Deadline looms: Google Workspace mandates OAuth by September 30
27 days to get your users' third-party apps on Google’s sign-in
Google Workspace administrators, consider yourselves on notice: In less than a month, many third-party apps (mail, calendar, etc.) will stop connecting to Workspace accounts.
The change, effective September 30, will see Google disable access to "less secure apps," or LSAs, for all Google Workspace accounts. Those who haven't checked their Workspace Admin consoles recently will notice that LSA settings have already been removed, so there's no avoiding this change.
LSAs, as far as Google is concerned, are anything that doesn't use OAuth by way of Sign-In with Google, the Chocolate Factory's authentication-as-a-service offering. In other words, no more signing into Google Workspace with just a password, so get ready to apologize to some executives.
Hi, Helpdesk - yes, we know it's not working
This isn't a surprise announcement - Google's Workspace team published a blog post about it last year to announce the transition away from LSAs. Sign-In with Google isn't exactly a new product either, so consider the next few weeks an opportunity to prevent a sudden surge in tickets at the end of the month.
Thunderbird, iOS/macOS Mail, and Outlook for Mac users can all simply re-add their Google accounts using the Google account option in setup, and the same goes for users of modern Outlook products. Anyone still sticking to Outlook 2016 will be out of luck, though, so this is your chance to finally force an upgrade.
The same goes for calendar and contacts applications that connect to Google Workspace accounts, so be prepared to get those updated as well. Personal Google accounts won't be affected by the change.
Mobile Device Management platforms that configure IMAP, CalDAV, CardDAV, POP or Exchange ActiveSync (Google Sync) are being phased out as well. Support for most of those protocols was already phased out in June, and ActiveSync will be disabled at the end of September.
"Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth," Google noted.
Finally, the tech giant said that Workspace-account connected scanners and other devices that use email to send documents will have to be reconfigured to use OAuth or some other alternative method as well, because they won't connect after the end of September, either.
The countdown is on: 27 days. Of course, we're just yelling into the void, here: El Reg readers definitely know better than to allow users to sign in without any additional authentication factors, right? ®