ABSTRACT
At Kyushu University, the Information Infrastructure Initiative provides an email service named "Primary Mail Service" for students and staff members, using Microsoft Office 365 Exchange Online. On September 20th, 2019, Microsoft announced the end of support for Basic Authentication for Exchange Online, which is considered vulnerable to identity leakage through phishing and malware attacks. Microsoft would require users to use Modern Authentication, such as the Exchange protocol or OAuth 2.0 authorization with IMAP, POP, and SMTP. Historically, we had instructed our users to use the IMAP or POP and SMTP protocols for their email applications, including Microsoft Outlook and Mozilla Thunderbird, so disabling Basic Authentication would significantly impact our user population. In September 2021, Microsoft announced the end of September 2022 as the hard deadline for disabling Basic Authentication. Based on the available information, we prepared documents for migrating from Basic Authentication to Modern Authentication and started to notify users to abandon Basic Authentication. Sending messages to users did not seem to be effective after a couple of notifications, so we tried temporarily disabling Basic Authentication to make the remaining users aware through authentication failures. In this paper, we would like to share our experience of the effect of retiring Basic Authentication for Exchange Online on our service and users.