End of Basic Authentication and Migration to Modern Authentication for Exchange Online
Pages 32 - 35
Abstract
At Kyushu University, Information Infrastructure Initiative provides an email service named "Primary Mail Service" for students and staff members with Microsoft Office 365 Exchange Online. On September 20th, 2019, Microsoft announced the end of support for Basic Authentication for Exchange Online, which is considered vulnerable to identity leakages such as phishing and malware attacks. Microsoft would require users to use Modern Authentication such as Exchange protocol or OAuth 2.0 authorization with IMAP, POP, and SMTP. Historically we had instructed our users to use IMAP or POP and SMTP protocols for their email applications, including Microsoft Outlook and Mozilla Thunderbird, so disabling Basic Authentication would significantly impact our user population. In September 2021, Microsoft announced the end of September 2022 as the hard deadline for disabling Basic Authentication. Based on available information, we prepared migration documents from Basic Authentication to Modern Authentication and started to notify users to abandon Basic Authentication. Sending messages to users did not seem to be effective after a couple of notifications, so we tried to temporarily disable Basic Authentication to realize the remaining users through authentication failures. In this paper, we would like to share our experiences about the effect of retiring Basic Authentication for Exchange Online on our service and users.
References
[1]
Dick Hardt. 2012. The OAuth 2.0 Authorization Framework. RFC 6749. https://doi.org/10.17487/RFC6749
[2]
Michael Jones and Dick Hardt. 2012. The OAuth 2.0 Authorization Framework: Bearer Token Usage. RFC 6750. https://doi.org/10.17487/RFC6750
[3]
Yoshiaki Kasahara, Eisuke Ito, and Naomi Fujimura. 2014. Introduction of New Kyushu University Primary Mail Service for Staff Members and Students. In Proceedings of the 42nd Annual ACM SIGUCCS Conference on User Services (Salt Lake City, Utah, USA) (SIGUCCS ’14). ACM, New York, NY, USA, 103–106. https://doi.org/10.1145/2661172.2662965
[4]
Yoshiaki Kasahara, Takao Shimayoshi, Eisuke Ito, and Naomi Fujimura. 2018. The Past, Current, and Future of Our Email Services in Kyushu University. In Proceedings of the 2018 ACM on SIGUCCS Annual Conference (Orlando, Florida, USA) (SIGUCCS ’18). ACM, New York, NY, USA, 103–106. https://doi.org/10.1145/3235715.3235737
[5]
Yoshiaki Kasahara, Takao Shimayoshi, Tadayuki Miyaguchi, and Naomi Fujimura. 2019. Migrate Legacy Email Services in Kyushu University to Exchange Online. In Proceedings of the 2019 ACM SIGUCCS Annual Conference (New Orleans, LA, USA) (SIGUCCS ’19). Association for Computing Machinery, New York, NY, USA, 127–131. https://doi.org/10.1145/3347709.3347817
[6]
Microsoft. 2019. Improving Security - Together. Retrieved September 13, 2022 from https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892
[7]
Microsoft. 2020. Announcing OAuth 2.0 support for IMAP and SMTP AUTH protocols in Exchange Online. Retrieved September 13, 2022 from https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-oauth-2-0-support-for-imap-and-smtp-auth-protocols-in/ba-p/1330432
[8]
Microsoft. 2020. Basic Authentication and Exchange Online – April 2020 Update. Retrieved September 15, 2022 from https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508
[9]
Microsoft. 2020. Basic Authentication Deprecation in Exchange Online – September 2022 Update. Retrieved September 15, 2022 from https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437
[10]
Microsoft. 2022. Azure AD Conditional Access documentation. Retrieved September 16, 2022 from https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/
[11]
Microsoft. 2022. Limits for automated, scheduled, and instant flows. Retrieved September 16, 2022 from https://docs.microsoft.com/en-us/power-automate/limits-and-config
[12]
Microsoft. 2022. Microsoft Graph throttling guidance. Retrieved September 16, 2022 from https://docs.microsoft.com/en-us/graph/throttling
[13]
Microsoft. 2022. What is Identity Protection?Retrieved September 16, 2022 from https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
[14]
William Mills, Tim Showalter, and Hannes Tschofenig. 2015. A Set of Simple Authentication and Security Layer (SASL) Mechanisms for OAuth. RFC 7628. https://doi.org/10.17487/RFC7628
Index Terms
- End of Basic Authentication and Migration to Modern Authentication for Exchange Online
Recommendations
A hash-based strong-password authentication scheme without using smart cards
So far, many strong-password authentication schemes have been proposed, however, none is secure enough. In 2003, Lin, Shen, and Hwang proposed a strong-password authentication scheme using smart cards, and claimed that their scheme can resist the ...
Remarks on fingerprint-based remote user authentication scheme using smart cards
In 2002, Lee, Ryu, and Yoo proposed a fingerprint-based remote user authentication scheme using smart cards. The scheme makes it possible for authenticating the legitimacy of each login user without any password table. In addition, the authors claimed ...
An enhanced anonymous authentication and key exchange scheme using smartcard
ICISC'12: Proceedings of the 15th international conference on Information Security and CryptologyNowadays, anonymity property of user authentication scheme becomes important. In 2003, Park et al. proposed an authentication and key exchange scheme using smart card. However, Juang et al. pointed out that Park et al.'s scheme did not provide the user ...
Comments
Information & Contributors
Information
Published In
March 2023
97 pages
Copyright © 2023 Owner/Author.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 20 March 2023
Check for updates
Author Tags
Qualifiers
- Poster
- Research
- Refereed limited
Conference
SIGUCCS '23
Sponsor:
Acceptance Rates
Overall Acceptance Rate 192 of 261 submissions, 74%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 62Total Downloads
- Downloads (Last 12 months)15
- Downloads (Last 6 weeks)1
Reflects downloads up to 05 Mar 2025
Other Metrics
Citations
Cited By
View allView Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format