Google ends support for less secure passwords in third-party apps (workaround)
If you use an application or service that requires a Google username and password, then you may not be able to use it anymore after September 30, 2024. This may impact third-party app access to Google, e.g. in email clients or Calendar apps.
There is a Google suggested option and another that still works, so read on to find out all about the change and how to deal with it.
Google announced that it is ending support for Less Secure Apps. This authentication method may be used by apps to integrate a Google account. Basic examples include email clients that accept the Google username and password, or Calendar apps that integrate the Google Calendar after authentication.
Google planned to introduce the change in 2020 already but postponed it because of the "impact of COVID-19".
The company is dropping support for Less Secure Apps, but that does not mean that third-party apps and services can't be used anymore. Google supports OAuth for authentication. If affected apps and services do support OAuth as well, users may switch to this authentication method to continue using their Google account.
The email client Thunderbird, for instance, switched to Oauth authentication for Google Mail (Gmail) accounts back in 2022. Users were either migrated automatically or asked to complete the authentication process to regain access to their Gmail account in the email client.
One downside of using OAuth in Thunderbird is that it requires cookies to store the token on the user's device. This led to issues if cookies were not enabled in Thunderbird. Google is also ending support for Google Sync.
The advantages of OAuth
OAuth is an open standard authorization protocol. One of the main benefits of it when compared to traditional username and password access is that it may allow access without handing over the password to third-parties.
With username and password authentication, you'd have to share the password with the app or service. With Oauth, you still have to authenticate your account, but you do that with the first-party.
You tell Google, or any other company that supports OAuth, that you want to give a specific app or service access to your data. Authentication happens with Google in that case and the third-party app or service gets just an authentication token in the process.
The use of Less Secure Apps authentication makes it easier for bad actors to gain unauthorized access to user accounts.
The disabling of Less Secure Apps support at Google impacts all Google customers who still use the authentication method.
Google lists email clients, calendar and contacts applications that may still support Less Secure Apps or do not support OAuth.
This is the case for Outlook 2016 or earlier versions. Google suggests to move to Microsoft 365, a subscription-based service. It gives access to the latest Outlook version. Another suggestion is to switch to the "new" Outlook for Windows or Mac, which also support OAuth.
The new Outlook replaces Mail and Calendar on Windows. It has been criticized recently for sharing data with data collection services and, in some cases, giving Microsoft access to third-party emails and logins.
Any app that does not support OAuth won't provide access to Google account data anymore after end of support. Some apps and services support both, and it may only be a matter of switching to OAuth to regain access.
App Passwords and Timeline
Google will end support for Less Secure Apps on September 30, 2024. On this day and in the weeks that follow, impacted Google customers will notice that they can't access their accounts and data anymore in third-party apps.
Most may be able to switch to using OAuth, but some may not. It appears that app passwords continue to work.
Google customers may create app passwords for use in third-party apps. An app password is always a 16-digit password that gives an app, service or device access to a Google account. App passwords require that 2-step verification is enabled for the Google account.
You may create app passwords in the following way:
- Sign-in to the Google Account.
- Switch to Security.
- Select 2-step verification under "Signing in to Google".
- Find and select App passwords at the bottom of the page.
- Type a name to help with identification of the password.
- Select generate.
- Follow the instructions.
- Select Done.
You may now use the app passwords in third-party apps for authentication and linking of the Google account.
To sum it up: Google customers who use connect third-party apps or services to their account may either use OAuth or app passwords to do so.
Now You: do you use third-party apps with your Google account?Advertisement