Less Secure Apps being killed off by Google in February - Help?

entelechy

Active member
What's next if Google is killing off Less Secure Apps. My emails are routed through gmail, do I have to use a different SMTP or is there a better way around this?
 
It just means if you use a third-party app that asks for your Google login info (email and password), they won't be allowed any longer. And honestly third-party apps that ask for them shouldn't be used because well... they ask for your password. Google has long had a better authentication system for third-party apps (OAuth2) that makes it so you can give permissions for an app to use your Google account without giving them your password.

Third party apps will still be allowed, they just need to be better about their security practices.
 
I have to use less secure apps for my XF email sending though. My concern is that in February my email for the forum will stop being able to work
 
Do you have a source for this? I remember reading about them removing the less secure option as a default in Gsuite, but haven't heard they are removing the user option altogether.

If they are removing it, that seems problematic for XF since it relies on user/pass to access email. No option to connect to Gmail via the Oauth method i.e. for bounce email handling.

I just got an email from them. Appears that if you already enabled less secure apps they will continue to function at least until Feb 2021. That gives some time, at least. Thought it was Feb next year. Also this was a G Suite email, I don't know if the same applies to regular Gmail accounts.

Access to LSAs will be turned off in two stages:
  1. June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.
  2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
 
Last edited:
If you only use G Suite to send emails via SMTP it shouldn't have an impact.

"No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. "​

SMTP should still work - you're not logging into your account when you send via SMTP, just authenticating against their mail gateway.

However, if you're using a G Suite mailbox and IMAP for your Automated bounce email handler or Automated unsubscribe email handler, then these will likely stop working by June 2020.

As an alternative to sending forum mails via Google, I am almost ready (hopefully by the end of this week) to release a free addon which allows you to send email via SparkPost and includes full bounced email and unsubscribe support - no mailbox required. SparkPost accounts start at US$20 per month.
 
I haven't looked too much into it, but Google has an option where you can generate an app-specific password. It yields the same end results (not giving out your Google account password), so maybe they aren't going to be turning it off and you can just use that:


For them to disable access to email via POP3 and IMAP protocols and only allow access via Gmail API... they would essentially be removing the ability to access email via those protocols completely. And even then if they did do that, it's also not terribly difficult to utilize the Gmail API for sending and receiving instead of SMTP/POP3/IMAP. In fact, I have a XenForo addon that does exactly that (the "Link Gmail Account" button is for OAuth2 setup)...

1576527276682.webp
 
Do you have a source for this?

Yep sure, sorry to everyone for bombing this thread but it's an email I received from GSuite so have to copy-paste:


Starting February 15, 2021, G Suite accounts will only allow access to apps using OAuth. Password-based access will no longer be supported.
Dear Administrator,

We’re constantly working to improve the security of your organization’s Google accounts. As part of this effort, and in consideration of the current threat landscape, we’ll be turning off access to less secure apps (LSA) — non-Google apps that can access your Google account with only a username and password, without requiring any additional verification steps. Access through only a username and password makes your account more vulnerable to hijacking attempts. Moving forward, only apps that support a more modern and secure access method called OAuth will be able to access your G Suite account.

Access to LSAs will be turned off in two stages:

  1. June 15, 2020 - Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.
  2. February 15, 2021 - Access to LSAs will be turned off for all G Suite accounts.
What do I need to do?
To continue using a specific app with your G Suite accounts, users in your organization must switch to a more secure type of access called OAuth. This connection method allows apps to access accounts with a digital key instead of requiring a user to reveal their username and password. We recommend that you share the user instructions (included below) with individuals in your organization to help them make the necessary changes. Alternatively, if your organization is using custom tools, you can ask the developer of the tool to update it to use OAuth. Developer instructions are also included below.

MDM configuration
If your organization uses a mobile device management (MDM) provider to configure CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:

  1. June 15, 2020 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users.
  2. February 15, 2021 - MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.
Other less secure apps
  • For any other LSA, ask the developer of the app you are using to start supporting OAuth.
  • If you use other apps on iOS or MacOS that access your G Suite account information through only a password, most access issues can be resolved by removing then re-adding your account. When you add it back, make sure to select Google as the account type to automatically use OAuth.
Scanners and other devices
No change is required for scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails. If you replace your device, look for one that sends email using OAuth.

User instructions
If you are using an app that accesses your Google account with only a username and password, take one of the following actions to switch to a more secure method and continue to access your email, calendar, or contacts. If you do not take one of the following actions, when LSA access is discontinued after February 15, 2021, you will begin receiving an error message that your username-password combination is incorrect.

Email
  • If you are using stand-alone Outlook 2016 or earlier, move to Office 365 (a web-based version of Outlook) or Outlook 2019, both of which support OAuth access. Alternatively you can use G Suite Sync for Microsoft Outlook.
  • If you are using Thunderbird or another email client, re-add your Google Account and configure it to use IMAP with OAuth.
  • If you are using the mail app on iOS or MacOS, or Outlook for Mac, and use only a password to login, you’ll need to remove and re-add your account. When you add it back, select “sign in with Google” to automatically use OAuth.
Mac OSiOS
mail app view Mac OS
mail app view iOS

Calendar
  • If you use CalDAV to give an app or device access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your G Suite account.
  • If your G Suite account is linked to the calendar app in iOS or MacOS and uses only a password to login, you’ll need to remove and re-add your account to your device. When you add it back, select “sign in with Google” to automatically use OAuth. Read more
Contacts
  • If your G Suite account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to login, you’ll need to remove your account. When you add it back, select “sign in with Google” to automatically use OAuth. Read More
  • If your G Suite account is syncing contacts to any other platform or app via CardDAV and uses only a password to login, switch to a method that supports OAuth.
Note: If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth, or ask your admin to contact the supplier of your app and request that they add OAuth as a way of connecting your Google account.

Developer instructions
To maintain compatibility with G Suite accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.

How can I get help?
If you have additional questions or need assistance, please contact G Suite support. When you call or submit your support case, reference issue number 145694552.

Thanks for choosing G Suite.

—The G Suite Team
 
Is there an update regarding this issue? What is recommended for forums using gsuite as a bounced email handler?
 
Back
Top Bottom