CISA Calls for Expedited Adoption of Modern Authentication Ahead of Deadline

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies and private organizations to switch to Modern Auth in Exchange Online before October 1, 2022.

A legacy authentication method, Basic Auth does not support multi-factor authentication and requires that the user’s password is sent with each authentication request. It is used in protocols such as ActiveSync, Exchange Web Services (EWS), Post Office Protocol/Internet Message Access Protocol (POP/IMAP), and Remote Procedure Call over HTTP (RPC over HTTP).

Per Executive Order 14028, “Improving the Nation’s Cybersecurity,” federal civilian executive branch (FCEB) agencies are required to adopt MFA within their environments, and switching to Modern Auth is a first step in this direction.

Last year, Microsoft announced plans to disable Basic Auth in Exchange Online starting October 1, 2022, which calls for an expedited migration to Modern Auth, CISA says. Organizations with on-premises Exchange servers should migrate to hybrid Modern Auth.

“We’re turning off Basic Auth for the following protocols: MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell,” Microsoft announced last month.

The tech giant has long promoted the adoption of modern authentication, explaining in a 2020 blog post that nearly all password spray and credential stuffing attacks rely on legacy authentication and that successful compromise had dropped by 67% within organizations that disabled legacy authentication.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth. After completing the migration to Modern Auth, agencies should block Basic Auth,” CISA notes.

Legacy or custom-built business applications are likely still relying on Basic Auth, but user-facing applications such as Outlook for desktop and mobile have already switched to Modern Auth.

To identify applications and users still relying on legacy authentication, organizations should review Azure Active Directory (AAD) sign-in logs. Next, they should plan for a phased migration to Modern Auth, for both apps and users.

Once the migration has been completed, organizations are advised to block legacy authentication. This can be done by creating a new policy in Exchange Online or by creating a conditional access policy in AAD, thus blocking Basic Auth before or after authentication occurs, respectively.
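The sign-in log review described above can be scripted once the logs are exported. The following is an added example, not code from CISA, Microsoft, or the article. It assumes a JSON export whose records carry the `userPrincipalName`, `clientAppUsed`, `status.errorCode` and `createdDateTime` fields, and it assumes that any client label other than the two modern ones listed in the code counts as legacy. The sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption: these two clientAppUsed labels mean Modern Auth; any other
# non-empty label (IMAP4, POP3, Authenticated SMTP, ...) is treated as legacy.
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}

def _rec(user, client, code, when):  # builds one constructed sample record
    return {"userPrincipalName": user, "clientAppUsed": client,
            "status": {"errorCode": code}, "createdDateTime": when}

# Constructed sample export, not real log data. errorCode 0 means success.
SAMPLE_EXPORT = json.dumps([
    _rec("alice@example.com", "IMAP4", 0, "2022-06-20T08:00:00Z"),
    _rec("alice@example.com", "IMAP4", 0, "2022-06-27T08:00:00Z"),
    _rec("bob@example.com", "Browser", 0, "2022-06-21T09:30:00Z"),
    _rec("svc-scan@example.com", "Authenticated SMTP", 0, "2022-06-25T02:15:00Z"),
    _rec("carol@example.com", "POP3", 50126, "2022-06-26T23:59:00Z"),
    _rec("Carol@example.com", "Mobile Apps and Desktop clients", 0, "2022-06-27T07:00:00Z"),
])

def is_legacy(record):
    """True when the sign-in used a client label outside the modern set."""
    client = (record.get("clientAppUsed") or "").strip().lower()
    return bool(client) and client not in MODERN_CLIENTS

def legacy_inventory(records):
    """Group legacy sign-ins by (user, client app) for migration planning."""
    inventory = defaultdict(lambda: {"success": 0, "failure": 0, "last_seen": ""})
    for rec in records:
        if not is_legacy(rec):
            continue
        entry = inventory[(rec["userPrincipalName"].lower(), rec["clientAppUsed"])]
        ok = rec.get("status", {}).get("errorCode") == 0
        entry["success" if ok else "failure"] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["createdDateTime"])
    return dict(inventory)

def users_blocking_cutover(inventory):
    """Users with successful legacy sign-ins, who lose access once Basic Auth is blocked."""
    return sorted({u for (u, _), e in inventory.items() if e["success"]})

if __name__ == "__main__":
    inv = legacy_inventory(json.loads(SAMPLE_EXPORT))
    for (user, client), e in sorted(inv.items()):
        print(f"{user:24} {client:20} ok={e['success']} fail={e['failure']} last={e['last_seen']}")
    print("Migrate before blocking:", users_blocking_cutover(inv))
```

Accounts that show only failed legacy sign-ins, like the constructed `carol@example.com` entry, have no working legacy client to migrate, so they do not hold up the block.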

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
