Google warns on Less Secure Applications (LSAs)
Table of Contents
- 1 Less Secure Applications (LSAs)
- 2 Managing Access to less Secure Apps
- 3 Google’s Warning to Administrators
- 4 What do you need to do as an Admin?
Less Secure Applications (LSAs)
Apps that are less secure don’t use modern security standards, such as OAuth. Using apps and devices that don’t use modern security standards increases the risk of accounts being compromised. Blocking these apps and devices helps keep your users and data safe.
Less secure apps (LSAs) can make it easier for hackers to break into user accounts and devices. Blocking sign-ins from these apps helps keep accounts safe.
Google considers outside apps (even its own applications, like Gmail) to be “less secure” if they require knowing your password. If your security settings block “less secure apps”, Google will therefore block its own application from sending the email. Learn more about email security here.
Some examples of apps that do not support the latest security standards include:
- The Mail app on your iPhone or iPad with iOS 6 or below
- The Mail app on your Windows phone preceding the 8.1 release
- Some Desktop mail clients like Microsoft Outlook and Mozilla Thunderbird
Managing Access to less Secure Apps
You can allow users to turn access by less secure apps on or off, disable their ability to allow less secure apps, or force users to always allow less secure apps.
- In your Google Admin console, go to Security > Basic settings. Under Less secure apps, select Go to settings for less secure apps.
- On the left, select an organizational unit where you want to manage access to less secure apps.
- If you don’t select an organizational unit, your setting applies to your entire top-level organization.
- If you want an organizational unit to use the same setting as its parent organization, click Use Inherited on the top right.
There are three options to choose from:
- Disable access to less secure apps for all users (Recommended)
- Users can turn on access to less secure apps.
- Access to less secure apps is enabled for everyone.
Disable Access to less secure Apps
While a less secure app has an open connection with a user account, the app will time out when it tries to refresh the connection. Timeout periods vary per app.
Allow users to manage their access to less secure apps
Users can turn on or turn off access to less secure apps.
Enforce access to less secure apps for all users (Not recommended)
Access to less secure apps is required for everyone. Users can’t turn off access to less secure apps. This option isn’t recommended, because it potentially increases the exposure of user accounts to hijacking. Use this option only when you want to ensure that access by a less secure app is available to all users for a limited time, such as during an upgrade.
Once you have chosen an option, click Save on the bottom right.
Google’s Warning to Administrators
This article is for the administrator who manages G Suite in their organization and needs to make the changes recommended by the G Suite Team. The removal of the setting to “Enforce access to less secure apps for all users” from the Google Admin console will commence on 30th October 2019. This setting will disappear from your Admin console by the end of the year. Removing this setting will help keep your users’ accounts secure, as access to less secure apps (LSAs) can inadvertently make Google accounts vulnerable to hijackers.
What do you need to do as an Admin?
The G Suite Team recommends the following for administrators:
- If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
- Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
- Review our list of alternatives to less secure apps.
- Prepare your users and internal help desks for the change.
- Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs.
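To make the difference between an LSA and an OAuth-based client concrete, here is an added example (not from the original article or from Google) showing what “OAuth-based IMAP” looks like at the protocol level: the client presents a SASL XOAUTH2 initial response carrying a bearer token instead of the account password. The address, token and hostname are constructed placeholders; the `imap_connect_oauth` helper needs network access and a real access token to succeed.

```python
import imaplib

# Google's documented SASL XOAUTH2 layout:
#   "user=" <email> ^A "auth=Bearer " <access token> ^A ^A
# The client never sends the account password, which is exactly what
# blocking "less secure apps" is meant to enforce.
def build_xoauth2_string(user: str, access_token: str) -> str:
    """Return the raw (not yet base64-encoded) XOAUTH2 initial client response."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"

def parse_xoauth2_string(s: str) -> tuple[str, str]:
    """Inverse of build_xoauth2_string; rejects anything that is not a bearer-token
    response (useful when validating what a client is about to put on the wire)."""
    if not s.endswith("\x01\x01"):
        raise ValueError("XOAUTH2 response must end with two ^A separators")
    fields = dict(f.split("=", 1) for f in s[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("malformed XOAUTH2 response")
    return fields["user"], fields["auth"][len("Bearer "):]

def imap_connect_oauth(user: str, access_token: str, host: str = "imap.gmail.com"):
    """Authenticate to an IMAP server with XOAUTH2 (the OAuth-based path).
    imaplib base64-encodes whatever the callback returns, so we hand it the raw string.
    The password-based alternative would be conn.login(user, password), which is the
    LSA path that the 'Disable access to less secure apps' setting turns off."""
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda _challenge: build_xoauth2_string(user, access_token).encode())
    return conn

if __name__ == "__main__":
    # Constructed sample values; a real token comes from an OAuth 2.0 flow.
    raw = build_xoauth2_string("alice@example.com", "ya29.CONSTRUCTED-TOKEN")
    print(repr(raw))
    print(parse_xoauth2_string(raw))
```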