Executive Summary
From 13th October 2020 Microsoft will discontinue support for Basic Authentication for EWS, EAS, IMAP, POP and RPS. This does not (currently) impact SMTP AUTH. Only applications which use secure authentication technologies, such as OAuth 2.0, will continue to work.
Details
In just over one year’s time Microsoft will end support for Basic Authentication. This method of logging in is very simple, and widely supported, but makes it far too simple for someone malicious to intercept your credentials. Quite simply it’s no longer good enough. Microsoft want all users of their service – which includes all Oxford University staff and students – to switch to ‘Modern Authentication’ technologies before October 2020. These use OAuth 2.0 token-based authentication, which is more secure because the tokens are application-specific and time-limited, and therefore can’t be re-used.
For message sending you can continue to use Basic Authentication in SMTP AUTH, for the foreseeable future, but we would urge you to seek a more secure alternative if possible.
Impact
It is likely that many POP/IMAP clients will be affected. Microsoft will be adding support for OAuth to both POP3 and IMAP4 services over the next few months, so you should update to a client that supports Modern Authentication as soon as possible.
Most mobile devices will be connecting via the ActiveSync protocol. Microsoft’s advice is to switch to Outlook Mobile, although there are other applications which also support Modern Authentication if you prefer a non-Microsoft client.