A couple of years ago, Google starting warning users that certain third-party apps that access its business-oriented G Suite might not be secure. Now, it’s taking that to the next level by blocking any “less secure apps (LSAs)” that try to access G Suite with only a username and password. Going forward, Google will only support the much more secure OAuth system, which it first adopted for Gmail way back in 2010.
Google is phasing out less secure apps gradually so as not to upset users who currently rely on them. After June 15th, 2020, you’ll no longer be able to connect to an LSA for the first time, and after February 15th, 2021, “access to all LSAs will be turned off for all G Suite accounts,” Google said.
The Big G noted that these apps put accounts at a risk of hijacking. “If a bad actor got access to your username and password, they could access your account data with just that username and password information through an LSA,” the G Suite team wrote in a blog post. When using OAuth, by contrast, Google can “identify and prevent suspicious login attempts,” even if attackers have your username and password.
Google notes that the changes will affect many typical business network systems like IMAP, CalDAV, CardDAV, Exchange ActiveSync and more. iOS, Thunderbird and other email clients will continue to work, but you may have to remove and re-add your account. In any case, if your business relies on any third-party apps, you might want to check that you’ll be okay — if the previous warnings didn’t persuade you already.