Starting September 30, 2024, Google Workspace accounts will only allow access to apps using OAuth. Password-based access (with the exception of App Passwords) will no longer be supported and Google Sync will sunset.
We have already seen this change affect Workspace users in multiple ways, including: failing “scan to email” from company printers, failed outbound invoices from accounting systems, and “Send As” configurations losing functionality. Here’s what you need to know about this change, and how to prepare before you lose functionality you rely on..
Google’s Timeline for the Transition
As of June 15th:
- If you (or your users) try to connect to a less secure app for the first time, you will not be able to. This restriction includes third-party apps that still use basic authentication, such as CalDAV, CardDAV, IMAP, SMTP, and POP, to access Gmail, Google Calendar, and Contacts. If you’re not trying to connect for the first time, you will be able to continue using the apps until they’re turned off.
- In the Google Admin console, you will not be able to access the turn on and off setting for less secure apps.
- Users will not be able to turn IMAP on or off in their Gmail settings.
Beginning September 30th:
- Access to less secure apps will be turned off for all Google Accounts.
- CalDAV, CardDAV, IMAP, SMTP, and POP will no longer work with legacy passwords (basic authentication). This is a legacy configuration that used to be popular on iPhones, but has been out of favor for at least 5 years.
- Existing customers will not be able to connect to Google Workspace via Google Sync. Google Sync was Google’s implementation of Microsoft’s ActiveSync. It is another very old technology to connect mobile devices to Workspace.
What are Less Secure Apps?
Less Secure Apps (LSA) are applications that connect to your Google account via the user’s account password. Exposing the username and password to these older systems increases the risk of security breaches. Examples of LSA include:
- Native mail, contacts, and calendar sync applications on older versions of iOS and OSX
- Some computer mail clients, such as older versions of Microsoft Outlook
- Scan to email in copiers
- Accounting systems that use a username and password to send through Google.
OAuth
OAuth is a more modern version of signing in to connected apps that doesn’t require the input of an account’s username and password to authorize access. OAuth uses tokens to issue authorization from the user’s core account (in this case, their Google Workspace account) to the requesting 3rd party service (the user’s apps). By using this system of tokens, the user’s passwords are protected.
What You Need to Do
Modern systems provide an OAuth path to connect to Google services. Ideally, your systems have been updated with this functionality. To reconfigure apps to use OAuth for your end users, you can check out this Google Blog post for instructions on many popular applications. To transition from Google Sync, this Google Support article will have the information needed for administrators.
To maintain older systems that do not support OAuth like printers, fax machines, send-as configurations, etc, you can create and use App Passwords. App Passwords operate similarly to OAuth, but give specific tokens (the app password) to each individual app instead of the account password. It is important to note that to create an App Password, the account must have 2-step verification enabled.