/mail/community?hl=en
This content is likely not relevant anymore. Try searching or browse recent questions.
POP access to Gmail without LSA 3 Recommended Answers 13 Replies 19 Upvotes
1 Update
$0 Updates
1 Recommended Answer
$0 Recommended Answers
1 Relevant Answer
$0 Relevant Answers
3
For accounts protected by 2-factor authentication, which stand-alone Windows email clients are able to access Gmail via POP3 using OAuth, without taking the risk of enabling Less-Secure Apps access and enabling app-specific passwords?

In other words, which email clients are able to connect to pop.gmail.com using OAuth authentication?  Outlook 2016 for Windows is able to connect to imap.gmail.com using OAuth with 2FA, but not to pop.gmail.com. What about Outlook 2019? Thunderbird? Others?

(I know the official way of accessing Gmail accounts protected by 2FA from Outlook and other, older clients via POP3 is to enable LSA access and to set up an app-specific password. but app-specific passwords raise potential security risks. With that option slated to be turned off in the not-too-distant future for some Gmail accounts anyway, are there other clients that can access Gmail via POP3 with full OAuth/2FA authentication? IMAP is not an attractive option here.)
Relevant Answer Relevant Answers (0)
All Replies (13)
Relevant Answer
Hi Jon, there has been no announcement that App Specific Passwords are to be ceased.  In fact that is the current solution offered for use when Less Secure Apps access is turned off.  These two are not available together.

I do not know of any support for POP with 2FA for Gmail.
marked this as an answer
Relevant Answer
@KeithR, here is the announcement, below.

@bkennelly, thank you for the definitive response. I'm confused about your "one other clarification," though. I'm confused about the distinction between 2FA, LSA, OAuth, and password-based accounts. Can you please reconcile your response with Google's announcement? If I turn off 2FA, will I still be able to use Outlook to access my gmail account via POP? If the whole point of Google enforcing OAuth is to increase security, then how can giving users no choice besides turning off 2FA increase security?



marked this as an answer
Relevant Answer
Google have not clarified what will happen with POP access.  They may discontinue POP3 support, they may add OAuth2 authentication or they may continue to support App Passwords.  The only thing that is certain is that access for "less secure apps" will be turned off. 
 
The announcement states that OAuth will be required and that plain password authentication will be disabled, but only goes into detail about disabling LSA. That leaves the 2SV/App Password solution unexplained.  2SV with an App Password is almost as secure as OAuth2 (An App Password is a sort of "poor man's" OAuth token, because it is pseudo-random and requires higher authentication to generate.)
 
There appear to be three possibilities for the future:
  • POP3 access will gain OAuth2
  • POP3 access will be allowed with App Passwords
  • POP3 access will be discontinued.
 
marked this as an answer
Relevant Answer
Jon 9999 wrote: "@KeithR, here is the announcement, below."

Hi Jon, yes, I have read that announcement as I am the administrator of a G Suite system.  As @bkennelly explained, it does not say anywhere that Application Specific Passwords will be discontinued.  It only refers to access for less secure apps.

Using my administrator account, I have sent a specific query to Support asking if ASP will still be available.  Hopefully this might trigger a more specific explanation.
marked this as an answer
Relevant Answer
Thanks, @bkennelly and @KeithR. Your insights are very helpful, although I wish Google had done (or would do) a better job at explaining the implications of the LSA EOL. I'm still a bit confused about OAuth vs 2FA vs LSA vs ASP vs POP and what's in play here. If I'm using an app-specific password in Outlook to connect to pop.gmail.com without providing a 2FA code, then aren't I not using OAuth and isn't that the definition of an LSA? Or is there a distinction that I'm missing? The settings page shown below seems to suggest that the whole point of app-specific passwords is to provide access for LSAs:

@KeithR, it would be greatly appreciated if you can specifically ask Support whether it will still be possible after LSA is discontinued to access G Suite Gmail through Outlook 2019 (or Outlook 2016 with "Simplified Account Creation" enabled, thus using OAuth) over POP -- either with or without 2-factor authentication on the account -- and then report back the answer back here. I'm sure I'm not the only G Suite freeloader who is in the dark about the upcoming LSA change, and about whether this signals the end of pop.gmail.com for G Suite accounts (or at least for G Suite accounts that have 2FA enabled, or at least for G Suite users who use Outlook or Thunderbird). Thanks!

(I'm also still a bit confused about whether Outlook 2019 will do OAuth at all, with or without 2FA, when using POP. Thunderbird, for example, appears to allow OAuth only with IMAP but not with POP. Outlook 2016 with "Simplified Account Creation" enabled likewise will connect to imap.gmail.com and request the 2FA code for a successful connection, but it gives a password error without even asking for a 2FA code when trying to connect to pop.gmail.com. I don't have Outlook 2019 yet, so I cannot give a first-hand report of whether it will connect via POP with 2FA, but a superuser on the Outlook user forum said she tried it and it didn't work for her.)
marked this as an answer
Relevant Answer
Hi Jon, there's a lot of questions there.  LSA refers to the option in Gmail accounts to enable "Access for Less Secure Apps".  Simply put, this is standard password access.  It is less secure only because it requires the external app (Outlook, Thunderbird, etc) to store the user's password.

2FA (or 2SV as Google names it), increases security by requiring the second factor to sign in (something you know [password] and something you have [your phone to get a code by SMS]).  When this is enabled, LSA is disabled, but for apps that can't check the second factor you can generate an ASP, a random 16 digit password.  This still has to be stored in the external app, but is more secure by virtue of being unguessable and you can revoke it from the account without disturbing other means of access in case of device loss.  You can also create any number of these so that they can be isolated to single apps or devices.

Any email software (including Outlook 2010) will currently connect using an ASP i.e.when 2SV is enabled.  Your Outlook superuser must have done it wrong.

Outlook 2016 and later will connect via OAuth for IMAP.  Thunderbird's current version includes the option to use OAuth with POP, but I have no way of testing it.
marked this as an answer
Relevant Answer
Thanks, KeithR. I still really don't understand what's changing, then, if app-specific passwords are not going away, but I'm glad that I don't have to do anything different to continue to access G Suite Gmail via POP from Outlook 2016 after LSA access is turned off.
marked this as an answer
Relevant Answer
Hi Nate, if you had read the whole topic, you would have seen that this was a misunderstanding.  Administrators of G Suite accounts have been advised that Access for Less Secure Apps will be removed from settings from August 2020 and disabled completely from February 2021.  App Specific Passwords will continue to be available.

There has not been any announcement about gmail.com accounts.
marked this as an answer
This question is locked and replying has been disabled.
Discard post? You will lose what you have written so far.
Write a reply
10 characters required
Failed to attach file, click here to try again.
Discard post?
You will lose what you have written so far.
Personal information found

We found the following personal information in your message:

This information will be visible to anyone who visits or subscribes to notifications for this post. Are you sure you want to continue?

A problem occurred. Please try again.
Create Reply
Edit Reply
Delete post?
This will remove the reply from the Answers section.
Notifications are off
Your notifications are currently off and you won't receive subscription updates. To turn them on, go to Notifications preferences on your Profile page.
Report abuse
Google takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Go to the Legal Help page to request content changes for legal reasons.

Reported post for abuse
Unable to send report.
Report post
What type of post are you reporting?
Google takes abuse of its services very seriously. We're committed to dealing with such abuse according to the laws in your country of residence. When you submit a report, we'll investigate it and take the appropriate action. We'll get back to you only if we require additional details or have more information to share.

Go to the Legal Help page to request content changes for legal reasons.

Reported post for abuse
Unable to send report.
This reply is no longer available.
/mail/threads
//accounts.google.com/ServiceLogin
You'll receive email notifications for new posts at
Unable to delete question.
Unable to update vote.
Unable to update subscription.
You have been unsubscribed
Deleted
Unable to delete reply.
Removed from Answers
Removed from Updates
Marked as Recommended Answer
Marked as Update
Removed recommendation
Undo
Unable to update reply.
Unable to update vote.
Thank you. Your response was recorded.
Unable to undo vote.
Thank you. This reply will now display in the answers section.
Link copied
Locked
Unlocked
Unable to lock
Unable to unlock
Pinned
Unpinned
Unable to pin
Unable to unpin
Marked
Unmarked
Unable to mark
Reported as off topic
Known Issue
Fixed
Marked Fixed
Unmarked Fixed
Unable to mark fixed
Unable to unmark fixed
/mail/profile/0