Updates on Authentication for Gmail IMAP, POP, and SMTP

We’d like to highlight some recent and upcoming changes around authentication for Gmail IMAP, POP, and SMTP.

Additional Scrutiny for Password Authentication 
As previously announced, Google has begun increasing the security checks that occur when logging in with a user’s Google password. This includes access via Gmail IMAP, POP, and SMTP-MSA. It does not apply when authenticating with OAuth 2.0 via the XOAUTH2 mechanism.

If the checks detect anything suspicious about a password login attempt, our servers may deny login and return an error message requesting that the user first login to Google through a web browser. They may also require the user to explicitly enable “Less Secure Apps” on their account. Applications that perform password authentication to IMAP, POP, or SMTP are examples of "Less Secure Apps".

We strongly encourage developers to use OAuth 2.0 (via the XOAUTH2 mechanism for IMAP, POP, and SMTP) in order to better protect their users.

XOAUTH support ends May 5, 2015 
The OAuth 1.0 XOAUTH authentication mechanism for Gmail IMAP and SMTP-MSA is deprecated and will stop being supported on May 5, 2015. Developers must migrate to XOAUTH2 in order to continue authenticating to Gmail after that date. You can migrate existing users without their intervention by following the instructions in this migration guide. Instructions for developing your XOAUTH2 code are in the XOAUTH2 documentation.

Posted by Jamie Nicolson, Gmail Software Engineer