
Microsoft acted too late on major security threat, Okta exec says

Image Credit: Getty Images



Microsoft’s plan to disable a highly insecure form of identity authentication later this year will give a major boost for cybersecurity efforts, but is also long overdue, according to an executive at Okta.

For some older Office 365 accounts, what’s known as “basic authentication” is the only option supported for log-in. Accounts with basic authentication, or “basic auth,” can only be secured with a standard username and password. This means that such accounts do not support multi-factor authentication (MFA) — which is considered a far more secure method.

Because basic auth accounts don’t support MFA, attackers heavily target the accounts — including with tactics such as password spraying that aim to compromise a weakly secured account, research from both Microsoft and Okta has found.

Microsoft has pledged to disable basic authentication, sometimes referred to as legacy authentication, in October (printers are exempt).


It’s a welcome move, and also very late, according to Marc Rogers, executive director of cybersecurity at Okta — the provider of a fast-growing identity and access management platform that integrates with most Microsoft products.

‘It’s bad’

Ultimately, Microsoft’s reluctance to act sooner on eliminating legacy identity authentication has allowed a major security risk to persist far longer than it should have, Rogers said.

“It’s bad that it’s taken this long to move on it,” he said in an interview with VentureBeat. “We’ve known that legacy authentication has been risky for well over a decade. It was only 2018 that Microsoft really put pressure on and said, ‘We’re going to do something about it.’”

Microsoft declined to comment for this article.

Calling identity the “new battleground” in cybersecurity, Microsoft indicated in its own report this month that it’s making an all-out push to accelerate adoption of MFA for Azure Active Directory and Office 365 account holders. MFA continues to have modest adoption, despite the proven effectiveness of requiring multiple forms of authentication at log-in.

As an example, Microsoft reported last month that it had uncovered a major new phishing campaign that used a novel tactic, device registration — but it was mainly successful in cases where MFA was not being used to secure accounts. MFA “foiled the campaign for most targets,” Microsoft said in a post. “For organizations that did not have MFA enabled, however, the attack progressed.”

Basic auth still ‘pervasive’

Microsoft declined to provide details on the number of basic authentication accounts that are actively in use currently. However, basic auth continues to be “pervasive enough that we still see large volumes of requests going through it,” Rogers said.

In its 2018 announcement, Microsoft said that it would disable basic auth in October 2020. But the end date has been postponed twice due to the pandemic, and is now scheduled for October 2022.

Rogers said he doesn’t blame Microsoft for the pandemic-related delays in phasing out basic authentication. “But if they had moved faster before, then we wouldn’t be in the situation,” he said.

An Okta report last month found that Office 365 accounts with basic auth are 10 times more likely to be targeted by attackers than accounts with modern authentication that supports MFA. For each legitimate log-in attempt to a basic auth account, there are on average 53 malicious log-in attempts, Okta found.

In other words, “you are far more likely to be attacked if you’ve got legacy authentication,” Rogers said.

For government and education, the ratio is even higher, Okta found. Those customers are seeing 104 malicious log-in attempts and 65 malicious log-in attempts, respectively, for every legitimate log-in attempt to a basic auth account.

Microsoft itself has provided a number of statistics showing the dangers of basic authentication. Based on an analysis of Azure Active Directory accounts, 99% of password spray attacks and 97% of credential stuffing attacks target basic auth accounts, according to the Microsoft data. Virtually none of these attacks are targeting accounts that support MFA.

For organizations that have disabled basic auth altogether, Azure AD accounts see 67% fewer compromises, Microsoft said.

Making the transition

Rogers said the release of these statistics shows that Microsoft is “starting to produce some solid material about how risky legacy auth is.”

“But why has it taken them this long to start pushing those messages?” he said.

Going forward, “we need to keep pushing those messages further — because in some cases, there are going to be organizations that haven’t heard the message,” Rogers said.

“Messaging is probably one of the most important things [Microsoft] can do. And direct support to the organizations that are [still on basic auth],” he said.

“They know who is using legacy authentication, because they control the endpoints that are being authenticated against,” Rogers said. “So they need to work hard to push out the messaging that this needs to be migrated away from. If necessary, they need to make it as cheap as possible for organizations to do that.”

For organizations that need to migrate off of basic authentication, Rogers provided details on the key steps for the transition. He provided the following to VentureBeat:

· Audit your logs for use of legacy authentication

· Assess what software apps or Outlook plug-ins, etc., are authenticating using legacy protocols. If those apps don’t support modern authentication, look for alternatives. In most cases, you’ll find there is a modern, OAuth2-compatible alternative app to migrate users to. (This is the part of the remediation that tends to take the most time, so it’s best to start here.)

· Determine future access policies for your users’ mail clients. If your organization is going to continue to allow access from unmanaged devices, decide which apps the IT team will support and tailor your advice to users accordingly.

· Configure factors (MFA) in preparation for accepting only modern authentication.

· Spin up your change management: Let users know what apps will be supported once you switch over, and prepare them for a slightly different authentication experience when they access their Exchange Online mailbox (a browser-based login screen will appear).

· Enable Modern Authentication in Exchange Online.

· Explicitly deny Legacy Authentication in all policies. If there are some apps/clients you have been unable to remediate before the cutover, create temporary exemptions that filter on user agent and location. The project doesn’t end until this list is whittled down to zero!

· This doesn’t have to be a costly exercise. It just requires commitment and time.
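The first and last of Rogers’ steps (audit the logs, then deny legacy authentication with a shrinking list of temporary exemptions) can be sketched as a small script. The following is an added illustration, not code from Okta, Rogers or Microsoft: it reads a constructed JSON-lines sign-in export, tallies which users and client apps still rely on legacy protocols, and applies a deny-by-default policy with exemptions keyed on user agent and location. The set of legacy client-app names, the log field names and the exemption rules are assumptions for the example and should be checked against your own tenant’s export.

```python
import json
from collections import Counter, defaultdict

# Values the sign-in log reports in "clientAppUsed" for legacy protocols.
# This set is an assumption for the example; verify it against your own export.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Exchange ActiveSync", "Exchange Web Services",
    "IMAP4", "POP3", "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample export (JSON lines); not real tenant data.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "userAgent": "Mozilla/5.0", "location": "US", "status": "success"}
{"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4", "userAgent": "Thunderbird/91.0", "location": "US", "status": "success"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP", "userAgent": "LegacyScanner/1.0", "location": "US", "status": "success"}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "POP3", "userAgent": "unknown", "location": "RU", "status": "failure"}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Outlook/16.0", "location": "US", "status": "success"}
{"userPrincipalName": "svc-printer@example.com", "clientAppUsed": "Authenticated SMTP", "userAgent": "LegacyScanner/1.0", "location": "US", "status": "success"}
"""

# Temporary exemptions for clients not yet remediated: each names a user-agent
# prefix and the locations it may sign in from. Hypothetical rule for the example.
TEMP_EXEMPTIONS = [
    {"name": "multifunction-printers", "user_agent_prefix": "LegacyScanner/", "locations": {"US"}},
]


def parse_signins(text):
    """Parse a JSON-lines sign-in export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_legacy(event):
    """True when the client app used is one of the legacy protocols."""
    return event.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_usage(events):
    """Audit step: which users and client apps still authenticate with legacy protocols."""
    usage = defaultdict(Counter)
    for e in events:
        if is_legacy(e):
            usage[e["userPrincipalName"]][e["clientAppUsed"]] += 1
    return {user: dict(counts) for user, counts in usage.items()}


def matching_exemption(event, exemptions):
    """Return the name of the first exemption covering this event, or None."""
    for rule in exemptions:
        if (event.get("userAgent", "").startswith(rule["user_agent_prefix"])
                and event.get("location") in rule["locations"]):
            return rule["name"]
    return None


def decide(event, exemptions):
    """Cutover policy: deny legacy auth unless a temporary exemption matches."""
    if not is_legacy(event):
        return "allow"
    name = matching_exemption(event, exemptions)
    return f"allow-exempt:{name}" if name else "block"


def exemption_report(events, exemptions):
    """The list to whittle down to zero: which exemptions are still being relied upon."""
    report = Counter()
    for e in events:
        decision = decide(e, exemptions)
        if decision.startswith("allow-exempt:"):
            report[decision.split(":", 1)[1]] += 1
    return dict(report)


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    print("legacy usage by user:", legacy_usage(evs))
    for e in evs:
        print(e["userPrincipalName"], e["clientAppUsed"], "->", decide(e, TEMP_EXEMPTIONS))
    print("exemptions still in use:", exemption_report(evs, TEMP_EXEMPTIONS))
```

Run against the sample, the audit flags Alice’s IMAP client and Bob’s POP3 and SMTP use, the policy blocks every legacy sign-in except the two that match the printer exemption, and the final report shows that one exemption is still carrying traffic, which is the list that has to reach zero before the project is done.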
