As more organizations adopt modern authentication protocols, legacy authentication poses a growing risk to those who lag behind. The problem is, making a business-wide transition to modern authentication is no easy feat, as Microsoft employees learned when they tackled it.
"About half of a percent of the enterprise accounts in our system will be compromised every month," Alex Weinert, director of identity strategy at Microsoft, said of its customer accounts. "Which is a really, really, really high number, if you think about it." In a business of 10,000 users, for example, 50 of them will be compromised in a month if the business is average and doesn't do anything additional, Weinart said in an RSA Conference talk on the topic last month.
More than 1.2 million Microsoft customer accounts were compromised in January 2020, Weinert said. Of those, more than 99% did not have MFA enabled. "Multi-factor authentication would have prevented the vast majority of those one million compromised accounts last month," he explained.
About 40% of those January compromises, or 480,000 accounts, were due to password spray attacks and nearly all (99% of) password sprays leveraged legacy authentication protocols. The second most-common attack method was brute-forcing credentials across platforms. Nearly all (97% of) these "replay" attacks also use legacy authentication protocols, Weinert noted, and the probability of compromise jumped for users who relied on SMTP, IMAP, POP, and others.
"We know about 60% of users [overall] will reuse passwords; it's super common," he continued, adding that "people do reuse their enterprise accounts in non-enterprise environments."
"Legacy," or "basic" authentication refers to older protocols like POP, SMTP, IMAP, and XML-Auth, which don't allow for user interaction or MFA challenges, Weinert said. It is the predominant problem with deploying MFA and the preferred mechanism for attacking accounts. Attack tools are built on it; it works, and it's easy, he said. But disabling basic authentication protocols can make a significant difference: controlling for other variables, Microsoft found a 67% reduction in compromise for tenants that turned off legacy protocols.
To help defend its own employees against attacks targeting these protocols, Microsoft has rolled out modern MFA options compatible for phone, cloud, and on-prem environments over the years. Still, while it invested in these tools, it "really didn't pay attention to legacy authentication," said Lee Walker, identity architect on Microsoft's internal IT team. "We thought it would naturally go away." Still, many internal Microsoft employees continued to use legacy protocols. In 2018, company executives called for legacy authentication to be shut down across the organization.
Trial and (A Big) Error
Taking a broader look at Microsoft's environment, the team saw a few instances of legacy authentication but assumed the project wouldn't be intensive. It was primarily used in Azure Active Directory, in small tools people used to directly talk with Microsoft Graph and do basic information gathering in Azure, as well as in SharePoint, Skype for Business, and Exchange.
The team thought most of the upgrades would be for old Office 2010 or 2013 clients. "We knew those were using legacy authentication, but we knew the vast majority of people had been upgraded," said Walker. They expected these Office clients to be people with older personal machines at home, and they'd simply need to help the users upgrade.
There are several tools available to block legacy protocols; Lee and Walker demonstrated their process using one built into Azure Active Directory. It started out smoothly, they said. The IT and operations teams deployed legacy authentication disablement to 2,000 users in the organization and experienced minimal problems. "This gave us a lot of confidence that our deployment for legacy authentication blocking was going to proceed very quickly across Microsoft internally," said Walker, noting they expected the process to take two months.
"It didn't quite work out that way," he added.
The team deployed this disablement policy across its 60,000-person sales force. They left their desks that day in October 2018 and soon started getting calls in the middle of the night: the TeleSales app, used to contact customers and take orders, wasn't working among Australian users. "It's a critical app for our sales force, and when we looked into this, we discovered there's one account that was used to run the back end of all our TeleSales applications," said Walker. This account, hidden in the data, was being blocked by the legacy authentication policy.
This policy caused the app to break, which took down the sales force for effectively a whole day, considering the time difference and the time it takes to escalate issues. "They could not make money for a day, and that was a big deal," Walker noted.
Taking a New Approach
The team was told they couldn't move forward with the policy until they were sure the incident wouldn't happen again. "The reality is, we didn't really know what we were doing," said Weinert. They didn't have the data they needed to show where legacy authentication was being used in their environment; more importantly, they didn't have the insight to know what that data really meant. If they had, they would have seen the connection between the TeleSales app, the account behind it, and the hundreds of thousands of people who relied on it.
"We knew we needed more data, so we decided to keep a lot more data," said Weinert. The team logged 90 days of sign-in history to identify specific apps using legacy authentication. This timeframe was large enough to give them visibility into apps used on a daily basis and weekly basis; they could also see financial apps only used once per quarter.
They also decided to simulate the legacy authentication policy instead of enforcing it outright. "Report-only" mode gave the ability to deploy a simulated policy without blocking anything. As a result, users would see "we would have blocked this" instead of losing app functionality.
Then came the tedious part: the team had to track down individual owners of the apps relying on legacy authentication protocols, work with them to find the API that was prompting them for passwords, and find the modern equivalent of that API to fix it. By March 2019 the policy was enabled for 94% of users, but they still faced several exception requests per week.
"This was probably the biggest driver of work for our team," said Walker. Turning off legacy authentication didn't take much time; neither did collecting or analyzing data. Talking to app owners also wasn't time-consuming, but individual requests for rarely used apps "took a lot of time." It took about a year to run through exceptions and secure legacy authentication users.
"Human processes here are super important," said Walker. He advised IT and security teams to start testing with a small group, preferably their own, to learn the response process before rolling out a policy across the organization. He also encouraged RSAC attendees to start the process of eliminating legacy authentication as soon as possible: Microsoft has seen a ~3,000% increase in attack rate on Microsoft products and services in the past three years. Adopting modern authentication protocols can help defend against password sprays, credential reuse, and other common attack techniques.
"Organizations moving to a more secure protocol are getting out of harm's way and letting attackers harvest from those who haven't," he said.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Out at Sea, With No Way to Navigate: Admiral James Stavridis Talks Cybersecurity."