Office 365 – Disabling Basic Authentication

E-mail applications can authenticate to Office 365 using either basic authentication (also called Legacy Authentication) or Modern Authentication. Basic authentication is less secure (see below); the most widely used mail clients now support modern authentication, so it should be preferred over basic.

On August 27 we disabled basic authentication for all users except the accounts that had used it in the last two months. These users will also be switched to modern authentication: we plan to contact them gradually with instructions for the change. In most cases the change simply means removing the university account from the e-mail application and adding it again.
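As an added illustration of the administrative side of this change (example code, not the university's own script), the following Exchange Online PowerShell session blocks basic authentication for the whole tenant and keeps a temporary exception policy for the accounts that still use it. The policy names and the user list are assumptions; the list of legacy accounts would in practice be exported from the tenant's sign-in reports.

```powershell
# Added example: block Basic Authentication tenant-wide in Exchange Online while
# keeping a temporary exception policy for accounts that still rely on it.
# Policy names and the user list below are placeholders for illustration.
Connect-ExchangeOnline

# 1. A new authentication policy with no AllowBasicAuth* switch set blocks
#    Basic Auth for every protocol (IMAP, POP, SMTP AUTH, ActiveSync, Offline
#    Address Book, ...); clients must use modern (OAuth2) authentication.
New-AuthenticationPolicy -Name "Block Basic Auth"

# 2. Make it the tenant default so every account without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3. Temporary exception: allow only the protocols the legacy clients still need.
New-AuthenticationPolicy -Name "Legacy Basic Auth (temporary)" `
    -AllowBasicAuthImap -AllowBasicAuthSmtp -AllowBasicAuthActiveSync

# 4. Assign the exception to the accounts that used Basic Auth recently
#    (placeholder list; export the real one from the sign-in reports).
$legacyUsers = @("legacy.user1@example.edu", "legacy.user2@example.edu")
foreach ($upn in $legacyUsers) {
    Set-User -Identity $upn -AuthenticationPolicy "Legacy Basic Auth (temporary)"
}

# 5. Policy assignments are cached and can take up to 24 hours to apply.
#    To enforce the change on one account immediately, invalidate its refresh
#    tokens, which forces the client to authenticate again:
# Set-User -Identity "someone@example.edu" -STSRefreshTokensValidFrom (Get-Date)

# 6. Verify which accounts are still allowed to use Basic Auth.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy -eq "Legacy Basic Auth (temporary)" } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

Re-run step 6 periodically and move accounts off the exception policy as their owners switch to modern authentication, so the exception list only shrinks.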


Basic authentication vs modern authentication

E-mail applications can use various protocols to access Office 365, such as IMAP, ActiveSync, SMTP or the Offline Address Book. Whichever protocol is used, there are two options for user authentication:

  1. basic authentication – the password is stored in the application; at every login the application sends the password to Office 365, whose servers verify it against the university's servers (specifically adfsgw.vse.cz);
  2. modern authentication, which is based on the OAuth / OAuth2 protocol. When the account is set up, the university login page is displayed and the user enters the login details there. The mail client then obtains a token (a long random string) that it uses to log in. The token has a limited validity; before it expires (or at each login) the client can request an extension of the token's validity without asking the user for the login details again. If the application does not log in for a long time, the user must re-enter the password.

Modern authentication has the following security benefits:

  • no password is saved in the mail client that could be used to log in to other services, e.g. MS Teams; the token is tied to the specific service;
  • the password does not pass through the Office 365 servers, so it cannot be stolen there, e.g. through a bug in the server code;
  • if the mail client does not log in for a longer period of time, the token expires and the user must re-enter the login details;
  • the login can also include multi-factor authentication.

With modern authentication you enter the password on the university login page for Office 365, as illustrated below.

With basic authentication you enter the password directly in the application, as illustrated below.