Friday, January 19, 2024

Google Removing Support for “Less Secure Apps”

Google (September 2023, via Hacker News):

Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This antiquated sign-in method, known as Less Secure Apps (LSAs), puts users at an additional risk since it requires sharing Google Account credentials with third-party apps and devices that can make it easier for bad actors to gain unauthorized access to your account.

Instead, you’ll need to use the option to Sign-In with Google, which is a safer and more secure way to sync your email to other apps. Sign-in with Google leverages industry standard and more secure OAuth method of authentication already used by the vast majority of third-party apps and devices.


This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.

The change has already been made for some non-Workspace accounts. The article seems pretty clear that mail, calendar, and contacts clients that don’t support OAuth will stop working. However, commenters are saying that this is not the case and that you will still be able to use app-specific passwords. App passwords are a bit of a misnomer in that they provide access to the entire Google account, but the passwords are 16 characters and generated by Google.

Benny Kjær Nielsen (2015):

The main problem is that OAuth2 requires me to register MailMate with the service provider (Google/Microsoft). If the provider stops supporting other authentication schemes (which is almost true for Google) then the provider has the power to decide which email clients are allowed to access Gmail. I’m probably too old to trust big companies, but it also reminds me of what happened to third party Twitter and (more recently) Instagram clients.


Google continues to push for the adoption of OAuth2 via the XOAUTH2 protocol. In my opinion, they do that using a lot of FUD as seen in this support article, but that does not mean that OAuth2 is necessarily a bad thing to use. Especially not for something like Google for which a single password provides access to all kinds of services.

And I don’t really have a choice here. When using other authentication methods then Gmail users are often rejected. The exact behavior appears to depend on how long the Google account has existed and whether it has been accessed via IMAP in the past. In particular, I believe new Gmail accounts are rejected by default if not using OAuth2. The best user experience is simply with OAuth2 enabled.

1 Comment RSS · Twitter · Mastodon

Turn on 2FA and use app-specific passwords in your applications and scripts and other places that want to e.g. send mail. This looks bad but it's really just Workspace catching up to consumer Gmail.

Leave a Comment