Farrsight
Original Poster
Dec 16, 2019

How can I continue to use POP based email after Oauth is required next year?

I have just received an email that Google is disabled Less Secure Apps  (a.k.a. LSA) next year.  Our entire business has Thunderbird with all Clients configured to run POP to access email. We are in a rural area and email goes up and down so we want a true client side email solution so we can still view all historical email easily if we have no internet.  As such, POP works best in this situation.   But if Google turns off non-OAUTH access, then we can't use POP anymore, right? 

Does this mean Google is turning off POP3 as a feature entirely?  My understanding is that OAUTH is not offered as an authentication method for POP3 from google.

Google has not specifically said they are killing POP3, but that sounds like what is actually happening?
Details
Reading and Receiving Messages,Other Browser,Windows
Locked
Informational notification.
This question is locked and replying has been disabled.
Community content may not be verified or up-to-date. Learn more.
Recommended Answer
bkc56
Diamond Product Expert
Jan 16, 2020
I have conformed with Google that POP3 will continue to work in the future.  Here is their actual response:
 
POP as a protocol is not being deprecated. If the user want to connect to a less secure app with a 2SV account they will need to generate an app specific password.
 
Of course the implication is that you'll have to use 2-step verification since that's the only place were an application specific password is available.
Diamond Product Expert bkc56 recommended this
Helpful?
All Replies (27)
bkc56
Diamond Product Expert
Dec 17, 2019
As suggested in the e-mail:
 
1. Switch Thunderbird to using OAuth to sign in,
2. Upgrade Thunderbird if OAuth is not available in the version you are using, or
3. Contact Thunderbird support if they don't yet support OAuth.
 
Does this mean Google is turning off POP3 as a feature entirely?
 
So, they are just reducing the ways you authenticate (no longer a simple account name/password).  POP3 is a protocol, not an authentication method.
J__9999
Jan 16, 2020
@bkc56, thanks.

When you asked your question, did you specify that you were asking about G Suite accounts? The announcement about LSA access being turned off was specifically about G Suite. Regular, individual G Mail accounts will continue to have LSA access.

The answer you received describes how a LSA can access the POP server. There's nothing new about it. That's how it works now. If LSA access is being turned off, then the answer doesn't make sense since it specifically mentions LSA access.
bkc56
Diamond Product Expert
Jan 16, 2020
When you asked your question, did you specify that you were asking about G Suite accounts?
 
Nope.  Most things like this work the same since Gmail and G Suite e-mail is basically the same thing.
 
If LSA access is being turned off, then the answer doesn't make sense since it specifically mentions LSA access.
 
What it means is you have to switch to 2SV with APP.
J__9999
Jan 16, 2020
I'm afraid you missed the point. The upcoming changes will affect G Suite only, not individual G Mail accounts. You're correct that these are "basically" the same service, but they're not entirely the same, and the thing this thread is asking about is one of those differences.

Kindly un-mark your reply as "best answer," since it's not the correct answer to the question the was asked here.

And that's the whole point. We already use 2FA and APP to permit out LSAs like Outlook to access our G Suite G Mail accounts via POP. The whole question here is how we'll be able to use POP once LSA access is blocked for all G Suite accounts later this year.

Thanks. Hopefully somebody else will provide some specific information here.
Last edited Jan 17, 2020
bkc56
Diamond Product Expert
Jan 16, 2020
Kindly un-mark your reply as "best answer," since it's not the correct answer to the question I asked.
 
It's the answer Google provided.  If someone else provides an answer with additional details, we can mark it.
J__9999
Jan 17, 2020
@bkc56

But your "best answer" is wrong. It applies to G Mail, not to G Suite. (You said you didn't ask about G Suite. The answer you got was for G Mail. The thing in the announcement that is being asked about here applies to G Suite but not to G Mail. Your response is off topic.)
Last edited Jan 17, 2020
bkc56
Diamond Product Expert
Jan 17, 2020
You said you didn't ask about G Suite. The answer you got was for G Mail. 
 
No the answer was independent of either and therefore applies to both.
Keith R (The Sweeper)
Gold Product Expert
My aim is to sweep up old unanswered questions.
Jan 17, 2020
Jon 9999, you have misinterpreted the advice.  Google are not wholesale blocking access by less secure apps.  What is happening is that they are removing the account setting that allows less secure apps to access an account via the normal password.  Access via an Application Specific Password will continue.

Why are you still discussing this here when we concluded discussion at https://support.google.com/mail/thread/23553381 on the 3rd?
Keith R (The Sweeper)
Gold Product Expert
My aim is to sweep up old unanswered questions.
Jan 17, 2020
1/3/20
Recommended Answer
Hi Jon, it's really very simple.  There will no longer be an option to allow access for less secure apps i.e software that needs to store your normal password.  Versions of Outlook before OL 2016 cannot connect with OAuth so needs to store a password.  There are currently two solutions:
  1. Enable access for less secure apps - OL 2013 can then connect in the old way using the account's normal password.
  2. Enable 2SV and generate an ASP.  Using that in OL 2013 allows it to connect without enabling the LSA access.
Option 1 will be discontinued.

Original Poster Jon 9999 marked this as an answer
Last edited Jan 17, 2020
J__9999
Jan 17, 2020
Hi KeithR.

I'll still asking because I received conflicting responses elsewhere.

Here the answer was that less-secure apps can continue to use POP by using an app-specific password.

Elsewhere the responses went something like this:
  1. OAuth will be required in any case for G Suite accounts to access GMail servers, be it with 2-factor authentication or with an app-specific password, and be it over POP or IMAP; and
  2. GMail doesn't appear to support OAuth over POP (or perhaps Outlook 2013/2016/2019 and Thunderbird don't t support OAuth over POP with G Mail -- it's unclear to me whether the limitation is imposed by the server or by the client); so therefore
  3. Outlook 2013/2016/2019 and Thunderbird won't be able to access G Suite accounts over POP after the change.
It's even more confusing because Google's announcement advised users with Outlook 2016 to upgrade to Outlook 2019, but there's no difference in OAuth support between Outlook 2016 and 2019, so that advice doesn't make any sense. If 2019 works, then 2016 should work too (as long as "Office simplified setup" is turned on, which is how OAuth is supported in Outlook 2016). Worse, Google's announcement didn't mention anything helpful about POP vs. IMAP, other than advising Thunderbird users to switch to "use IMAP with Thunderbird," which makes it sound like POP support is indeed going away, at least for those who use Thunderbird.

I want the answer provided here to be correct and the answer provided elsewhere to be wrong, but I need to be ready for the change either way. That's why I'm trying to get a definitive answer to the definitive question, and it appears that bkc56 (even with the best intentions) didn't pose the specific question about G Suite when he or she asked Google. All Google told bkc56 was that POP is not being turned off overall, which is true. The question we need answered is whether POP will continue to work for G Suite users with email clients that don't appear to support OAuth over POP with GMail, such as Outlook 2016, Outlook 2019, and Thunderbird.
Last edited Jan 17, 2020
Keith R (The Sweeper)
Gold Product Expert
My aim is to sweep up old unanswered questions.
Jan 18, 2020
I'd like to know your source for item 3. Outlook 2013/2016/2019 and Thunderbird won't be able to access G Suite accounts over POP after the change.  That is just wrong.  I acknowledge that the Google Team advice totally ignored any mention of using ASPs and I suspect that there might be consideration of future removal of these, but that won't be in 2021.

I agree with you about:
It's even more confusing because Google's announcement advised users with Outlook 2016 to upgrade to Outlook 2019, but there's no difference in OAuth support between Outlook 2016 and 2019, so that advice doesn't make any sense. 
Whoever advised Google's tech writers made a mistake, a rather serious mistake to make it out to the public.

However, there is no need for Google to define all the features that will continue to work as they have very clearly stated what feature will disappear - it is the setting to enable access by LSA.  That feature is a completely distinct feature from the App Specific Password which is part of Two Step Verification.

Quoting the response I got from Google Support [an extract with no editing other than my emphasis]:
Hello Administrator,

Thank you for contacting Google Cloud Support, I understand you are concerned about whether 2 Step Verification and App specific passwords will be available when the Less Secure Apps feature is removed for the doman kairos.org.au .

We don't seem to have any contact information for you on our system, so if you would like to respond to this email with a preferable number and time to contact you,

In regards to your question 2 Step/Factor Authentication and App Specific Passwords will continue to function after the LSA’s functionality is removed. Can you explain in a little more detail about what you aim to achieve (or what enabling LSA was being used for your domain) and I can look into this for you. In the meantime I have gathered some useful and relevant Help Center articles for further information.
Last edited Jan 18, 2020
HS Contabilidade Valmor Lay Jr
Jan 20, 2020
@KeithR
If its true that 2SV + ASP will continue why, when we disable LSA in GSuite, for the entire domain, the ASP stops working? Im concerned about this.

Here's a part o email sent by google:

"Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported."
Last edited Jan 20, 2020
Keith R (The Sweeper)
Gold Product Expert
My aim is to sweep up old unanswered questions.
Jan 21, 2020
"@KeithR
If its true that 2SV + ASP will continue why, when we disable LSA in GSuite, for the entire domain, the ASP stops working? Im concerned about this."

That shouldn't happen.  Accounts that had access for LSA enabled will not be using ASP - these two are mutually exclusive.  You need to follow that up as a separate issue.
false
3600526874300243100
true
Search Help Center
true
true
true
true
true
17
Search
Clear search
Close search
Main menu
false
false