Cloud providers moving to ban basic authentication

Basic Authentication

Basic authentication has been the first line of cyber defense for decades. For many individuals and companies, it’s been the only line of defense (probably for too long, honestly). Despite the warnings of countless IT and cybersecurity experts (including us), too many companies still rely exclusively on on basic authentication to protect their IT infrastructure, corporate IP, etc. To that end, Microsoft and other cloud services providers are about to (or already did, in the case of Microsoft) ban basic authentication for enterprise clients.

Here’s what you need to know.

Basic authentication becomes mandatory MFA

On Oct. 1, Microsoft removed the ability to “use basic authentication for its Exchange Online service … requiring that its customers use token-based authentication instead,” Robert Lemos with Dark Reading wrote. “Google meanwhile has auto-enrolled 150 million people in its two-step verification process, and online cloud provider Rackspace plans to turn off cleartext email protocols by the end of the year.”

Major IT infrastructure providers are forcing companies’ hands into embracing token-based or multi-factor authentication. This is certainly for the better when it comes to cyberdefense, even if it can be a little annoying for companies.

Why this shift is happening

Most of the companies we work with can’t exist without access to cloud services — too much of the way modern companies operate rely on cloud access. Furthermore, our clients have been counseled consistently about the importance of complex basic authentication plus multi-factor authentication methods… which means the shift hasn’t impacted a ton of our partners. But a lot of companies (namely, those that don’t yet work with us) have to be prodded into modern defensive postures, and companies like Microsoft are increasingly willing to do just that because identity-related breaches are rapidly intensifying. In 2022, 84% of companies suffered an identity-related breach, up from 79% in the previous two years, according to the Identity Defined Security Alliance‘s “2022 Trends in Securing Digital Identities” report.

Turning off cloud access via basic authentication is one of the simplest ways to block attackers. Cyber attacks are increasingly relying on  credential stuffing and other mass access attempts as step one to compromising victims. To that end, enterprises relying on weaker authentication methods are leaving themselves open to intrusions from credential theft via phishing, abuse of reused passwords, brute-force attacks, and hijacked sessions.

The results of some of this prodding? Google found that auto-enrolling people in its two-step verification process resulted in a 50% decrease in account compromises. Nearly half the companies that suffered a breach (43%) said that if they had had multifactor authentication, it probably could have stopped the attackers according to the IDSA’s “2022 Trends in Securing Digital Identities” report.

Obstacles still remain

There isn’t a major cloud provider that doesn’t offer multifactor authentication over secure channels and/or using secure tokens (like OAuth 2.0). Opting into these features may be relatively simple in theory, but managing secure access can lead to an increase in work for respective IT departments. Your business needs to be ready for that increase (/that’s where we come in!).

For so many small and medium-sized businesses, implementing or managing a zero-trust architecture can feel pretty daunting. We’re experts in conceptualizing, designing, implementing and managing cybersecurity protocols to keep your business, its data and your bottom line safe. Give us a call today to see how we can help your business stay protected.