Legacy Authentication

Legacy Authentication is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. It contrasts with “modern authentication”, which provides more security and capabilities.

ALERT

FDU will block legacy authentication for users on September 19, 2022.

Legacy Authentication Topics

Background

Legacy (or basic) authentication is characterized by:

  • A client or network protocol that is incapable of, or not configured for, modern authentication
  • A client which sends both the username and password to the application
  • An application using the username and password to get a logon token on behalf of the user

Modern authentication is characterized by:

  • a client and service capable and configured to use OpenID Connect, SAML, and/or OAuth 2.0 for authentication AND
  • a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above

All Microsoft cloud services are modern authentication capable.

Whether legacy or modern authentication is used depends on the client's capabilities. To use modern authentication, you can, in many cases, update your client application or change to an alternative client application.

A list of known clients using legacy authentication is available. Transitioning from legacy authentication usually requires the individual user to change the client software they are using, which may require assistance from the Fairleigh Dickinson University Technical Assistance Center (UTAC).

Protection with two-factor authentication (2FA)

Legacy authentication cannot be protected by 2FA. Because the password is known to the application accessed via legacy authentication, it is less secure than modern authentication. If legacy authentication is not blocked for your account, third-party applications can ask for your credentials and have your password without your being aware of it.
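For HTTP-based clients, the difference described in the Background section and above is visible in the Authorization header the client sends. The following Python is an added example, not FDU or Microsoft code; the function names, the sample account, password and token claims are constructed for illustration.

```python
import base64
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def classify_authorization(header: str) -> dict:
    """Classify one HTTP Authorization header value as legacy or modern."""
    scheme, _, value = header.strip().partition(" ")
    scheme, value = scheme.lower(), value.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:
            return {"kind": "malformed", "scheme": "basic"}
        user, sep, _password = decoded.partition(":")
        if not sep:
            return {"kind": "malformed", "scheme": "basic"}
        # Base64 is an encoding, not encryption: the receiving service holds the password.
        return {"kind": "legacy", "scheme": "basic", "user": user, "password_exposed": True}
    if scheme == "bearer":
        result = {"kind": "modern", "scheme": "bearer", "password_exposed": False}
        parts = value.split(".")
        if len(parts) == 3:  # JWT-shaped token: read claims without trusting them
            try:
                claims = json.loads(b64url_decode(parts[1]))
            except ValueError:
                claims = None
            if isinstance(claims, dict):
                result["audience"] = claims.get("aud")  # token is scoped to one service
                result["expires"] = claims.get("exp")   # and stops working after this time
        return result
    return {"kind": "unknown", "scheme": scheme}

# Constructed samples: the password, audience and expiry are made up.
BASIC_SAMPLE = "Basic " + base64.b64encode(b"fdunetid@fdu.edu:Example-Passw0rd").decode()
CLAIMS = {"aud": "https://mail.example.edu", "exp": 1663545600}
BEARER_SAMPLE = "Bearer " + ".".join(
    [b64url_encode(b'{"alg":"none"}'), b64url_encode(json.dumps(CLAIMS).encode()), "sig"]
)

if __name__ == "__main__":
    for sample in (BASIC_SAMPLE, BEARER_SAMPLE):
        print(classify_authorization(sample))
```

The Basic header hands the application a reusable password on every request, which is why a second factor cannot be enforced on it; the Bearer token carries only an audience and an expiry issued by the identity provider.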

Transition from legacy authentication

For the typical user, the complexity of determining whether you are using legacy authentication is significant. If you are using one of the client applications that does not use modern authentication protocols (see section below for a list of known clients using legacy authentication), you should replace it. If you don’t have one of these client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.

How Do I Address My Use of Legacy Authentication

In most cases, users will need to do one or more of the following:

  • Update their application to a version that supports modern authentication protocols
  • Upgrade to the latest version of their phone operating system
  • Remove and re-add their FDU account in the configuration of their iOS or macOS application so it will use modern authentication protocols

All three of these actions are informed by the list of known insecure client apps. FDU IT doesn’t know your devices like you do, nor do we manage which client applications you use, so only you can identify where action needs to be taken.

If you don’t seem to have one of the insecure client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.

To Remove your FDU Account on iOS

  1. Open “Settings”
  2. Choose “Calendar” or “Mail”
  3. Choose “Accounts”
  4. Choose “Exchange” or “Google” – make sure you are choosing an account in the format fdunetid@fdu.edu
  5. Choose “Delete account”
  6. Confirm the deletion by choosing “Delete from my iPhone”

To Remove your FDU Account on Android

  1. Open the “Gmail App”
  2. Tap the Account icon in the top right to view all existing accounts
  3. Tap “Manage Accounts on this device”
  4. Select your @fdu.edu mail account from the list
  5. Tap “Remove account”

To Re-add your FDU Exchange Account on iOS and Android

To add your FDU Email account to an iOS device’s native “Mail” app follow the instructions on the link below:

List of Known Clients Using Legacy Authentication

This list is not intended to be comprehensive; it is only a list of known client applications. If you have one which should be added, please let us know.

| Client App | FDU IT Recommendation | Notes |
| --- | --- | --- |
| Outlook 2010 or earlier | Replace with one of the supported email clients | |
| Outlook 2013 without special settings enabled | Replace with one of the supported email clients | Alternate resolution (not supported by FDU-IT): “Enable Modern authentication for Office 2013 on Windows devices” (Microsoft 365 admin, Microsoft Docs) |
| Mail or Calendar on iOS 11 or newer | Replace with one of the supported email clients | Alternate resolution (not supported by FDU-IT): Remove FDU account on device, then re-add FDU account. These apps now support modern authentication, but that support was only recently added and any account set up previously is “stuck” in legacy authentication. You’ll need to delete the account and set it back up fresh to get modern authentication. Apple plans to release an update which automatically fixes this. |
| Mail or Calendar on iOS 10 or lower | Replace with one of the supported email clients | Alternate resolution: upgrade to iOS 11 or newer, then follow resolutions for that scenario |
| Any client application on iPhone 5 and lower | Use OWA or replace this device | |
| Any client application on iPad 4th generation and lower | Use OWA or replace this device | |
| Eudora | Replace with one of the supported email clients | |
| Pine | Replace with one of the supported email clients | |
| Thunderbird | Replace with one of the supported email clients | |
| Mac Mail on Mac OS 10.13 or earlier | Replace with one of the supported email clients | Alternate resolution (not supported by FDU-IT): Upgrade macOS, remove FDU account on device, then re-add FDU account |
| Any client application on Chromebooks | Use OWA or replace this device | |
| SharePoint Designer 2013 | Retire use of this discontinued tool. | Contact FDU IT for more information |

Known Problem: Your Email Access Has Been Blocked

You may see an email in your FDU inbox like this:

While the email message says it was sent by your IT department, it was not. This email message wasn’t actually sent; it exists only on your mobile device and was created to alert you to the fact that your client application can’t sign into your account. Your email access has not been blocked; it is only that this client application is broken. You can verify for yourself that your email access was not blocked by going to Outlook on the Web. The client application is broken because it can only do legacy authentication or because it only has cached credentials which are based on legacy authentication.

How Do You Know if You Will Be Impacted?

There are several ways to determine if you’re using Basic authentication or Modern authentication. If you’re using Basic authentication, you can determine where it’s coming from and what to do about it.

Authentication dialog

A simple way to tell if a client app (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that’s presented when the user logs in.

Modern authentication displays a web-based login page:

Basic authentication presents a modal credential dialog box:

On a mobile device, you’ll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.

You can also check the connection status dialog box, by “CTRL + right-clicking” the Outlook icon in the system tray, and choosing Connection Status.

When using Basic authentication, the “Authn” column in the “Outlook Connection Status” dialog shows the value of “Clear”.

Once you switch to Modern authentication, the “Authn” column in the Outlook Connection Status dialog shows the value of “Bearer”.
