COVID-19 has put reality on hold for everyone for the time being, and that includes security teams. Both Microsoft and Google have postponed a change that would have forced better application security by shutting down an insecure access protocol called Basic Authentication.

Specified in RFC 2617, Basic Authentication is a method of logging applications into online services using a simple username and password combination sent in an HTTP header. You’d use it if you wanted your computer’s productivity software to synchronise with your cloud-based calendar or email service, for example, rather than accessing a web app manually via the browser.

Basic Authentication is convenient because it doesn’t need developers to code cookies or handle login pages. Instead, it just resubmits the credentials with each HTTP request. But it’s insecure because it doesn’t encrypt the login credentials.

Instead, it uses Base64 encoding, which just translates binary content into text. You can overcome that issue using a TLS-protected HTTPS connection, but it still makes it more difficult to implement multi-factor authentication (MFA).