Legacy Authentication is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. This is in contrast with the term “modern authentication” which provides more security and capabilities.
FDU will block legacy authentication for users on September 19, 2022.
Legacy Authentication Topics
Legacy (or basic) authentication is characterized by:
- A client or network protocol that is incapable or not configured to do modern authentication
- A client which sends both the username and password to the application
- An application using the username and password to get a logon token on behalf of the user
Modern authentication is characterized by:
- a client and service capable and configured to use OpenID Connect, SAML, and/or OAuth 2.0 for authentication AND
- a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above
All Microsoft cloud services are modern authentication capable.
Whether legacy or modern authentication is used is dependent on the client capabilities. To use modern authentication, you can, in many cases, update your client application or change to an alternative client application.
A list of known clients using legacy authentication is available. Transitioning from legacy authentication usually requires the individual user to change the client software they are using, which may require assistance from the Fairleigh Dickinson University Technical Assistance Center (UTAC).
Protection with two-factor authentication (2FA)
Legacy authentication can not be protected by 2FA. Because the password is known to the application accessed via legacy authentication, it is less secure than modern authentication. If legacy authentication is not blocked for your account, 3rd party applications can ask for your credentials and have your password without you being aware they do.
Transition from legacy authentication
For the typical user, the complexity of determining whether you are using legacy authentication is significant. If you are using one of the client applications that does not use modern authentication protocols (see section below for a list of known clients using legacy authentication), you should replace them. If you don’t have one of these client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.
In most cases, users will need to do one or more of the following:
- Update their application to a version that supports modern authentication protocols
- Upgrade to the latest version of their phone operating system
- Remove and re-add their FDU account in the configuration of their iOS or macOS application so it will use modern authentication protocols
All three of these actions are informed by the list of known insecure client apps. FDU IT doesn’t know your devices like you do, nor do we manage which client applications you use, so only you can identify where action needs to be taken.
If you don’t seem to have one of the insecure client applications but still suspect you have legacy authentication, For the typical user, the complexity of determining whether you are using legacy authentication is significant. If you are using one of the client applications that does not use modern authentication protocols (see section below for a list of known clients using legacy authentication), you should replace them. If you don’t have one of these client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.
- Open “Settings“
- Choose “Calendar” or “Mail“
- Choose “Accounts“
- Choose “Exchange” or “Google” – make sure you are choosing an account in the format email@example.com
- Choose “Delete account“
- Confirm the deletion by choosing “Delete from my iPhone“
- Open the “Gmail App“
- Tap the Account icon in the top right to view all existing accounts
- Tap “Manage Accounts on this device“
- Select your @fdu.edu mail account from the list
- Tap “Remove account“
To add your FDU Email account to an iOS device’s native “Mail” app follow the instructions on the link below:
This list is not intended to be comprehensive; it is only a list of known client applications. If you have one which should be added, please let us know.
|Client App||FDU IT Recommendation||Notes|
|Outlook 2010 or earlier||Replace with one of the supported email clients|
|Outlook 2013 without special settings enabled||Replace with one of the supported email clients||Alternate resolution (not supported by FDU-IT): Enable Modern authentication for Office 2013 on Windows devices – Microsoft 365 admin | Microsoft Docs|
|Mail or Calendar on iOS11 or newer||Replace with one of the supported email clients||Alternate resolution (not supported by FDU-IT): Remove FDU account on device, then re-add FDU account.|
These apps now support modern authentication, but that support was only recently added and any account setup previously is “stuck” in legacy authentication. You’ll need to delete the account and set it back up fresh to get modern authentication. Apple plans to release an update which automatically fixes this.
|Mail or Calendar on iOS 10 or lower||Replace with one of the supported email clients||Alternate resolution: upgrade to iOS 11 or newer, then follow resolutions for that scenario|
|Any client application on iPhone 5 and lower||Use OWA or replace this device|
|Any client application on iPad 4th generation and lower||Use OWA or replace this device|
|Eudora||Replace with one of the supported email clients|
|Pine||Replace with one of the supported email clients|
|Thunderbird||Replace with one of the supported email clients|
|Mac Mail on Mac OS 10.13 or earlier||Replace with one of the supported email clients||Alternate resolution (not supported by FDU-IT): Upgrade macOS, remove FDU account on device, then re-add FDU account|
|Any client application on Chromebooks||Use OWA or replace this device|
|Sharepoint Designer 2013||Retire use of this discontinued tool.||Contact FDU IT for more information|
You may see an email in your FDU inbox like this:
While the email message says it was sent by your IT department, it was not. This email message wasn’t actually sent–it only exists on your mobile device and was created to alert you to the fact that your client application can’t sign into your account. Your email access has not been blocked–it is only that this client application is broken. You can verify for yourself that your email access was not blocked by going to Outlook on the Web. And the reason the client application is broken is because it can only do legacy authentication OR it only has cached credentials which are based on legacy authentication.
There are several ways to determine if you’re using Basic authentication or Modern authentication. If you’re using Basic authentication, you can determine where it’s coming from and what to do about it.
A simple way to tell if a client app (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that’s presented when the user logs in.
Modern authentication displays a web-based login page:
Basic authentication presents a dialog credential modal box:
On a mobile device, you’ll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.
You can also check the connection status dialog box, by “CTRL + right-clicking” the Outlook icon in the system tray, and choosing Connection Status.
When using Basic authentication, the “Authn” column in the “Outlook Connection Status” dialog shows the value of “Clear“.
Once you switch to Modern authentication, the “Authn” column in the Outlook Connection Status dialog shows the value of “Bearer“.