Google ends support for less secure passwords in third-party apps (workaround)
If you use an application or service that requires a Google username and password, then you may not be able to use it anymore after September 30, 2024. This may impact third-party app access to Google, e.g. in email clients or Calendar apps.
There is a Google-suggested option and another that still works, so read on to find out about the change and how to deal with it.
Google announced that it is ending support for Less Secure Apps. This authentication method may be used by apps to integrate a Google account. Basic examples include email clients that accept the Google username and password, or Calendar apps that integrate the Google Calendar after authentication.
Google originally planned to introduce the change in 2020 but postponed it because of the "impact of COVID-19".
The company is dropping support for Less Secure Apps, but that does not mean that third-party apps and services can't be used anymore. Google supports OAuth for authentication. If affected apps and services do support OAuth as well, users may switch to this authentication method to continue using their Google account.
The email client Thunderbird, for instance, switched to OAuth authentication for Google Mail (Gmail) accounts back in 2022. Users were either migrated automatically or asked to complete the authentication process to regain access to their Gmail account in the email client.
One downside of using OAuth in Thunderbird is that it requires cookies to store the token on the user's device. This led to issues if cookies were not enabled in Thunderbird. Google is also ending support for Google Sync.
The advantages of OAuth
OAuth is an open standard authorization protocol. One of its main benefits compared to traditional username and password access is that it may allow access without handing over the password to third parties.
With username and password authentication, you'd have to share the password with the app or service. With OAuth, you still have to authenticate your account, but you do that with the first party.
You tell Google, or any other company that supports OAuth, that you want to give a specific app or service access to your data. Authentication happens with Google in that case and the third-party app or service gets just an authentication token in the process.
The use of Less Secure Apps authentication makes it easier for bad actors to gain unauthorized access to user accounts.
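What a mail client sends to the server under OAuth, as an added example that is not part of the original article: Gmail's IMAP and SMTP servers accept the token through the SASL XOAUTH2 mechanism, so the client holds a bearer token and never sees the account password. The address, token and capability line below are constructed sample values, and the function names are illustrative.

```python
import base64

def xoauth2_raw(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 client response before base64 encoding."""
    for value in (user, access_token):
        # Ctrl-A is the field separator; letting it through would allow
        # one field to smuggle in another.
        if not value or "\x01" in value:
            raise ValueError("empty field or Ctrl-A separator in field")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def xoauth2_wire(user: str, access_token: str) -> str:
    """The base64 string that follows 'AUTHENTICATE XOAUTH2' on the wire."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")

def parse_xoauth2(wire: str) -> dict:
    """Decode a wire string back into its fields (useful when auditing logs)."""
    raw = base64.b64decode(wire, validate=True).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("not a bearer-token response")
    return {"user": fields["user"], "token": token}

def pick_mechanism(capability_line: str, has_token: bool) -> str:
    """Prefer XOAUTH2 when the server advertises it and a token is available."""
    caps = {c.upper() for c in capability_line.split()}
    if has_token and "AUTH=XOAUTH2" in caps:
        return "XOAUTH2"
    if "AUTH=PLAIN" in caps:
        return "PLAIN"  # password-based; needs a password the server accepts
    raise RuntimeError("no supported authentication mechanism advertised")

# Constructed sample values, not real credentials or a captured server reply.
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "constructed-token-123"
SAMPLE_CAPS = "* CAPABILITY IMAP4rev1 SASL-IR AUTH=XOAUTH2 AUTH=PLAIN"

if __name__ == "__main__":
    wire = xoauth2_wire(SAMPLE_USER, SAMPLE_TOKEN)
    print(pick_mechanism(SAMPLE_CAPS, has_token=True), wire)
    print(parse_xoauth2(wire))
```

With Python's imaplib, the raw bytes go to `IMAP4_SSL.authenticate("XOAUTH2", lambda _: raw)`; the library applies the base64 encoding itself.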
The disadvantages
The disabling of Less Secure Apps support at Google impacts all Google customers who still use the authentication method.
Google lists email clients, calendar and contacts applications that may still support Less Secure Apps or do not support OAuth.
This is the case for Outlook 2016 or earlier versions. Google suggests moving to Microsoft 365, a subscription-based service. It gives access to the latest Outlook version. Another suggestion is to switch to the "new" Outlook for Windows or Mac, which also supports OAuth.
The new Outlook replaces Mail and Calendar on Windows. It has been criticized recently for sharing data with data collection services and, in some cases, giving Microsoft access to third-party emails and logins.
Any app that does not support OAuth won't provide access to Google account data anymore after support ends. Some apps and services support both, and it may only be a matter of switching to OAuth to regain access.
App Passwords and Timeline
Google will end support for Less Secure Apps on September 30, 2024. On this day and in the weeks that follow, impacted Google customers will notice that they can't access their accounts and data anymore in third-party apps.
Most may be able to switch to using OAuth, but some may not. It appears that app passwords continue to work.
Google customers may create app passwords for use in third-party apps. An app password is always a 16-digit password that gives an app, service or device access to a Google account. App passwords require that 2-step verification is enabled for the Google account.
You may create app passwords in the following way:
- Sign in to the Google Account.
- Switch to Security.
- Select 2-step verification under "Signing in to Google".
- Find and select App passwords at the bottom of the page.
- Type a name to help with identification of the password.
- Select generate.
- Follow the instructions.
- Select Done.
You may now use the app passwords in third-party apps for authentication and linking of the Google account.
To sum it up: Google customers who connect third-party apps or services to their account may either use OAuth or app passwords to do so.
Now You: do you use third-party apps with your Google account?
I also always stored all messages locally, and had them processed by procmail. When my institution moved from homegrown sendmail to Gsuite 5 years ago, I was able to preserve my arrangement using fetchmail for incoming messages, and occasional IMAP access from my favourite client, Alpine, for daily spam checking and purging Gmail’s Bin (deletion of fetched mail is not honoured).
Now that they moved to 2FA, fetchmail and Alpine did not immediately work. My first fallback was to forward all Gsuite messages to another provider (this way all fetchmail/procmail works), but still I have to do the daily chores (and I do not want to go via webmail). OAUTH2 would require upgrades to Alpine and fetchmail. So I set up an app password, and now both Alpine and potentially fetchmail work as they used to.
My 2 Google accounts never ask for oauth / 2FA authentication tokens. It is set up by Google with sending a prompt to my phone as primary authentication. Why do I need then Auth. apps like Google Authenticator and MS Authenticator when I never have any use for them with Google?
About a year ago I had to switch to app passwords in order to send mail on the devices where I send with Google. In that case, mail just stopped sending and it was a while before I even noticed the problem. Eventually I found some threads to explain it (it wasn’t just me), but I don’t recall now what Google changed to make it necessary or how that differs from what this article is about.
I use app passwords on my old Google account. One needs to enable 2FA anyway for security. I have enabled 2FA with authenticator app as preferred option, plus app passwords for email client. This allows me to log in on new devices without having to approve login from old device as you would if one isn’t using 2FA coz Google security lol
Thanks for the heads up. Because I want/need to store most messages locally, rather than in the cloud, I use an email client. Most mail arrives via a Gmail account. I’ve been considering a switch to another provider. Now you’ve given me a shove, and I’ll be looking into it more seriously. I expect to soon find helpful comments here about Gmail alternatives.
Btw. So glad to see this site back to something like its previous state.
I would use a M$ to sign into my PC before using a google account to sign in anywhere but google.