This article is for administrators. For actions users can take, go to Less secure apps & your Google Account.
You can block sign-in attempts from some apps or devices that are less secure. Apps that are less secure don't use modern security standards, such as OAuth. Using apps and devices that don’t use modern security standards increases the risk of accounts being compromised. Blocking these apps and devices helps keep your users and data safe.
Examples of apps that don’t support modern security standards include:
- Native mail, contacts, and calendar sync applications on older versions of iOS and OSX
- Some computer mail clients, such as older versions of Microsoft Outlook
Examples of apps that do support modern security standards are Gmail, Windows Mail, Office 365, Outlook for Mac, Instagram, PayPal, Amazon, Facebook, and Basecamp.
Transitioning to more secure app access to Google Accounts
Less secure apps can make it easier for hijackers to break into user accounts and devices. Blocking sign-ins from these apps helps keep accounts safe. For these reasons, Google is limiting password-based programmatic sign-ins to Google Accounts.
If you don't allow sign-ins from less secure apps
If you allow sign-ins from less secure apps
As Google gradually moves away from allowing less secure apps to access Google Accounts, you’ll receive email notifications about changes that affect you.
Notice of setting removal
To promote better security for user accounts, you should start using alternatives to less secure apps as soon as possible.
- Use apps in your company that use OAuth 2.0 authentication. Deploy new applications or update your existing apps to support OAuth 2.0 for authentication.
- If some users can’t migrate to a more secure platform, they can use alternatives.
| Less secure app | Alternative |
|---|---|
| Apple Mail configured with POP3 |
Re-add your Google Account to Apple Mail and configure it to use IMAP with OAuth. This automatically initiates the connection with OAuth. |
| iOS Mail |
Continue using iOS Mail as long as you have iOS 6.0 or later. OAuth support is automatically included in iOS 6.0 and later when you add an account using the Google option. |
|
Outlook for Windows via |
G Suite Sync for Microsoft Outlook (GSSMO). |
| Thunderbird |
Re-add your Google Account to Thunderbird and configure it to use IMAP with OAuth. This automatically initiates the connection with OAuth. |
|
Legacy office devices Examples: scanners and multifunctional printers that send email |
Continue using legacy office devices with SMTP. Other protocols (such as POP3 and IMAP) will be blocked unless they use OAuth. |
| Any other app | Request that the app developer update the app to use OAuth 2.0. |
Manage access to less secure apps
You can allow users to turn on or off access to less secure apps or disable their ability to allow less secure apps.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
From the Admin console Home page, go to Security
Less secure apps.
- To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit or a configuration group.
- Select the setting for less secure apps:
-
Disable access to less secure apps (Recommended)
Users can’t turn on access to less secure apps.
When you disable access to less secure apps while a less secure app has an open connection with a user account, the app will time out when it tries to refresh the connection. Timeout periods vary per app. - Allow users to manage their access to less secure apps
Users can turn on or turn off access to less secure apps.
-
- Click Save.
Monitor accounts that allow less secure apps
Use Account Activity Reports to see whether users can allow less secure apps to access their accounts. On the toolbar, click Select columns to add less secure apps status to the report.
