Control access to less secure apps

This article is for administrators. For actions users can take, go to Less secure apps & your Google Account.

You can block sign-in attempts from some apps or devices that are less secure. Apps that are less secure don't use modern security standards, such as OAuth. Using apps and devices that don’t use modern security standards increases the risk of accounts being compromised. Blocking these apps and devices helps keep your users and data safe.

Examples of apps that don’t support modern security standards include:

Native mail, contacts, and calendar sync applications on older versions of iOS and OSX
Some computer mail clients, such as older versions of Microsoft Outlook

Examples of apps that do support modern security standards are Gmail, Windows Mail, Office 365, Outlook for Mac, Instagram, PayPal, Amazon, Facebook, and Basecamp.

Transitioning to more secure app access to Google Accounts

Less secure apps can make it easier for hijackers to break into user accounts and devices. Blocking sign-ins from these apps helps keep accounts safe. For these reasons, Google is limiting password-based programmatic sign-ins to Google Accounts.

If you don't allow sign-ins from less secure apps

You won’t be able to turn on the less secure apps enforcement setting (it’s no longer available in the Admin console). You can still allow users to turn on or off access to less secure apps on their individual accounts. Google will turn off the less secure apps setting on individual accounts for users who stop using it.

If you allow sign-ins from less secure apps

Because Google is beginning to shut off Google Account access to less secure apps, the enforcement option is no longer available. We recommend turning off less secure apps access now. You should start using alternatives to less secure apps.

As Google gradually moves away from allowing less secure apps to access Google Accounts, you’ll receive email notifications about changes that affect you.

Notice of setting removal

Google will automatically turn off the Less secure apps setting on individual accounts for users who stop using it. Users can turn it back on until the setting is removed.

The Less secure apps setting will be removed from the Admin console in Feb, 2021. If you haven’t already transitioned to more secure apps, do so by this date.

Use alternatives to less secure apps

To promote better security for user accounts, you should start using alternatives to less secure apps as soon as possible.

Use apps in your company that use OAuth 2.0 authentication. Deploy new applications or update your existing apps to support OAuth 2.0 for authentication.
If some users can’t migrate to a more secure platform, they can use alternatives.

Less secure app	Alternative
Apple Mail configured with POP3	Re-add your Google Account to Apple Mail and configure it to use IMAP with OAuth. This automatically initiates the connection with OAuth.
iOS Mail	Continue using iOS Mail as long as you have iOS 6.0 or later. OAuth support is automatically included in iOS 6.0 and later when you add an account using the Google option.
Outlook for Windows via password-based POP or IMAP	G Suite Sync for Microsoft Outlook (GSSMO). Web-based or latest version of Outlook. Set up G Suite for Outlook for your users G Suite Sync for Microsoft Outlook download
Thunderbird	Re-add your Google Account to Thunderbird and configure it to use IMAP with OAuth. This automatically initiates the connection with OAuth.
Legacy office devices Examples: scanners and multifunctional printers that send email	Continue using legacy office devices with SMTP. Other protocols (such as POP3 and IMAP) will be blocked unless they use OAuth.
Any other app	Request that the app developer update the app to use OAuth 2.0.

Manage access to less secure apps

You can allow users to turn on or off access by less secure apps or disable their ability to allow less secure apps.

Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
Go to the settings for Less secure apps:

From the Admin console Home page, go to SecurityLess secure apps.
To see Security on the Home page, you might have to click More controls at the bottom.

OR, if the "Less secure apps" option isn't visible:

From the Admin console Home page, go to SecurityBasic settings.
To see Security on the Home page, you might have to click More controls at the bottom.

Then, under Less secure apps, click Go to settings for less secure apps.
Select the setting for less secure apps:
- Disable access to less secure apps (Recommended)
  Users can’t turn on access to less secure apps.
  When you disable access to less secure apps while a less secure app has an open connection with a user account, the app will time out when it tries to refresh the connection. Timeout periods vary per app.
- Allow users to manage their access to less secure apps
  Users can turn on or turn off access to less secure apps.

Apply settings for organizational units or your domain. You can also customize permissions for groups of users.

To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit.

To apply settings to a group of users, check which group settings are on the left of your Admin console.

Go to group setup steps		Go to group setup steps

Click Save.

Monitor accounts that allow less secure apps

Use Account Activity Reports to see whether users can allow less secure apps to access their accounts. On the toolbar, click Select columns to add less secure apps status to the report.

Was this helpful?

How can we improve it?