Google has decided that starting from September 30, 2024, you can no longer sign in to your Google account from third-party apps with just a password. Instead, Google wants everyone to use a safer method called OAuth. This change is important for keeping your account safe from hackers and bad actors.
What is OAuth?
OAuth is a secure way to connect apps to your Google account. Instead of typing your username and password into the app, you sign in with Google and the app receives a special code (an access token). The app never sees your password, so you connect your account securely without giving away your login details. Many popular apps already use this method.
Why is This Change Happening?
Google is making this change to protect users. Using just a password can be risky. Hackers can steal passwords and access your account easily. By switching to OAuth, Google hopes to reduce the chances of unauthorized access. This change is part of Google’s wider effort to increase online security for everyone.
Timeline for the Change
The change will happen in two main stages:
- June 15, 2024:
  - The option to allow Less Secure Apps (LSAs) will disappear from the Admin console.
  - This means that no new settings for password-only access can be enabled after this date.
  - Users who have LSAs allowed can continue using them until September 30, 2024.
- September 30, 2024:
  - Access to all LSAs will be completely turned off.
  - Any app that relies on just a password for connection will stop working.
  - Users must switch to OAuth for their apps to connect.
Impact on Users
This change affects all Google Workspace customers. If you access your Google account through third-party apps, like email applications or calendars, you must adapt to the new sign-in method. Apps like Outlook 2016 and older versions will need upgrades.
To continue using email, calendar, or contacts:
- For Outlook 2016 or older:
  - Users should switch to a newer version of Outlook, like Microsoft 365.
  - Alternatively, you can use Google Workspace Sync for Microsoft Outlook.
- For Thunderbird or similar email clients:
  - Remove your Google account.
  - Re-add it using the IMAP setup with OAuth.
- For macOS and iOS apps:
  - Remove your Google account and then add it back using the “Sign in with Google” option.
Calendar Access
For calendar apps using password-based access, switching to OAuth is essential. Google recommends using the Google Calendar app for the best experience.
If you use the calendar on iOS or macOS:
- Remove your existing account.
- Re-add it by selecting “Sign in with Google.”
Contacts Access
If your contacts app uses password-based CardDAV, you need to switch to OAuth. For affected platforms, remove your account. Then, re-add it using “Sign in with Google” for the OAuth process.
What If You Use Other Apps?
For any other third-party applications:
- Find out if they support OAuth.
- If they do not, switch to apps that do support this method.
- You may also create an app password to use with these unsupported apps.
MDM Providers
Organizations using Mobile Device Management (MDM) should pay attention too. By June 15, 2024, the MDM push for services that rely on password-only access will not work. This includes IMAP, CalDAV, CardDAV, and Google Sync. Admins will need to set up accounts using OAuth instead.
Developers
Developers also need to update their applications. To keep their apps working with Google accounts, they must use OAuth 2.0. This change allows apps to stay connected securely.
For developers, Google provides a guide on how to use OAuth 2.0 effectively. The guide includes detailed instructions for connecting mobile and desktop apps.
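For a mail client that talks IMAP to Gmail, moving from a password to OAuth 2.0 means replacing the password login with the SASL XOAUTH2 mechanism. The Python below is an added example, not code from Google or from this article; it assumes an access token with the https://mail.google.com/ scope has already been obtained through an OAuth 2.0 flow, and the function names and sample values are made up for illustration.

```python
import imaplib


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """Build the raw SASL XOAUTH2 client response (imaplib base64-encodes it)."""
    # Fields are separated by \x01, so a control character inside either value
    # would let it spill into the next field or the next protocol line.
    for value in (user, access_token):
        if not value or any(c in value for c in "\x01\r\n"):
            raise ValueError("empty value or control character in credentials")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def make_authobject(user: str, access_token: str):
    """Return the callback that imaplib calls for each server challenge."""
    def respond(challenge: bytes) -> bytes:
        # First challenge is empty: send the token.
        # A non-empty challenge is the server's error detail after a rejected
        # token; answer with an empty line so the server ends with a clean NO.
        if challenge:
            return b""
        return xoauth2_initial_response(user, access_token)
    return respond


def connect_with_oauth(user: str, access_token: str,
                       host: str = "imap.gmail.com") -> imaplib.IMAP4_SSL:
    """Open an IMAP session without ever handling the account password."""
    conn = imaplib.IMAP4_SSL(host)  # TLS on port 993
    # Before the change a client would have called: conn.login(user, password)
    conn.authenticate("XOAUTH2", make_authobject(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the OAuth 2.0 flow.
    print(xoauth2_initial_response("alice@example.com", "ya29.CONSTRUCTED"))
```

The access token is short-lived, so a client built this way stores only the refresh token and requests a new access token when the server rejects the old one.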
Conclusion
Google’s upcoming changes to third-party app access may seem disruptive, but they are necessary for better security. By moving away from password-based access to OAuth, users will gain additional protection against unauthorized access to their accounts. Every app that connects to Google accounts must adapt to this system.