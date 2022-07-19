Ads

Just in case the drumbeat to adopt Multi-Factor Authentication (MFA) hasn’t yet sunk in, a new report from Okta reveals that organizations using Microsoft 365 “Legacy Authentication” (like passwords) are much more likely to be attacked by hackers.

How much more likely? Here are some data points:

Those data points are included in Okta’s latest Businesses at Work report, the eighth annual edition from the San Francisco-based identity provider specialist. The report seeks to explore how organizations and people work today, based on data from the company’s more than 14,000 global customers and the Okta Integration Network, which includes more than 7,000 integrations with cloud, mobile and web apps, as well as IT infrastructure providers.

Specifically, the security aspects of the report rely on a year’s data collected by a homegrown ThreatInsight tool that detects potentially malicious IP addresses, which was designed to prevent credential-based attacks.

“Here’s what we found: Microsoft Legacy Authentication is simply more vulnerable to attack than modern forms of authentication. This means that organizations allowing legacy forms of auth are more frequently subject to credential-based attacks,” said Okta CEO and co-founder Todd McKinnon in a Jan. 25 blog post.

The report provided more details.

“This year we wanted to test the hypothesis that attackers are deliberately targeting Microsoft 365 accounts in organizations that allow Legacy Authentication. Microsoft calls ‘Legacy Authentication’ any method to authenticate to Microsoft 365 that doesn’t support MFA. Accounts with Legacy Authentication enabled are far more vulnerable to credential stuffing because the security of the account relies on the strength of user-defined passwords.”

Indeed, Microsoft has published guidance like “New tools to block legacy authentication in your organization” (March 2020) and “How to: Block legacy authentication to Azure AD with Conditional Access” (December 2021).

What’s more, Microsoft-centric organizations soon won’t have much of a say in the matter: The company’s guidance includes a note, “Effective October 1, 2022, we will begin to permanently disable Basic Authentication for Exchange Online in all Microsoft 365 tenants regardless of usage, except for SMTP Authentication.” Microsoft also provided some “stark” statistics of its own and published an RSA Conference 2020 graphic:

Another security mechanism figuring prominently in the report is Zero Trust, which eschews the standard security approach of walling off networks and systems behind a secure perimeter. It’s one of the latest security darlings in an industry that has seen the advent of hybrid work models, the proliferation of endpoints and bring-your-own devices, disparate and interconnected systems spanning clouds and enterprise datacenters, and just general complexity all around. Instead of trying to secure perimeters, Zero Trust assumes that such fortress security approaches are destined to fail and that systems have already been penetrated, seeking to lessen the damage that can be caused. Microsoft recently touted Zero Trust as a security model to fight ransomware.

“Beyond MFA, Okta customers have demonstrated that they are sold on the vision of Zero Trust, and are rapidly progressing their journey from unified access management to contextual-based access,” the Okta report said. “Customers are increasingly assessing the security behaviors of users and factoring in other risk signals at authentication.”

The report found an increase in the number of customers putting Zero Trust building blocks in place:

Okta provided this graphic to illustrate the progress in the adoption of Zero Trust:

The wide-ranging report also explores the most popular and fastest-growing apps, best tools for the job, the rise of multi-cloud and more. Here are some data highlights as presented by Okta:

“For many of us, 2021 felt like a continuation of the challenges of 2020 — a year stuck in limbo,” McKinnon said. “However, the most innovative companies found ways to push forward and evolve. Our data shows that organizations around the globe leaned heavily into two areas: choice and collaboration. This matches a drum we’ve beat since our inception, and we’re excited to see more organizations around the world put them at the forefront of their technology strategies.”

