What Is Happening With Exchange Online, Basic Authentication and Modern Authentication

This article applies to Riva On-Premise and Riva Cloud.

Riva uses the Microsoft-provided data-access API, primarily the "Exchange Web Services" (EWS) technology, using HTTP with TLS/SSL to provide secure communication with Microsoft Exchange for Office 365, hosted Exchange, and Exchange on-premises.

Latest update: April 2020

As announced in July 2018, Microsoft had previously planned to end support by October 13, 2020.

Microsoft recently announced, with the world focused on COVID-19 pandemic responses, a delay to planned changes related to Basic Authentication.

As of this update, Microsoft has not announced new dates; the stated target is the second half of 2021.

Microsoft Announced End-Of-Life for Exchange Online "Basic Authentication"

In July 2018, Microsoft announced that Basic Authentication would be decommissioned since OAuth 2.0 had proven to be a reliable replacement.  This was in line with the Microsoft Office 365 planned transition to Modern Authentication which also includes Outlook Web Access, Outlook desktop, Outlook on Mac, SMTP, IMAP, POP - and all other Office 365 services.

In that same announcement, the Graph API Program Manager indicated that Exchange Web Services (EWS) would continue to receive security updates and certain non-security updates, and that its product design and feature set would remain unchanged. Microsoft will now focus its development on the newer Graph API. Some have read this to mean that EWS was also being deprecated, or that EWS itself had security issues; neither is the case. Microsoft has made no announcement identifying EWS as deprecated or setting a date when it will no longer be supported. The same Modern Authentication used with the Graph API is available today with EWS and is fully supported by Riva.

How does Riva communicate with Microsoft Exchange?

This article has a full breakdown of how Riva communicates with Microsoft Exchange Online (Office 365) or Exchange On-Premise.

Your Exchange messaging team is likely already familiar with the technologies and processes used by Riva. If you have questions or require additional information, contact the Riva Success Team.

What is Basic Authentication?

HTTP basic authentication is a simple challenge-and-response mechanism with which a server can request authentication information (a user ID and password) from a client. The client (in this case, Riva) passes the authentication information to the server (in this case, the Exchange "edge service") in an HTTP Authorization header. The user ID and password are Base64-encoded (not encrypted) before being transmitted.

Warning: The HTTP basic authentication scheme can be considered secure only when the connection between the web client and the server is secure. Even over an encrypted connection, sending the credentials on every request means that if the communication channel is not trustworthy, the traffic could be recorded and processed offline by exploiting weaknesses in the SSL/TLS encryption. A rotating password policy is often recommended to limit this exposure; however, rotating passwords for service accounts is often difficult and time-consuming.

Microsoft has a detailed article on how Basic Authentication works in Exchange Online and how to disable it.

Why is Microsoft moving to disable Basic Authentication?

People often use the same password for personal and work accounts. This means that if a third-party site is compromised, there is a high likelihood that the same password also protects the user's Office 365 account and Exchange mailbox.

There are several factors, but the driving ones are malicious attacks using Password Spray and Password Replay techniques to compromise an existing mailbox, then using that mailbox to move laterally and introduce malware and other tools to gain broader access.

At a recent RSA Conference, Microsoft revealed that 480K accounts were compromised by password spray attacks, and that 99% of password spray attacks use basic authentication with IMAP4 and SMTP.

What does this mean to Riva customers?

Riva customers can rest easy because Riva already includes support for "Modern Authentication".

The recommended authentication for Office 365 and Exchange Online has been OAuth 2.0 since support was introduced.

If you are unsure how to transition or would like our team to work through this process with you, contact the Riva Success Team.
