Home  /   News  /   Google will turn off less secure app access to G Suite accounts

Google will turn off less secure app access to G Suite accounts

Google will turn off less secure app access to G Suite accounts

Google will limit less secure apps (LSAs) accessing G Suite accounts

LSAs are non-Google apps that can access your Google account with the username and password. This makes accounts much more vulnerable to hijacking attempts. Instead of LSAs, apps that support OAuth— a modern and secure access method, should be used.

The securest way to protect against others hacking your accounts is to use a Multi Factor Authentication (MFA), which requires you to enter an additional code or a verification from another device to access your account. By implementing an authentication protocol users are 99.9% less likely to be compromised (source).

Using an authentication protocol will help to identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have the username and password. Such details are possible to find, as seen through Phishing and Credential Stuffing. By using an authentication protocol users can be verified with an extra level of protection. Authentication also helps Google enforce G Suite admin defined login policies, for example security controls such as whitelisting apps and offering scope-based account access.

Deadlines:

After June 15, 2020 –

  • Users will not be allowed to connect to an LSA for the first time. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV, IMAP, and Exchange ActiveSync (Google Sync).

    • Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.

After February 15, 2021 –

  • Access to LSAs will be turned off for all G Suite accounts.
  • MDM configuration of CalDAV and CardDAV will no longer work for existing users. All existing users will be required to re-add their Google accounts if they wish to sync contacts, calendar, or email.

What to do:

Admins

If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, admins will need to push the Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth. See here for more information.

Devices

No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails.

Email

  • Outlook 2016 or earlier, use G Suite Sync for Microsoft Outlook. Alternatively, move to Office 365 (or Outlook 2019), which supports OAuth access.
  • Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth.
  • Mail app on iOS or MacOS, or Outlook for Mac, and uses only a password to login, need to be removed and re-added. When adding it back, be sure to choose Google as the account type to automatically use OAuth.

Calendar

  • If CalDAV is used to give an app or device access to a calendar, switch to a method that supports OAuth. The Google Calendar app is recommended by Google.
  • If the G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to login, the account will need to be removed and re-added. When adding it back, be sure to select “sign in with Google” to automatically use OAuth.

Contacts

  • If the G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, the account will need to be removed and re-added. When adding it back, be sure to select “sign in with Google” to automatically use OAuth.
  • If the G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth.

Please contact us if you require further information or advice in catering for this change, and moving to secure applications and apps to use with G Suite.