What’s changing
As part of our commitment to user safety, Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This antiquated sign-in method, known as Less Secure Apps (LSAs), puts users at an additional risk since it requires sharing Google Account credentials with third-party apps and devices that can make it easier for bad actors to gain unauthorized access to your account.
Instead, you’ll need to use the option to Sign-In with Google, which is a safer and more secure way to sync your email to other apps. Sign-in with Google leverages industry standard and more secure OAuth method of authentication already used by the vast majority of third-party apps and devices.
We previously announced this change in 2019, and are now ready to share an updated timeline regarding this change:
Access to Less Secure Apps (LSA) will be turned off in two stages:
- Beginning June 15, 2024:
- The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect during this time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.
- The IMAP enable/disable settings will be removed from users’ Gmail settings.
- If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024.
- Beginning September 30, 2024:
- Access to LSAs will be turned off for all Google Workspace accounts. CalDAV, CardDAV, IMAP, POP and Google Sync will no longer work when signing in with just a password — you will need to login with a more secure type of access called OAuth.
As part of this change, Google Sync will also be sunsetted:
- Beginning June 15, 2024: New users will not be able to connect to Google Workspace via Google Sync.
- September 30, 2024: Existing Google Sync users will not be able to connect to Google Workspace. Here is how you can transition your organization off Google Sync. To find Google Sync usage in your organization, please go to the Admin Console, navigate to Devices > Mobile & Endpoints > Devices, and filter by Type: Google Sync.
See below for more specific guidance for admins, end users, and developers regarding this change.
Who’s impacted
Admins and end users
Getting Started
Admins
Preparing your end users
In order for your end users to continue using these types of apps with their Google Workspace accounts, they must switch to a more secure type of access called OAuth. You’ll receive more information via email with affected users in your organization in the coming months. We recommend that you share the user instructions (included below) to help them make the necessary changes.
Mobile Device Management (MDM) Impact
If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV CardDAV, POP or Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:
Scanners and other devices
If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device.
End users
If you are using an app that accesses your Google Account with only a username and password, take one of the following actions to continue to access your email, calendar, or contacts. If you do not take one of the following actions by September 30, 2024, you will begin receiving an error message that your username-password combination is incorrect and you will not be able to log in.
Email Applications
Calendar Applications
- If your Google Workspace account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more.
Contacts Applications
- If your Google Workspace account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More.
- If your Google Workspace account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth.
All Other Applications
If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.
Developers
To maintain compatibility with Google Workspace accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
Users with personal Google accounts: In the coming weeks we will be removing the IMAP enable/disable toggle from your Gmail settings. IMAP access is always enabled over OAuth and your current connections will not be impacted. No action is required of users.
Availability
- This change impacts all Google Workspace customers.