Control access to less secure apps

This article is for administrators. For actions users can take, see Less secure apps & your Google Account.

You can block sign-in attempts from some apps or devices that are less secure. Apps that are less secure don't use modern security standards, such as OAuth. Using apps and devices that don’t use modern security standards increases the risk of accounts being compromised. Blocking these apps and devices helps keep your users and data safe.

Examples of apps that don’t support modern security standards include:

  • Native mail, contacts, and calendar sync applications on older versions of iOS and OSX
  • Some computer mail clients, such as older versions of Microsoft Outlook

Examples of apps that do support modern security standards are Gmail, Windows Mail, Office 365, Outlook for Mac, Instagram, PayPal, Amazon, Facebook, and Basecamp.

Transitioning to more secure app access to Google Accounts

Less secure apps can make it easier for hackers to break into user accounts and devices. Blocking sign-ins from these apps helps keep accounts safe.

If you allow sign-ins from less secure apps

If you currently allow sign-ins from less secure apps, we recommend turning off less secure apps access. Use alternative apps that support modern security standards.
 
Use alternatives to less secure apps

To promote better security for user accounts, you should start using alternatives to less secure apps as soon as possible.

  • Use apps in your company that use OAuth 2.0 authentication. Deploy new applications or update your existing apps to support OAuth 2.0 for authentication.
  • If some users can’t migrate to a more secure platform, they can use alternatives.

| Less secure app | Alternative |
|---|---|
| Outlook for Windows via password-based POP or IMAP | G Suite Sync for Microsoft Outlook (GSSMO). Web-based or latest version of Outlook. See: Set up G Suite for Outlook for your users; G Suite Sync for Microsoft Outlook download |
| Thunderbird | Thunderbird IMAP automatically initiates a connection through OAuth when adding a Google Account. If users leave the password field empty in Thunderbird, they get a Google sign-in page to authorize access through OAuth. |
| Apple Mail configured with POP3 | Configuring Apple Mail using the Google Account option automatically initiates the connection with OAuth. |
| Opera Mail | IMAP with OAuth. |
| Legacy office devices such as scanners and multifunctional printers that send email | SMTP-only access is unaffected. |
| iOS Mail | OAuth support is automatically included in iOS 6.0 and later when you add an account using the Google option. |
| Any other app | Tell the app developer to update the app so it uses OAuth 2.0. |

 

Manage access to less secure apps

You can allow users to turn on or off access by less secure apps, disable their ability to allow less secure apps, or force users to always allow less secure apps.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Security and then Basic settings.

    To see Security on the Home page, you might have to click More controls at the bottom.

  3. Under Less secure apps, select Go to settings for less secure apps.

  4. On the left, select an organizational unit where you want to manage access to less secure apps.
    • If you don’t select an organizational unit, your setting applies to your entire top-level organization.
    • If you want an organizational unit to use the same setting as its parent organization, click Use Inherited on the top right.
  5. Select an option:
    • Disable access to less secure apps for all users (Recommended)
      Access to less secure apps is disabled for everyone. Users can’t turn on access to less secure apps.
      When you disable access to less secure apps while a less secure app has an open connection with a user account, the app will time out when it tries to refresh the connection. Timeout periods vary per app.
    • Allow users to manage their access to less secure apps
      Users can turn on or turn off access to less secure apps.
    • Enforce access to less secure apps for all users (Not recommended)
      Access to less secure apps is required for everyone. Users can’t turn off access to less secure apps.
      This option isn't recommended, because it potentially increases the exposure of user accounts to hijacking. Use this option only when you want to ensure that access by a less secure app is available to all users for a limited time, such as for an upgrade.
  6. On the bottom right, click Save.

Monitor accounts that allow less secure apps

Use Account Activity Reports to see whether users can allow less secure apps to access their accounts. On the toolbar, click Select columns to add less secure apps status to the report.
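
To review the same status in bulk, the following added example (not Google's code) sorts users by their less secure apps status from a user usage report. It assumes the report was already fetched as JSON from the Admin SDK Reports API and that the status appears under the parameter name accounts:is_less_secure_apps_access_allowed; the sample data and addresses are constructed.

```python
import json

# Assumption: parameter name as reported by the Admin SDK Reports API
# user usage report; the Admin console report described on this page
# shows the same status as a column.
LSA_PARAM = "accounts:is_less_secure_apps_access_allowed"

# Constructed sample in the shape of a user usage report response.
SAMPLE_RESPONSE = json.dumps({
    "usageReports": [
        {"date": "2020-01-15",
         "entity": {"type": "USER", "userEmail": "alice@example.com"},
         "parameters": [{"name": LSA_PARAM, "boolValue": True}]},
        {"date": "2020-01-15",
         "entity": {"type": "USER", "userEmail": "bob@example.com"},
         "parameters": [{"name": LSA_PARAM, "boolValue": False}]},
        {"date": "2020-01-15",
         "entity": {"type": "USER", "userEmail": "carol@example.com"},
         "parameters": [{"name": "accounts:is_2sv_enrolled", "boolValue": True}]},
    ]
})


def classify_lsa_status(response_text):
    """Split users into allowed / blocked / unknown for less secure app access."""
    result = {"allowed": [], "blocked": [], "unknown": []}
    for report in json.loads(response_text).get("usageReports", []):
        email = report.get("entity", {}).get("userEmail")
        if not email:
            continue  # skip entries that are not user entities
        params = {p.get("name"): p for p in report.get("parameters", [])}
        value = params.get(LSA_PARAM, {}).get("boolValue")
        if value is True:
            result["allowed"].append(email)
        elif value is False:
            result["blocked"].append(email)
        else:
            # Status missing from the report: do not count it as safe.
            result["unknown"].append(email)
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    for bucket, users in classify_lsa_status(SAMPLE_RESPONSE).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

Users in the "allowed" bucket are the ones to move to OAuth-capable apps before you disable access for their organizational unit; "unknown" entries need a manual check in the report.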

 
