skip to Main Content
Welcome to Gimasys!
Hotline: +84 974 417 099 (HCM) | +84 987 682 505 (HN)

Limiting access to less secure apps to protect G Suite accounts

What’s changing 

On October 30, 2019, we’ll begin removing the setting to “Enforce access to less secure apps for all users” from the Google Admin console. This setting should disappear from your Admin console by the end of year.



If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead. You’ll no longer have the option to enforce access to LSAs at the domain level.


Following this change, if you “Allow users to manage their access to less secure apps,” users will still have the option to access LSAs, provided the “Less secure app access” setting is enabled at the individual user account level. To minimize disruption in domains where we’ve automatically changed the setting from “Enforce access” to “Allow users to manage their access,” this account-level setting will be on by default at the time of the change for all active users of LSAs.


Giới hạn quyền truy cập vào các ứng dụng kém an toàn hơn để bảo vệ tài khoản G Suite


If a user has previously opted to let LSAs access their account, but no LSAs have connected to their account in some time, we’ll turn this account-level setting off for them. They can manually reenable this setting at any time at (provided their admin allows them to do so).


Who’s impacted

Admins and end users


Why it’s important

We’re making this change to protect your users. LSAs connect to Google accounts using only a username and password, which makes them vulnerable to hijacking. Whenever possible, users should connect to their accounts via OAuth, a more secure method. OAuth allows third-party apps to use Google account information without seeing a user’s password, and it gives admins security controls like the ability to whitelist certain apps and offer scope-based account access.


Visit the Help Center to learn more about managing OAuth-based access to connected apps.


How to get started


  • Admins: No action is required, but we recommend the following:
    • If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
    • Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
    • Review our list of alternatives to less secure apps.
    • Prepare your users and internal help desks for the change.
    • Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs.

End users: Visit the Help Center to learn more about LSAs and your account


Additional details


See below for FAQs.


What is a less secure app (LSA)?

A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking. 


I have an app that cannot use OAuth; what do I do? 

Choose the “Allow users to manage their access to less secure apps” option in the Admin console, and ensure that users who need to use the app enable the “Less secure app access” setting at We also recommend contacting the app’s developer and asking them to provide support for OAuth, as this is the more secure option.



Back To Top
0974 417 099