What are the risks of legacy authentication?
Although legacy authentication is still commonly (and legitimately) used in many organisations, it presents a major security weakness, providing hackers with ‘back door’ access to your corporate data. The reason for this is simple – unlike modern authentication protocols, legacy authentication methods neither understand nor respect multi-factor authentication (MFA). Here are some rather stark facts from Microsoft about legacy authentication:
- More than 99 percent of password spray attacks use legacy authentication protocols
- More than 97 percent of credential stuffing attacks use legacy authentication
- Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled
Let’s run through an example of why legacy authentication represents such a security risk. Through various nefarious means, a hacker has managed to obtain a list of compromised username and password combinations for your organisation – including some C-level executives. No doubt the information contained in the mailboxes of these users could be useful for any number of further hacking activities. “No problem though,” I hear you say, “all our users are protected by MFA, and MFA can block almost all account compromise attacks.” Whilst that statement is certainly true (over 99.9% true according to Microsoft), what is commonly overlooked is that MFA can only block account compromise attacks where modern authentication is being used. MFA is not effective against legacy authentication protocols.
Let’s return then to our example – your users are all protected by MFA, but you haven’t blocked legacy authentication protocols in your tenant. Your hacker can simply use a valid username/password combination they have stolen with an older mail client that does not use modern authentication (such as Outlook 2010 and below). At that point, any per-user MFA or conditional access rules you have implemented to enforce MFA are completely bypassed. The hacker connects to the mailbox using the password only and immediately synchronises the entire mailbox contents to their local device using a legacy authentication protocol such as SMTP, POP3, or IMAP. At that point you have effectively lost control of the data. Even if the compromised user changes their password or you block legacy authentication at tenant level (both of which would break the mail synchronisation), the hacker still has a full offline copy of the mailbox up to that point, which they can peruse at their leisure for whatever purpose they choose: data and identity theft, perhaps, or the discovery of sensitive information that could lead to blackmail and extortion attempts.
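As an added illustration (not code from the original article), here is a small Python check that reads an Azure AD sign-in log export and lists the successful sign-ins that arrived over a legacy protocol, which is exactly the path the scenario above relies on. The sample log is constructed, and it is assumed that the field names (`clientAppUsed`, `status.errorCode`) match the sign-in log JSON export.

```python
"""Flag legacy-authentication sign-ins in an Azure AD sign-in log export."""
import json
from collections import Counter

# Client app values Azure AD reports for legacy (basic) authentication.
# Modern clients appear as "Browser" or "Mobile Apps and Desktop clients".
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "POP3", "Reporting Web Services", "Other clients",
}

# Constructed sample export (not real tenant data); the field names are
# assumed to follow the sign-in log JSON export.
SAMPLE_LOG = json.dumps([
    {"createdDateTime": "2021-03-01T08:00:12Z", "userPrincipalName": "ceo@example.com",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T08:05:40Z", "userPrincipalName": "ceo@example.com",
     "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T08:06:02Z", "userPrincipalName": "cfo@example.com",
     "clientAppUsed": "POP3", "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2021-03-01T09:15:00Z", "userPrincipalName": "cfo@example.com",
     "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2021-03-01T09:20:00Z", "userPrincipalName": "it@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.11",
     "status": {"errorCode": 0}},
])


def legacy_signins(log_json, successful_only=True):
    """Return sign-in records that used a legacy client app.

    errorCode 0 means the password was accepted: these are the sign-ins where
    MFA was never offered and the mailbox could have been synchronised.
    """
    hits = []
    for rec in json.loads(log_json):
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if successful_only and rec.get("status", {}).get("errorCode") != 0:
            continue
        hits.append(rec)
    return hits


def summarise(hits):
    """Count legacy sign-ins per (user, protocol) so the riskiest accounts stand out."""
    return Counter((h["userPrincipalName"], h["clientAppUsed"]) for h in hits)


if __name__ == "__main__":
    for (user, app), n in summarise(legacy_signins(SAMPLE_LOG)).most_common():
        print(f"{user:20s} {app:20s} {n}")
```

Run it against a real export (with `successful_only=False` to include failed password sprays) to see which users and protocols still need legacy authentication before you block it tenant-wide.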
To summarise then – for MFA to be effective, you also need to block legacy authentication. Let’s look now at what Microsoft’s response is to legacy authentication and how you can identify and block the same in your own environment, before Microsoft does it for you!