[ForYourInformation -55] Benefits of Modern authentication (OAuth) over Basic (Legacy) auth

Let's look at the key difference between Basic (legacy) authentication and Modern Authentication with a metaphor:

Imagine the following scenario: You fly abroad, leave the plane and head for border control. Now let's pretend that the process works a bit differently than you are used to. Instead of showing your passport, you tell the security officer: "Hi, my name is Shawn Adams, my password is ABC and I'm originally from the UK". With this information, the security officer calls the national authorities in the UK and explains: "There's a guy at my desk who wants to enter our country. He says he's from the UK, his name is Shawn Adams and his password is ABC. Is that correct?". The authorities check the information and confirm it. So, the security officer is happy to tell you that your information is correct and you're allowed to enter the country. Such a procedure at border control wouldn't feel quite right, would it? So, what's wrong with this approach? First, there is no additional check such as a passport carrying extra information like a photo. How would the security officer even know you are the person you claim to be? Anyone who knows your name and your password could pretend to be you. Second, you have to disclose information that is supposed to be confidential to another person, and you have to trust the security officer with it.

In the digital world, this is essentially what Basic Authentication is: the client presents the username and password (the user's credentials) to authenticate. This means that if you want to give someone access to your mailbox, they could use the same credentials to access your Microsoft or Google suite.


What would Modern Authentication look like in our airport metaphor?

With Modern Authentication, the procedure feels familiar: The officer asks to see your passport, on which he can find all the important information needed to identify who you are, where you are from and how long your stay is. This information is protected by anti-counterfeit mechanisms. This is similar to how Modern Authentication works.

In the digital world, the passport is what we call an ID token. This token contains important information: who you are, who created the token, how long it is valid and so on.

Modern Authentication is based on OAuth 2.0. You've most likely encountered this type of authentication before if you've ever used the "Sign in with [Account]" button to allow an application to access your account or verify your identity. What makes it different from Basic Authentication?

Modern Authentication uses tokens issued by an identity provider (for example, Microsoft) instead of the actual password of the user's account (such as their Microsoft account). Tokens are more secure than passwords because they carry specific bits of information, known as claims. These specify additional rules for using the token and accessing the account, such as:

#An expiration date
#Which application can use the token

These rules provide a lot more control over what can be done with a user’s account and its information. 

Accessing a specific service:

Assume you want to give someone access to your mailbox. With Modern Authentication, you can add granular scopes so that they are authorized to access only the mailbox and nothing else.
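As an added example (not part of the original post), here are the checks described above written out in Python: a token carrying an issuer, an audience (the application), an expiry and a scope is accepted only if its signature verifies and every claim matches what the service expects. The issuer URL, application ID and signing secret are constructed placeholders; a real identity provider signs with its own key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real identity provider signs with its own
# (usually asymmetric) key and publishes the verification key.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://login.example.test"   # hypothetical identity provider
EXPECTED_AUDIENCE = "servicedesk-mail-client"    # hypothetical application ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, required_scope: str, now=None):
    """Return (accepted, reason); each check corresponds to a claim from the text."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"          # the anti-counterfeit check
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "unexpected issuer"      # who created the token
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"         # which application may use it
    if claims.get("exp", 0) <= now:
        return False, "token expired"          # expiration date
    if required_scope not in claims.get("scp", "").split():
        return False, "missing scope"          # granular access to one service
    return True, f"access granted to {claims.get('sub')}"
```

Note that the verifier never sees the user's password: a token forged or altered by anyone without the signing key fails the signature check before any claim is read.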

Microsoft has begun officially deprecating Basic Authentication for many Exchange Online protocols, including Exchange Web Services (EWS), Exchange ActiveSync (EAS), IMAP4, POP3, and Remote PowerShell (RPS). Due to the Covid-19 pandemic, Microsoft postponed the Basic Auth retirement from 2020 to the second half of 2021. While this gives organizations much more time to prepare, it's a good idea to get tenants ready before the actual deadline.

In ServiceDesk Plus, you can now configure the mail server with Modern Authentication (OAuth 2.0) for secure and delegated access.