although, given the petabytes of updates and security fixes since Windows 3.1 I don't think they're even trying much right now).

        1. Anonymous Coward
          Anonymous Coward

          It was a case of a frog being slowly boiled. First Vodafone shafted us by removing our Demon email service. - and transferred us to Namesco. They seemed to have their own email service - but actually delegated us to the MS 365 licence at a price. Then Vodafone shafted us again by killing the Demon domain completely - and Namesco picked up the business of us needing our own domains.

          Since then the annual charges for both have kept escalating. My IT bill keeps increasing every year to be a substantial part of my utility costs (Yes - I know electricity & gas will leapfrog that this year).

          At least A&A have maintained their price for my broadband for several years - even though they must start to feel inflationary pain soon.

          1. Anonymous Coward
            Anonymous Coward

            Comms suppliers' price increases above inflation giving a windfall

            Some UK comms suppliers apparently raise their prices each year by the inflation rate plus a few percent more. See this Guardian article.

    3. Cheshire Cat

      Thunderbird and Evolution both have plugins to support EWS protocol. Evolution-ews is free, but Thunderbird will set you back E10/y IIRC.

  9. Anonymous Coward
    Anonymous Coward

    The big plot behind it ..

    .. is, of course, that now Microsoft is in charge of your credentials. Not only does that offer excellent license fee blackmail opportunities, it also makes it easier for them to comply with the US Cloud Act 2018 they helped into existence to legalise their activities - after all, they have their hands on your keys to knowledge, IP, secrets - you name it. BTW, through a combination of their (IMHO plain illegal) telemetry and the proxy authentication requests they get via URLdefense and other fun data taps they also know what you have been up to online in likely more detail than even Google. Add to that monopoly lock-in attempt v2 (aka the recent Azure restrictions) and you can see that all the fines and convictions did not change the spots on this diseases leopard in any meaningful manner.

    We're having a fun session in a well known company later where we will show their upper management what they got themselves into. To avoid the usual excuse of "improvements" and "updates" since the issues we'll show were observed (aka "better camouflaged") we will do all of it live.

    If there was ever a time to abandon Microsoft it's now.

    1. Strahd Ivarius Silver badge

      Re: The big plot behind it ..

      MS / Google / Apple telemetry is fully legal, it has been authorized by the NSA (and they get a copy)

  10. Strahd Ivarius Silver badge

    Switch off BasicAuth immediately

    and allow users complain by mail only

  11. keith_w

    Scan to Email

    We just got finished setting up a printer to do scan to email using SMTP. Am I going to have to get it a smart phone to MFA to?

    1. Anonymous Coward
      Anonymous Coward

      Re: Am I going to have to get it a smart phone to MFA to?

      I'm getting my MS mfa via an sms'ed code sent to a dumb phone, so it seems that a smartphone is not always required (although perhaps it would be shinier and more fun? :-)

  12. Anonymous Coward
    Anonymous Coward

    It could be worse ..

    You could work in federal government where you havent even started offloading legacy auth .. and are too big to do it quickly ..

    "You! Yes, You, malcontent! Get in the queue! dont push in, you will all get your turn"

  13. daneriksson

    Legacy equipment


    Anyone knows if there´s possible to keep basic auth for certain devices? We have a case with old screens for booking conference rooms that only supports basic auth. I read somewhere that you could prolong basic auth for this year but we need it longer if possible for this particular accounts

    1. Anonymous Coward
      Anonymous Coward

      Re: Legacy equipment

      User KarlKarl posted a link to DavMail earlier. This link will take you to KarlKarl's posting.

      I looked at DavMail as a gateway that would possibly do the job - but it looked like it might not be easy to get it running.

      1. Anonymous Coward
        Anonymous Coward

        Re: Legacy equipment

        Yeah, it does look a bit non-trivial to configure. Also, at least on Slackware, the version seems to require a particular version of java, and having multiple java versions on a system has never played out well for me (since other java reliant things can also be picky about versions, and the versions required are - inevitably - all different).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like