In this article we explore what Modern Authentication is and why it is recommended that you turn it on.

The End of Basic Authentication

After Google activated two-factor authentication for Google accounts in December 2021, Microsoft will now follow suit on October 1, 2022 and finally discontinue Basic Authentication. Access to Exchange Online for Microsoft 365 customers will then only be possible with Modern Authentication.

The switch to Modern Authentication ensures that user accounts and the data they contain are far better protected than with Basic Authentication. In addition, Modern Authentication can improve the user experience. Below, we explain the difference between Basic Authentication and Modern Authentication, why Basic Authentication does not provide sufficient protection, and the benefits to be had from Modern Authentication.

What Is Basic Authentication Actually?

To understand how Basic Authentication actually works, here is an analogy. Imagine the following scenario: You fly abroad, leave the plane and head for border control. Now let’s pretend that the process works a bit differently than you are used to. Instead of showing your passport, you tell the security officer: “Hi, my name is John Doe, my password is XYZ and I’m originally from Germany”. With this information, the security officer gives the national authorities in Germany a call and explains the following: “There’s a guy at my desk who wants to enter our country. He says he’s from Germany, his name is John Doe and his password is XYZ. Is that correct?”. The authorities check the information and confirm it. So, the security officer is happy to tell you that your information is correct and you’re allowed to enter the country. Such a procedure at border control wouldn’t feel quite right, would it? So, what’s wrong with this approach? First, there is no additional check such as a passport that carries further information, like a photo. How would the security officer know you are the person you claim to be? Anyone who knows your name and your password could pretend to be you. Second, you have to disclose information that is supposed to be confidential to another person, and you have to trust the security officer. This is basically how Basic Authentication works in the digital world.

What Is Modern Authentication?

Modern Authentication is an umbrella term originally defined by Microsoft, but many other companies also use it to describe a combination of the following:

  • Authentication methods (authentication = how something/somebody logs in to a system)
  • Authorization methods (authorization = mechanisms that make sure you do not have full access to something by default)
  • Conditional access policies (policies which define the conditions under which certain additional steps have to be taken in order to log into a system)

Authorization and authentication methods are standardized in the digital world. The industry standard for authorization is OAuth2. For authentication there is no single industry standard, but the most widely used one is OpenID Connect. Although they serve different purposes, these standards are closely related from a technology standpoint: the OpenID Connect protocol suite extends the OAuth protocol, and both are built on the same technologies. OAuth was never designed to authenticate users or persons, but only services. That is why OpenID Connect was created.

What would Modern Authentication look like in our airport analogy? With Modern Authentication, the procedure seems quite familiar: You fly abroad, leave the plane and go to the security officer at border control. The officer asks to see your passport, on which he can find all the important information needed to identify who you are and where you are from. This information is protected by anti-forgery mechanisms. In the digital world, the passport is what we call an ID token. This token contains the important information: who you are, who created the token, how long it is valid, etc.
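The two halves of the analogy, side by side, as an added example that is not part of the original article: a Basic `Authorization` header can be decoded back into the password by anyone who sees the request, whereas an ID token is verified the way a passport is checked (genuine signature, issued by the expected authority, meant for this application, not expired). The signing key, issuer URL and audience are constructed demo values, and the token is HMAC-signed (HS256) so the example runs with the standard library alone; real identity providers sign ID tokens with asymmetric keys (RS256/ES256) and publish the public keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not real credentials or a real identity provider).
DEMO_KEY = b"constructed-demo-signing-key"
ISSUER = "https://idp.example.test"
AUDIENCE = "mail-client-demo"


# --- Basic Authentication: every request carries the password itself ----------

def make_basic_header(user, password):
    """Build the `Authorization: Basic ...` value a client sends on each request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Recover (user, password) from a Basic header. Base64 is encoding, not
    encryption: any proxy, log file or middlebox that sees the header can do this."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


# --- Modern Authentication: the ID token is a signed, time-limited "passport" --

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, key=DEMO_KEY):
    """Stand-in for the identity provider. HS256 keeps the demo self-contained;
    production IdPs sign with RS256/ES256 and publish the verification keys (JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token, key=DEMO_KEY, issuer=ISSUER, audience=AUDIENCE, now=None):
    """The border-control check: genuine (signature), issued by the expected
    authority (iss), meant for this application (aud), still valid (exp).
    Returns the claims or raises ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never let the token choose how it is verified.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def token_problem(token, **kwargs):
    """Convenience wrapper: None if the token is acceptable, else the reason."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Basic: the password travels (base64 only) with every single request.
    print(parse_basic_auth(make_basic_header("john.doe", "XYZ")))
    # Modern: the application learns who you are without ever seeing a password.
    token = mint_id_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "john.doe",
                           "iat": 1000, "exp": 1600})
    print(validate_id_token(token, now=1500)["sub"])
    print(token_problem(token, now=1700))  # "expired"
```

Note the order of checks in `validate_id_token`: the signature is verified before any claim in the payload is trusted, and the algorithm is pinned rather than read from the token, so a forged or re-signed token is rejected before its contents can influence the decision.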

Where Does Multi-Factor Authentication (MFA) Fit Into the Mold?

Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are part of the authentication process. The process is as follows: You as a user connect to your identity provider, which needs to validate that it is really you trying to connect. Depending on the conditional access policies defined by the administrator, your identity provider might ask you for further information. If it decides that just entering your credentials is not enough to authenticate you, for example when you are connecting from an unknown network, it may ask you for additional information, for instance a code sent to your mobile phone. Microsoft has implemented this in a very dynamic way: their systems continuously learn and decide what is a secure system and what is not. There is also the possibility to define a device as secure, for example your business laptop. If a device is defined as secure, you will be asked for your credentials just once; a cookie is then stored in your browser, so the next time you log in you are signed in immediately without being asked for your credentials or further details again. These are additional policies an administrator can define, and they are especially relevant at times like these, when many people are working from home (for example on an insecure home network instead of a corporate VPN).
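The decision logic described above, as an added example that is not Microsoft's implementation or any product's configuration format: a small conditional access evaluator in which each policy names the applications it covers, a condition on the sign-in context, and the control it imposes (allow, require MFA, or block). The strictest matching control wins, and a trusted device that already holds a session cookie from an earlier MFA is not challenged again. The policy names, the risk labels and the sign-in events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Set


@dataclass
class SignIn:
    """Context the identity provider sees for one login attempt (constructed)."""
    user: str
    app: str
    device_trusted: bool         # registered business laptop marked as secure
    network_known: bool          # corporate network or VPN
    risk: str = "low"            # "low" | "medium" | "high", from the IdP's risk engine
    has_session_cookie: bool = False  # earlier MFA on this trusted device


@dataclass
class Policy:
    name: str
    apps: Set[str]                        # empty set means "every application"
    when: Callable[[SignIn], bool]        # condition under which the policy applies
    control: str                          # "allow" | "mfa" | "block"


# Stricter controls override weaker ones when several policies match.
CONTROL_RANK = {"allow": 0, "mfa": 1, "block": 2}

# One central policy set shared by every application behind the identity provider.
POLICIES = [
    Policy("block high-risk sign-ins", set(), lambda s: s.risk == "high", "block"),
    Policy("MFA from unknown networks", set(), lambda s: not s.network_known, "mfa"),
    Policy("MFA for untrusted devices", set(), lambda s: not s.device_trusted, "mfa"),
    Policy("MFA always for the admin portal", {"admin-portal"}, lambda s: True, "mfa"),
]


def evaluate(signin, policies=POLICIES):
    """Return (decision, names of matched policies) for one sign-in."""
    decision, matched = "allow", []
    for policy in policies:
        if policy.apps and signin.app not in policy.apps:
            continue
        if policy.when(signin):
            matched.append(policy.name)
            if CONTROL_RANK[policy.control] > CONTROL_RANK[decision]:
                decision = policy.control
    # A trusted device that already completed MFA is not challenged again;
    # a "block" is never downgraded by a cookie.
    if decision == "mfa" and signin.device_trusted and signin.has_session_cookie:
        decision = "allow"
    return decision, matched


if __name__ == "__main__":
    for event in [
        SignIn("john.doe", "mail", device_trusted=True, network_known=True),
        SignIn("john.doe", "mail", device_trusted=True, network_known=False),
        SignIn("john.doe", "mail", device_trusted=True, network_known=False, has_session_cookie=True),
        SignIn("john.doe", "mail", device_trusted=False, network_known=True, risk="high"),
        SignIn("john.doe", "admin-portal", device_trusted=True, network_known=True),
    ]:
        print(event.app, event.network_known, event.device_trusted, "->", evaluate(event))
```

Because `POLICIES` is evaluated for every application that delegates login to the identity provider, adding a new application to the tenant does not require configuring its login rules separately; this is the centralization benefit discussed in the next section.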

What’s the Advantage of Modern Authentication?

One of the biggest benefits for administrators is that all these policies are configured in one central location: the identity provider. The more applications are connected to the identity provider (for example Microsoft Azure Active Directory and the other identity services provided by Microsoft), the more convenient it becomes to configure conditional access policies for all of them at once. The administrator does not have to configure individual login policies and security settings for each application; there is just one place to define the login policies for every application integrated with the identity provider. In the long run, the more applications that support this kind of authentication, the more user-friendly and easier it is for the administrator. And of course, Modern Authentication is much more secure than Basic Authentication.

Conclusion

Don’t delay any longer. Switch to Modern Authentication right now. Modern Authentication is not only far more secure than Basic Authentication but also more user-friendly and makes the life of the user and administrator easier.