Google will limit the ability of legacy non-Google applications to access G Suite accounts starting in June, to protect users from account hijacking attempts.
Less Secure Apps refer to non-Google apps which have access to Google accounts, but rely only on the username and password combination for login. While this makes it easy for users, it means anyone with the username and password would be able to access G Suite account data through the LSA, even if the account in question has two-factor authentication enabled. OAuth, in contrast, provides that same level of ease for users while also allowing Google to detect and block hijacking attempts.
“If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA,” Google said in the announcement posted on the G Suite Updates blog.
With OAuth, G Suite admins can apply other security controls, such as application whitelisting, scope-based account access, and security keys. Google can use the login details provided through OAuth to detect and block hijacking attempts, even if the attacker has the correct credentials.
“When account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account,” Google said in the post. Many modern apps already use OAuth, so the overall impact to users should be pretty low.
Legacy Apps Affected
Preventing LSA from accessing G Suite account data will primarily affect users of legacy email, calendar, and contacts apps that rely on CalDAV, CardDAV, and IMAP protocols to allow password-only access to G Suite account data. For example, users who link their iOS mail application to access their G Suite email will have to remove and re-add their accounts using the Google account type to automatically use OAuth. Users using stand-alone Outlook 2016 or earlier should use G Suite Sync for Microsoft Outlook, or move to Office 365 or Outlook 2019 as they both support OAuth. Thunderbird users should re-add the Google Account to the email client and configure it to use IMAP with OAuth.
Any LSA linked to the G Suite account would be listed under the Less Secure Apps section in Google Account. Users should switch to equivalent apps that support OAuth.
Developers should update their apps to use OAuth 2.0 if they want to maintain compatibility with G Suite.
The change may also impact some mobile device management (MDM) configurations. G Suite administrators will have to "push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth."
Starting in June
Google announced a two-step approach to turning off LSA-access to give developers time to adapt to the changes and users to move to alternatives. Users who are trying to connect their Google accounts to an LSA for the first time will no longer be able to do so starting June 15, 2020. This change will impact third-party apps that use CalDAV, CardDAV, and IMAP to allow password-only access to Google calendars, contacts, and email. LSAs that are already connected to Google accounts will continue to work at this time.
All access to LSAs will be turned off for all G Suite accounts on February 15, 2021. Google sent notifications to G Suite administrators informing them of the two deadlines. The messages also include a list of users who connected their accounts to LSA and would be affected.
This isn’t Google’s first salvo to limit the LSA. In October, Google eliminated the "enforce access to less secure apps for all users" control from the Google Admin console.