Allow or disallow less secure apps to access accounts

We have added a feature that allows you to block sign-in attempts at the domain or organizational unit level from some apps or devices that do not use modern security standards.

See the Frequently asked questions section below for examples of apps that do not support the latest security standards.

Since these apps and devices are easier to break in to, blocking them helps keep your users' accounts safer.

Disable access to less secure apps for all users

Use this setting when you want to ensure that access by a less secure app is unavailable to all.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Securityand thenBasic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Less secure apps, select Go to settings for less secure apps.

  4. In the subwindow, select the Disable access to less secure apps for all users radio button.

Once you've set Disable access to less secure apps for all users to on, affected users within the selected group or Organizational Unit will not be able to toggle access for less secure apps on or off themselves. You will have to set the setting back to Allow users to manage their access to less secure apps to allow them to toggle access for less secure apps on or off themselves. 

Enabling less secure apps to access accounts

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Click Security > Basic settings.
    Where is it?
  3. Under Less secure apps, select Go to settings for less secure apps.
  4. In the subwindow, select the Allow users to manage their access to less secure apps radio button.

Once you've set Allow users to manage their access to less secure apps to on, affected users within the selected group or Organizational Unit will be able to toggle access for less secure apps on or off themselves.

Enforcing access to less secure apps for all users

Use this setting when you want to ensure that access by a less secure app is available to all for a limited time, such as for upgrades.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Click Security > Basic settings.
    Where is it?
  3. Under Less secure apps, select Go to settings for less secure apps.
  4. In the subwindow, select the Enforce access to less secure apps for all users radio button.

Once you've set Enforce access to less secure apps for all users to on, affected users within the selected group or Organizational Unit will not be able to toggle access for less secure apps off themselves. You will have to set the setting back to Allow users to manage their access to less secure apps to allow them to toggle access for less secure apps on or off themselves.

Frequently asked questions

How can administrators prevent less secure applications from accessing their users accounts?

Administrators can block access to less secure applications by ensuring the Disable access to less secure apps for all users radio button located in Admin console Security > Basic settings > Less secure apps is selected.

Are end-users able to configure less secure app access for their own accounts?

End-users can navigate to Allow Less Secure Apps to configure less secure app access for their own accounts. However, if the admin has selected the Disable access to less secure apps for all users radio button located in Admin console Security > Basic settings > Less secure apps, the end-user setting will be disabled and the user will be unable to allow access to less secure applications.

When the Allow users to manage their access to less secure apps setting is disabled, what will happen if a hijacker attempts to use a less secure app to access a user’s account?

The less secure application will be blocked. If an admin has selected the Disable access to less secure apps for all users radio button located in Admin console Security > Basic settings > Less secure apps, end-users will receive a maximum of one e-mail notification per day informing them that someone has attempted to access their account with an application that does not meet modern security standards.

How can an administrator monitor which user accounts allow access to less secure apps?

The Admin console Account Activity Reports section includes a Less Secure Apps Access filter that indicates whether or not each user is allowing or denying access to less secure applications.

When the Allow users to manage their access to less secure apps setting is disabled inside the Admin console, will end-users still have an option to allow less secure apps to access their accounts?

No. When an administrator has disabled the Allow users to manage their access to less secure apps setting inside the Admin console, end-users within the Organizational Unit where the setting has been disabled will be unable to override what the admin has configured.

What criteria is used to identify an application as being “less secure”?

Applications that rely on plain username/password authentication to access an account programmatically are considered less secure than those using modern day security standards such as OAuth 2.0.

What happens if a less secure application has an open connection with a user’s account at the time of disabling access to less secure apps?

If a less secure application already has an established connection with an end-user’s account when an admin disables the Allow users to manage their access to less secure apps setting inside the Admin console, the connection with the application will timeout and be closed (timeout thresholds vary by application, but will usually timeout within 60 minutes) and future access requests made by the insecure application will be blocked.

What applications can I expect will be blocked by this feature?

Some examples of applications that do not support modern security standards include:

  • Native mail, contacts, and calendar sync applications on older versions of iOS and OSX
  • The mail application on Windows phones preceding OS version 8.1
  • Some desktop mail clients like Microsoft Outlook and Mozilla Thunderbird

If you choose to block access to less secure apps ASPs (Application-Specific Passwords) will stop working for 2-SV users.

What will the default settings be for both Admin console and end-user Allow Less Secure Apps settings?

G Suite domains created prior to this feature being released will have the Allow users to manage their access to less secure apps setting inside the Admin console enabled by default.

G Suite domains created after the release of this feature will have the Allow users to manage their access to less secure apps setting inside the Admin console disabled by default.

  • Allow Less Secure Apps setting for accounts created before September 2015:
    • If a less secure application had accessed the account in the past 90 days when the feature was released, access to less secure applications was set to allowed by default.
    • If a non-secure application has not accessed the account in the past 90 days when the feature was released, access to less secure applications was set to denied by default.
  • Allow Less Secure Apps setting for accounts created after September 2015:
    • Access to less secure applications is allowed for first 24 hours after a new user is created even if either the admin-level or user-level setting has been set to disallowed.
    • Access to less secure applications remains allowed if a non-secure application accesses the account within 24 hours after you've created the user.
    • Access to less secure applications reverts to denied if a non-secure application does not access the account within 24 hours after you've created the user.
Was this article helpful?
How can we improve it?