Microsoft and Google delay online authentication change

COVID-19 has put reality on hold for everyone for the time being, and that includes security teams. Both Microsoft and Google have postponed a change that would have forced better application security by shutting down an insecure access protocol called Basic Authentication.

Specified in RFC 2617, Basic Authentication is a method of logging applications into online services using a simple username and password combination sent in an HTTP header. You’d use it if you wanted your computer’s productivity software to synchronise with your cloud-based calendar or email service, for example, rather than accessing a web app manually via the browser.

Basic Authentication is convenient because it doesn’t need developers to code cookies or handle login pages. Instead, it just resubmits the credentials with each HTTP request. But it’s insecure because it doesn’t encrypt the login credentials.

Instead, it uses Base64 encoding, which just translates binary content into text. You can overcome that issue using a TLS-protected HTTPS connection, but it still makes it more difficult to implement multi-factor authentication (MFA).

Companies are gradually replacing this method with more modern protocols. Microsoft and Google are both shifting to OAuth 2.0, which uses tokens to authenticate applications with online services, and gives them an expiry date. That way, an application stays authorised for a predefined period, minimising the need to exchange credentials. This also makes it easier to implement multi-factor authentication (MFA).

Microsoft announced that it would switch off Basic Authentication in its Exchange Web Services (EWS) API for Office 365 back in July 2018. It planned to turn off support for the feature entirely on 13 October 2021.

At the same time, it also advised developers to begin moving away from this API, instead using Microsoft Graph, which is its newer API for accessing back-end cloud services such as Exchange Online. It also expanded those plans in September 2019, announcing that it would turn off Basic Authentication in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP and Remote PowerShell.

Google also committed to turning off Basic Authentication. In December 2019, it warned that it would deny what it called ‘less secure apps’ access to its back end services, favouring OAuth 2.0 instead. That was meant to happen on 15 June 2020.

Now, both companies have changed their plans slightly to give their online users more leeway as they cope wth the COVID-19 chaos. Microsoft said on 3 April that it would postpone Basic Authentication for Exchange Online for those tenants using it, and now won’t turn it off until the second half of 2021.

The company won’t change some of its other plans, though. It will still disable Basic Authentication for new accounts, and it will continue rolling out OAuth support for POP, IMAP, SMTP AUTH, and Remote PowerShell.

Google also announced at the end of March that it will postpone its Basic Authentication switch-off until further notice.

This doesn’t mean that companies shouldn’t move to more secure methods, though. Google said:

Despite these timing adjustments, Google does not recommend the use of any application that does not support OAuth. We recommend that you switch to using OAuth authentication whenever possible for your organization.

Both companies have taken other measures in response to the health crisis. They postponed the end of support for TLS 1.0 in their respective browsers, with Microsoft specifically citing COVID-19 as a factor in its decision.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.