The clock is ticking for businesses using what Google defines as a "less secure app" (LSA) to access services like its G Suite mail, calendar and contacts. New accounts will be blocked from using LSAs from June 15 2020, and all access will be disabled on February 15 2021.
Google's latest announcement is specific to G Suite, the business version of these productivity services. The company is also keen that users of the free consumer service avoid LSAs, but the new deadlines do not necessarily apply.
What is an LSA? The company says "non-Google apps that can access your Google account with only a username and password." In practice, it seems to mean any app that signs in to Gmail, Calendar or Contacts by presenting the account password directly over IMAP, POP, SMTP, CalDAV or CardDAV rather than authenticating with an OAuth token.
Using OAuth means that the application asks Google for access to a specific scope (mail, calendar or contacts), and, after the user signs in to Google and consents, receives a token that it presents to the API instead of the password. The client application therefore never sees or stores the user's password, only the token (and, typically, a refresh token for renewing it). Because the token is specific to that application, the user can revoke its access from the account settings without changing the password or affecting other clients.
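To make concrete what "supports OAuth" means for a mail client, here is an added example (not code from the article or from Google) showing the two client-side pieces: building the Google authorization request for the authorization-code flow with PKCE, so the client never handles the password, and building the SASL XOAUTH2 response that an IMAP or SMTP client sends in place of a password login. The endpoints and scope are Google's published ones; the client ID, redirect URI and token values are placeholders assumed for illustration.

```python
"""Added example: OAuth authorization request plus XOAUTH2 for Gmail IMAP/SMTP.
Not from the original article. Client ID, redirect URI and token strings are
placeholders; only the endpoints, scope and wire formats are real."""
import base64
import hashlib
import secrets
import urllib.parse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"   # where the code is swapped for tokens
MAIL_SCOPE = "https://mail.google.com/"                   # full IMAP/SMTP access scope


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)          # ~86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(client_id, redirect_uri, state, code_challenge, scope=MAIL_SCOPE):
    """URL the client opens in a browser; the user logs in to Google, not to the app."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,                   # CSRF token; the client checks it on the redirect back
        "code_challenge": code_challenge, # binds the later token exchange to this client
        "code_challenge_method": "S256",
        "access_type": "offline",         # ask for a refresh token as well as an access token
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def xoauth2_raw(user, access_token):
    """SASL XOAUTH2 client response before base64: user=<u>^Aauth=Bearer <t>^A^A."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_initial_response(user, access_token):
    """Base64 form of the XOAUTH2 response, as sent on the IMAP/SMTP AUTHENTICATE line."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def imap_login_with_token(host, user, access_token):
    """Authenticate to IMAP with the token instead of a password.
    Needs network access, so it is defined here but not called by default."""
    import imaplib
    conn = imaplib.IMAP4_SSL(host, 993)
    # imaplib base64-encodes whatever the callback returns, so hand it the raw bytes.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    # Placeholder client ID and loopback redirect, as used by desktop mail clients.
    print(build_authorization_url("placeholder-client-id", "http://127.0.0.1:8080/cb", state, challenge))
    # Placeholder token; a real one comes back from TOKEN_ENDPOINT in exchange for the code + verifier.
    print(xoauth2_initial_response("user@example.com", "placeholder-access-token"))
```

The point for the LSA discussion is the last two functions: a client that "supports OAuth" sends the bearer token in the XOAUTH2 response and never has a password to store, which is exactly the property Google is enforcing by retiring password-based logins.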
The difficulty for some users is that there are still plenty of applications that do not support OAuth. Microsoft Outlook only gained this capability with the latest version, Outlook 2019, or an up-to-date Outlook 365 for Office 365 users. Users with older versions of Outlook can use an Outlook sync client to synchronize email between G Suite and Outlook.
Another scenario is where users have a mail client that was originally set up with a username and password, and this setting has persisted through upgrades even though the current version does support OAuth. In these cases, the account will start returning authentication errors once the deadline passes, but this can be fixed by removing the account and re-adding it using OAuth. In iOS Mail, for example, this means choosing the Google account type for your mail, calendar or contacts rather than configuring it as a generic IMAP account.
Curiously, Google's guidance states that: "No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails."
The guidance for this recommends using the G Suite SMTP relay service using either a configured static IP address or: "Your full G Suite email address ([email protected]) and password when relaying through ports 587 and 465."
In the latter case this looks like a weakness in the G Suite security plans, particularly as scanners are not noted for secure password storage. A dedicated, limited-access account used only by the scanner would make sense here, so that a password lifted from the device does not expose a real user's mailbox. The guidance does say: "If you replace your device, look for one that sends email using OAuth." That, or the static IP option, looks like the better solution.
Is Google pushing better security practice, or steering users towards its own browser-based client applications and away from alternatives? Probably more the former, though changes like this do put pressure on users. Note that adopting two-factor authentication is also substantially more secure, and in this case access from LSAs is automatically disabled for both G Suite and consumer accounts. ®