Limiting access to less secure apps to protect G Suite accounts
On October 30, 2019, we’ll begin removing the setting to “Enforce access to less secure apps for all users” from the Google Admin console. This setting should disappear from your Admin console by the end of year.
If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead. You’ll no longer have the option to enforce access to LSAs at the domain level.
Following this change, if you “Allow users to manage their access to less secure apps,” users will still have the option to access LSAs, provided the “Less secure app access” setting is enabled at the individual user account level. To minimize disruption in domains where we’ve automatically changed the setting from “Enforce access” to “Allow users to manage their access,” this account-level setting will be on by default at the time of the change for all active users of LSAs.
If a user has previously opted to let LSAs access their account, but no LSAs have connected to their account in some time, we’ll turn this account-level setting off for them. They can manually reenable this setting at any time at myaccount.google.com/lesssecureapps (provided their admin allows them to do so).
Admins and end users
Why it’s important
We’re making this change to protect your users. LSAs connect to Google accounts using only a username and password, which makes them vulnerable to hijacking. Whenever possible, users should connect to their accounts via OAuth, a more secure method. OAuth allows third-party apps to use Google account information without seeing a user’s password, and it gives admins security controls like the ability to whitelist certain apps and offer scope-based account access.
Visit the Help Center to learn more about managing OAuth-based access to connected apps.
How to get started
- Admins: No action is required, but we recommend the following:
- If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
- Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
- Review our list of alternatives to less secure apps.
- Prepare your users and internal help desks for the change.
- Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs.
End users: Visit the Help Center to learn more about LSAs and your account.
See below for FAQs.
What is a less secure app (LSA)?
A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking.
I have an app that cannot use OAuth; what do I do?
Choose the “Allow users to manage their access to less secure apps” option in the Admin console, and ensure that users who need to use the app enable the “Less secure app access” setting at myaccount.google.com/lesssecureapps. We also recommend contacting the app’s developer and asking them to provide support for OAuth, as this is the more secure option.