Office365 – MFA and Legacy Protocol Changes and Enforcement

 

 

Peter Kline • Entre Computer Services • 2/22/2021

About the Changes

Microsoft has made several announcements regarding their Office365 service and the depreciation of single-factor (password-only) authentication and the protocols that require it. Many of these announcements have been pushed back or temporarily delayed due to the COVID-19 pandemic and the requirements of change in a pandemic-driven world, but they are coming. We hope this entry informs you as to what the changes are, why they are happening and what they mean to your business.

Firstly, some chilling information from Microsoft’s security blog, collected from industry studies and internal data:

  • The average compromised account lives for 100 days before detection and correction
  • A claimed 80% of hacking-related data breaches are the result of a compromised account
  • Microsoft claims that enforced MFA reduces the potential of an account compromise by as much as 99.9% over simple passwords.
  • A claimed 91% of IT Executives plan to implement MFA in the ‘coming year’ (2020)

At this point, these numbers are frankly aged, and likely worse. One may conclude that MFA is, simply put, a requirement for modern security practices, alongside and possibly surpassing password requirements to better secure your accounts.

Microsoft agrees. And that is why they are ramping up mandatory enforcement of MFA (and discontinuing legacy protocol support). For some businesses, this will happen transparently while for others it will involve significant changes to their network to support a better security posture.

At present, Microsoft plans to begin phasing in these changes in ‘Late 2021’, with some changes already having been implemented. The most recent information can be reviewed here from their Exchange team blog or via the MS365 Roadmap site.

Welcome to the modern era of Information Technology. Let us bring you up to speed.

What will this impact?

Firstly, let’s assess what this is likely to break and what’s likely to be just fine. Microsoft (being the single vendor for Office365 and Microsoft Office applications) has silently built support for these changes into the latest version of Outlook, along with other applications that authenticate against Office365 such as OneDrive. These have been included for several years at this point and will not require any updates.

In these situations, the only changes that will be necessary are for users to set up and configure their account for MFA, essentially automated through the UI in applications like Outlook. When enabled, their Outlook client will prompt them to configure MFA settings on next authentication. Users of Outlook for Web (OWA) will see a prompt on next login. How these prompts appear and what they offer are dictated by your organization’s MFA settings – do they want to allow SMS messages, an authentication application, etc?

For devices using legacy protocols such as SMTP, POP3 or IMAP – they will require updated software or the deployment of application passwords. These become specialized use cases that will require planning. The trusty old stead of a copier in your mail room that once scanned documents to your inbox will require some reconfiguration or updating to continue to work.

 

What is MFA?

MFA is an acronym for Multi-Factor Authentication. As the name implies, it uses multiple factors to validate that you are the owner of the account. Typically, these factors (for a given username) include passwords and a one-time code delivered through a variety of means.

It might not be immediately apparent, but passwords have an Achilles heel – they must be stored on the server to compare login attempts against. They also must be transmitted to the server over a variety of paths to submit for comparison, and they do not change frequently enough that, should a malicious actor obtain a password through hacking a company’s servers or intercepting it over your internet connection, it would likely stay valid for weeks or months (or longer).

Security is a constantly moving target. What was true in 1985 was no longer true by the 1990s. What was true in 2005 is no longer true today. We have reached a point in time where – despite significant advances in at-rest and in-transit encryption – passwords simply aren’t enough to confirm rightful access to an account. It needed to be combined with something temporary enough that it might not be recorded and used later, while also being delivered outside the system you are accessing to prevent the secret you are attempting to use from being intercepted.

Today, the most effective way to do this is by combining passwords with a one-time code sent via SMS text message or generated through an authenticator application, which uses a mathematical formula to generate predictable numbers on a device such as a phone, whose numbers are also predictable via a third-party service. Authenticating to your work email via one of these applications means the code you enter is sent to the authentication service and the matching formula on their servers decides if the code is valid for the given date and time. Likewise, with SMS services, a one-time code is triggered to your phone outside of the application you are using and the application checks with the service to see if the code is valid.

What are Legacy Protocols?

Legacy Protocols refer to protocols that were built before MFA existed. Imagine if two spies were to speak in a pre-determined clandestine way. They recognized each other, but had to say a special password in the sentence to confirm they were indeed the other spy and that they were not compromised. Now imagine adding a second piece of information to your exchange – the pre-determined manner that you’ve agreed to chat never included that second bit of information, so you simply don’t know how to ask the other spy about it without re-writing all of the spy books and trainings to include that second bit of information.

Many protocols in-use today existed in the 1980s and made no attempt to include additional authentication data like an MFA code. Indeed, most protocols that are wrapped in a layer of encryption do so not just for privacy and protection, but because they exchanged data in very insecure ways prior to being encrypted. Technology makes every effort to change as little as possible and while encrypting something insecure to secure it transparently reduces code change and maintains compatibility, many protocols simply aren’t built to take a username and password, and then interact with a third-party system behind the scenes while waiting in something of a security purgatory. New protocols have been written that natively allow a user to authenticate in two stages, starting with a password and then waiting for validation via one-time codes after the fact.

What are Application Passwords?

Despite the need for MFA (and protocols that are designed to support it), some applications simply cannot work with them. Unlike humans, applications don’t carry a phone around with them and simply aren’t able to provide a second one-time-use code each time they want to interact with, say, your email system. In this case, we use Application Passwords.

Application passwords are username and password combinations – that do not require an MFA code to work and thus are compatible with legacy protocols – that are limited in what they can do and where they can do it from. Typically, these are used for something like a phone system that must be able to send email through Office365 to deliver voicemails, or a copier or on-site monitoring system that must do the same.

Putting IT Together

In short, Microsoft has been planning for (and building around the need to) implementation of MFA for a long while, and support is included in all their products. However, third party devices or older clients and configurations will require some additional planning before the cutover date.  Initially, this will only impact new customers or customers without logged usage of some protocols discussed, but it will only be a matter of time before this extends to your account and products.

Let Entre assist you in determining when this might be an issue for you and how you can work around it today, both for better security and to be ready for what's coming down the road. 

 

Interested in learning more about MFAs? Use our contact information below to get in touch.