What Is Modern Authentication?

Microsoft (and others) want to change how you sign in to desktop email programs.

OAuth2, aka a "Modern authentication method", removes the burden of authentication from the email program to the email service itself, enabling a number of important security features.
Password Auth versus OAuth2
Two ways to set up how you sign in: the old way with a password, and the new way with OAuth2. (Image: askleo.com)
Question: Both Thunderbird’s and Microsoft’s instructions on Thunderbird Settings allow one to select OAuth2 as an Authentication Method for incoming mail. However, in the Outgoing Server settings, OAuth2 does not appear in the available settings for Authentication Method. How to accommodate Microsoft’s new requirement to use “Modern Authentication Methods” in Thunderbird, particularly how to get Thunderbird to show OAuth2 as one of the options for Authentication Method in the Outgoing Server Settings?

I’m not sure I can get you what you want only for outgoing (SMTP) email. However, we can certainly set up both incoming and outgoing email to use OAuth2, the so-called “modern authentication method”.

I’ll show you how to do that and explain why it’s both modern and necessary.

TL;DR:

Modern authentication: how and why

To accommodate Microsoft’s “Modern Authentication Methods” in many email programs, you need to set up the entire email account, including both incoming and outgoing mail, using OAuth2. During setup, the program hands off authentication to Microsoft, enabling enhanced security that includes two-factor, passwordless authentication, and more.

I’ll be using Thunderbird as my example throughout this article, but the concepts apply to most email programs capable of supporting OAuth2 (Open Authentication version 2, a new protocol for signing in to online services).

Outgoing Setup

As I alluded to above, I’m not aware of a way to set up only outgoing mail to use OAuth2. The only option seems to be to use the traditional username and password.

Outgoing./SMTP setup in Thunderbird.
Outgoing/SMTP setup in Thunderbird. (Screenshot: askleo.com)

As you point out, there’s nothing “modern” about the connection and security selections; OAUth2 isn’t on the list.

What we need to do is set up the account from scratch to use OAuth2 for everything, including incoming email.

Account Setup

When you set up a new email account in Thunderbird, magic kinda happens. For example, I’m about to add a Hotmail account. Note that I haven’t specified a password (though I could; it doesn’t matter).

Setting up a Hotmail account in Thunderbird.
Setting up a Hotmail account in Thunderbird. Click for larger image. (Screenshot: askleo.com)

As soon as I hit “Continue”, a new and different dialog is presented.

Mkicrosoft account sign-in.
Microsoft account sign-in. Click for larger image. (Screenshot: askleo.com)

Here’s what’s different: this is not Thunderbird. Thunderbird has handed off the process of authentication to the mail service handling the account; in this case, a webpage presented directly by Microsoft’s servers. Once you fulfill the request (password, 2FA, or something else), you’ll be asked to confirm some permissions.

Telling Microsoft Thunderbird has permission.
Telling Microsoft Thunderbird has your permission. (Screenshot: askleo.com)

You’re then returned to where you started.

Completing account configuration in Thunderbird.
Completing account configuration in Thunderbird. Click for larger image. (Screenshot: askleo.com)

Click on Done, and the account is configured…

… and so is your outgoing mail.

Outgoing email configuration.
Outgoing email configuration. Click for larger image. (Screenshot: askleo.com)

That’s it. You’re done.

Maybe someday, email programs will allow you to configure outgoing credentials using OAuth2 separately, but for now, this is it.

Why all the hoopla?

In a nutshell, increased security.

OAuth2 enables your email account to use:

Since the authentication is not being performed by Thunderbird, email services can use whatever techniques they want, now and in the future, to confirm you are who you say you are.

The process for Thunderbird was:

  1. Ask the email provider (in this case, Microsoft) to authenticate you using your email address.
  2. Once you’re authenticated, Thunderbird receives and saves a secure token.
  3. It then uses that token when connecting to the email service in the future.

With the rise of passwordless, two-factor, and other alternative authentication mechanisms, OAuth2 removes the burden of understanding from the email program and places it in the hands of the online service using or requiring it.

And Microsoft thinks that’s more “modern” than the old username/password system.

Microsoft and other email providers are rolling out modern authentication now and will eventually make it a requirement. When that happens, you’ll need to re-setup your email account in your desktop email program if it’s still using password-based “legacy” authentication.

Do this

When you’re setting up an account, use OAuth2. Even if you still choose to use username/password to authenticate, OAuth2 gives you other options in the future.

Once you’ve got your email configured, subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

4 comments on “What Is Modern Authentication?”

  1. Leo,

    This explains a lot of my email client battles recently trying to access the ISP’s email using MS Outlook 2010 as my email client. While their support was totally unhelpful, they did manage to mention that Microsoft had made some changes which they had adopted. Now, 2with your article, the pieces are finally starting to fall into place.

    My question for you is what versions of MS Outlook client support the new OAuth2 security? I had tried upgrading to Microsoft 365 to get the latest version of Outlook, but authentication still didn’t work. And I did rebuild the email account from scratch but never saw anything that referenced a new authentication option. Any clues as to what I may have done wrong?

    Thanks.

    Reply
  2. A very helpful article, Leo: I am also having a battle accessing my messages via Basic Authentication and have only discovered the reason for the problem through extensive searches.
    As I understand it, only Office Outlook from 2021 natively supports Modern Authentication, but versions from 2013 can be updated.
    For those needing a client which will work on older versions of Windows, the makers of OE Classic state that their program functions on all from 2000 to 11; furthermore, it is fully up-to-date and has supported Modern Authentication for the last two years.
    For my part, I wish MS were providing some alternative which would enable me to keep using my present program: they can surely afford an alternative server for those who need one.

    Reply
  3. I have two applications that require SMTP access only. These are the two backup programs I use (Macrium Reflect and Acronis True Image). They use email to send notifications with the result each time a backup is run (successful, failed, etc.).

    For many years I had used my email address provided by my ISP (username, password) without problem, but they have closed down their email servers, forcing me to use my Gmail address to send notiifications. Gmail considered my backup programs to be insecure, forcing me to jump through the hoops to implement “app passwords” for each program. I didn’t see any reference or option regarding Oauth2.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.