Limiting access to less secure apps to protect G Suite accounts
Monday, July 29, 2019
If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead. You’ll no longer have the option to enforce access to LSAs at the domain level.
Following this change, if you “Allow users to manage their access to less secure apps,” users will still have the option to access LSAs, provided the “Less secure app access” setting is enabled at the individual user account level. To minimize disruption in domains where we’ve automatically changed the setting from “Enforce access” to “Allow users to manage their access,” this account-level setting will be on by default at the time of the change for all active users of LSAs.
If a user has previously opted to let LSAs access their account, but no LSAs have connected to their account in some time, we’ll turn this account-level setting off for them. They can manually re-enable this setting at any time at myaccount.google.com/lesssecureapps (provided their admin allows them to do so).
Visit the Help Center to learn more about managing OAuth-based access to connected apps.
- Admins: No action is required, but we recommend the following:
- If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
- Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
- Review our list of alternatives to less secure apps.
- Prepare your users and internal help desks for the change.
- Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs.
- End users: Visit the Help Center to learn more about LSAs and your account.
See below for FAQs.
What is a less secure app (LSA)?
A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking.
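To make the distinction concrete, here is an added example (not Google’s code and not part of the original announcement) contrasting the two ways a mail client can authenticate to Gmail over IMAP: the LSA path, where the client sends the account password in an IMAP LOGIN command, and the OAuth path, where it sends a scoped, revocable OAuth 2.0 access token via the SASL XOAUTH2 mechanism. The XOAUTH2 initial client response format (`user=<email>^Aauth=Bearer <token>^A^A`, with `^A` being byte 0x01) is the one Google documents for Gmail; the host `imap.gmail.com` is Gmail’s IMAP endpoint. The user name and token in the demo are constructed placeholders, and the two connect functions are shown for contrast and are not run offline.

```python
"""Contrast a less secure app (IMAP LOGIN with a password) with OAuth-based
IMAP (SASL XOAUTH2 with an access token). Added example, not Google's code."""
import base64
import imaplib
from typing import Callable

IMAP_HOST = "imap.gmail.com"   # Gmail IMAP endpoint (TLS)
IMAP_PORT = 993


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the raw SASL XOAUTH2 initial client response.

    Layout: user=<email>\\x01auth=Bearer <token>\\x01\\x01
    imaplib base64-encodes this itself when it is returned from the
    authobject passed to IMAP4.authenticate().
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("ascii")


def xoauth2_base64(user: str, access_token: str) -> str:
    """Base64 form, for protocols where the client must encode the response
    itself (e.g. SMTP: 'AUTH XOAUTH2 <this string>')."""
    return base64.b64encode(xoauth2_initial_response(user, access_token)).decode("ascii")


def xoauth2_authobject(user: str, access_token: str) -> Callable[[bytes], bytes]:
    """Return the callback imaplib invokes during the AUTHENTICATE exchange."""
    def authobject(challenge: bytes) -> bytes:
        if challenge:
            # A non-empty challenge means the server is reporting an error
            # (decoded JSON); reply with an empty line to end the exchange so
            # the tagged NO response is delivered instead of a hang.
            return b""
        return xoauth2_initial_response(user, access_token)
    return authobject


def lsa_login(user: str, password: str) -> imaplib.IMAP4_SSL:
    """The less secure app path: the account password itself is sent in an
    IMAP LOGIN command. This is exactly what the 'Less secure app access'
    setting gates, and a phished or reused password is all a hijacker needs."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT)
    conn.login(user, password)
    return conn


def oauth_login(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """The OAuth path: the app never sees the password, the token is limited
    to the scopes the user granted, and the grant can be revoked centrally."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT)
    conn.authenticate("XOAUTH2", xoauth2_authobject(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed placeholder values; no network call is made here.
    demo_user, demo_token = "alice@example.com", "ya29.EXAMPLE-TOKEN"
    print(xoauth2_initial_response(demo_user, demo_token))
    print(xoauth2_base64(demo_user, demo_token))
```

Note the asymmetry the page is pointing at: with `lsa_login` the third-party app holds a credential that unlocks the whole account and cannot be scoped, whereas with `oauth_login` the admin can whitelist or revoke the app without touching the user’s password.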
I have an app that cannot use OAuth; what do I do?
Choose the “Allow users to manage their access to less secure apps” option in the Admin console, and ensure that users who need to use the app enable the “Less secure app access” setting at myaccount.google.com/lesssecureapps. We also recommend contacting the app’s developer and asking them to provide support for OAuth, as this is the more secure option.
Admin Help Center: Whitelist connected apps
End User Help Center: Less secure apps & your Google Account
Developer Guide: Using OAuth 2.0 to Access Google APIs
- Rapid Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on October 30, 2019
- Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on October 30, 2019
G Suite editions
- Available to all G Suite editions
On/off by default?
- The “Enforce access to less secure apps for all users” setting will be removed for ALL domains.
- If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead.
- If the “Allow users to manage their access to less secure apps” setting is selected for your domain when this change takes place, it will remain selected.
- If the “Disable access to less secure apps for all users” setting is selected for your domain when this change takes place, it will remain selected.