Google Workspace and OAuth: Say Goodbye to Less Secure Apps
Google Workspace is a powerful tool, but like any valuable resource, it needs to be protected. That's why Google is taking a crucial step to enhance security by phasing out support for less secure apps (LSAs). This means that starting in Fall of 2024, any app that relies solely on your username and password to access your Google Workspace data will no longer work. Its replacement, the standardized OAuth authorization framework, safeguards user privacy and streamlines application access for Google's extensive user base, which exceeds 3 billion globally and includes 10 million Google Workspace subscribers.
But don't panic! This change is a positive move towards a more secure future. This blog post will explain why LSAs are being retired, what the impact will be, and how to smoothly transition to OAuth, a secure authentication framework that's the future of Google Workspace access.
If you are a Google Workspace Administrator, you may have seen this notice within the Google Workspace Admin console.
What are Less Secure Apps?
Imagine your Google Workspace data as your company's confidential files, and your username and password are the keys to your vault. Less secure apps, like the one depicted below, are like handing out those keys to anyone who asks. They access your data without any additional verification, making your entire vault vulnerable if the app itself has weak security measures.
Examples of Less Secure Apps:
- Legacy Email Clients: Older email clients like Outlook, Apple Mail, and Thunderbird often use protocols like IMAP or POP that rely solely on your username and password.
- Third-Party Apps: Calendar and contact management tools, project management software, and other applications might be using LSAs to access your Google Workspace data.
- Custom Integrations: Internal apps built for specific tasks within your organization could also be using outdated authentication methods.
Why are Less Secure Apps Being Retired?
Google is prioritizing the security of your data. LSAs are a significant security risk because:
- They expose your username and password: This makes your account vulnerable to breaches if the app itself has weak security practices.
- They don't provide granular access control: LSAs give apps access to all your data, even if they only need access to a specific part.
What Applications are Affected?
The LSA retirement applies to a wide range of applications that might be integrated with your Google Workspace. Here are some common examples:
- Email Clients: Many traditional email clients like Outlook, Apple Mail, and Thunderbird previously used IMAP or POP protocols to connect to your Gmail account. These protocols often relied on username and password for authentication.
- Calendar and Contact Management Tools: Third-party calendar and contact management apps might have previously accessed your Google Calendar and Contacts data through LSAs.
- Custom Integrations: Any custom in-house applications built to interact with your Google Workspace might need adjustments if they currently rely on LSAs.
Understanding the Impact: A Day in the Life Analogy
Let's use a real-world analogy to illustrate the impact of the LSA retirement. Imagine your Google Workspace data as your house, and your username and password are the keys. With LSAs, you'd be handing over your physical key to any external application that needed access. This poses a significant risk – if that application is compromised, anyone could potentially gain access to your house (data).
OAuth, on the other hand, functions more like a digital keycard system. You grant specific access rights to external applications, allowing them to enter specific areas of your house (data) without needing the master key (username and password). This significantly reduces the risk of unauthorized access and keeps your data more secure. This means:
- Increased security: OAuth tokens expire and can be revoked, reducing the risk of unauthorized access.
- Granular control: You can control exactly what data each app can access.
- Improved user experience: Users can seamlessly access applications without having to remember multiple passwords.
The Future of Secure Access to Your Work Data Using OAuth
OAuth is a secure authorization framework whose development began back in 2006. It eliminates the need for applications to store your username and password directly. Instead, it uses tokens to grant access to specific data within your Google Workspace account. This significantly reduces the risk of unauthorized access and data breaches.
How Do IMAP and POP Authentication Change?
IMAP and POP are email protocols that will still be functional. However, traditional username and password authentication through these protocols for accessing Gmail will no longer work after September 30th. To continue using IMAP or POP with your email client, you'll need to enable OAuth for your Google Workspace account.
The Workaround: Enabling OAuth for IMAP and POP Access
The good news is that most popular email clients already support OAuth for secure access. Here are some resources to help you get started:
- Enabling IMAP/POP for Gmail Accounts: https://support.google.com/mail/answer/7126229?hl=en
- Configuring Email Clients with OAuth: (Refer to your specific email client's documentation)
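To make the change described above concrete, here is an added example (not code from the Suitebriar post, and not Google's own client library) of what "enabling OAuth for IMAP" means at the protocol level: instead of the retired `LOGIN user password` exchange, the client authenticates with the SASL XOAUTH2 mechanism, sending only a short-lived access token. The token itself is assumed to have been obtained beforehand through an OAuth authorization flow granted the `https://mail.google.com/` scope; the e-mail address and token values below are constructed placeholders. The example also handles the failure path, where Gmail answers a rejected token with a second challenge carrying a JSON error document that the client must acknowledge with an empty line.

```python
import imaplib
import json
from typing import Optional

IMAP_HOST = "imap.gmail.com"             # Gmail's IMAP endpoint
MAIL_SCOPE = "https://mail.google.com/"  # OAuth scope Google requires for IMAP/SMTP access


def build_xoauth2_string(user: str, access_token: str) -> bytes:
    """Build the SASL XOAUTH2 initial client response.

    Format (documented by Google):
        user=<email>^Aauth=Bearer <access_token>^A^A
    where ^A is the 0x01 byte. Only the short-lived access token travels to
    the server; the account password never does.
    """
    for value in (user, access_token):
        if "\x01" in value:
            raise ValueError("0x01 separator byte is not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


class XOAuth2Authenticator:
    """Callable handed to imaplib.IMAP4.authenticate().

    imaplib calls it once per server continuation ('+') line, passing the
    challenge already base64-decoded, and base64-encodes whatever it returns.
    First call: send the XOAUTH2 string. If the server rejects the token it
    sends a second continuation carrying a JSON error document; the protocol
    expects an empty reply to that, after which the server answers NO.
    """

    def __init__(self, user: str, access_token: str) -> None:
        self._sasl = build_xoauth2_string(user, access_token)
        self._sent = False
        self.last_error: Optional[dict] = None

    def __call__(self, challenge: bytes) -> bytes:
        if not self._sent:
            self._sent = True
            return self._sasl
        # Second round: the challenge is the error document, e.g.
        # {"status":"400","schemes":"Bearer","scope":"https://mail.google.com/"}
        try:
            self.last_error = json.loads(challenge.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            self.last_error = {"raw": challenge.decode("utf-8", "replace")}
        return b""  # empty line tells the server to finish with its NO response


def open_imap_session(user: str, access_token: str,
                      host: str = IMAP_HOST) -> imaplib.IMAP4_SSL:
    """Connect to IMAP over TLS and authenticate with XOAUTH2.

    This replaces the retired `conn.login(user, password)` call. Raises
    imaplib.IMAP4.error on failure, with the decoded server error attached.
    """
    conn = imaplib.IMAP4_SSL(host)
    auth = XOAuth2Authenticator(user, access_token)
    try:
        conn.authenticate("XOAUTH2", auth)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise imaplib.IMAP4.error(f"XOAUTH2 failed: {auth.last_error or exc}") from exc
    return conn


if __name__ == "__main__":
    # Constructed placeholder values; a real run needs an access token obtained
    # through an OAuth authorization flow granted the MAIL_SCOPE scope.
    session = open_imap_session("user@example.com", "ACCESS_TOKEN_PLACEHOLDER")
    print(session.select("INBOX"))
    session.logout()
```

The same pattern applies to POP (`poplib` has no SASL helper, so the base64-encoded string is sent with `AUTH XOAUTH2`) and to SMTP submission. Because the token is bound to a scope and expires, a leaked token exposes far less than a leaked password, which is the practical reason behind the retirement discussed above.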
View where you use Sign in with Google
How to Check Whether Your Google Workspace Account Has Less Secure App Access Turned On
As a Google Workspace user, you can access the less secure app settings using the following URL: https://myaccount.google.com/u/0/lesssecureapps
This setting is not available for accounts with 2-Step Verification enabled. Such accounts require an application-specific password for less secure app access.
What if a third-party app/device does not offer Login with Google?
As a Google Workspace user, you can sign up for 2-Step Verification and create and use an “App password”. An app password is a 16-digit passcode that gives a less secure app or device permission to access your Google Account. App passwords can only be used with accounts that have 2-Step Verification turned on.
The beauty of app passwords is that, to help protect your account, Google revokes your app passwords when you change your Google Account password. To continue using an app with your Google Account, create a new app password.
Suitebriar is Here to Help!
We understand that transitioning from LSAs to OAuth might seem daunting. But don't worry, Suitebriar is here to support you every step of the way. Our team of Google Workspace experts can help you with:
- Identification: We can help identify applications currently using LSAs within your organization.
- Planning: We can develop a plan for transitioning these applications to OAuth in a phased manner to minimize disruption.
- Configuration: Our team can assist with configuring your email clients and other tools to utilize OAuth for secure access.
Let's Secure Your Google Workspace Together!
The LSA retirement is a positive step towards strengthening the security of your Google Workspace environment. By embracing the switch to OAuth, you'll ensure your data remains protected while maintaining seamless functionality with your essential applications.
For further inquiries or assistance with the transition process, feel free to reach out to Suitebriar – your trusted Google Workspace partner!
Fun Fact: Every single Google employee that I have met in person during my 11-year career uses physical USB-based security keys as an alternative to two-factor authentication (2FA) for 2-step verification (2SV) to help protect their Google accounts.