Update, Sept. 04, 2024: This story, originally published Sept. 03, includes an explainer regarding OAuth and passkey technology.
Hot on the heels of a warning about a dramatic rise in the number of attacks targeting Gmail users, comes a timely reminder that Google is about to force Google Workspace users into taking security more seriously. Starting September 30, access to your Gmail account from “less secure apps, third-party apps, or devices that only require a username and password to sign in” will no longer be supported. This latest move is part of an effort to stamp out what Google refers to as an “antiquated sign-in method,” one that puts Gmail users at greater risk of compromise from those who seek unauthorized access to your Google account as it involves sharing your credentials with third-party apps and devices. This forthcoming change impacts all Google Workspace customers, Google said.
Gmail Support For Less Secure Apps Dropped And Google Sync To Be Discontinued
Google made it clear that support for what it calls less secure apps, along with Google Sync, would be dropped in a Google Workspace update posted almost exactly a year ago. The decision to tighten up authentication security in this way was first suggested in December 2019 but, with the impact of Covid taken into account, was suspended in March the following year. Now the deadline for getting your Gmail, plus Calendar and Contact accounts, in order is fast approaching.
Although it might appear that Google is making your life harder, in fact, it’s taking a common-sense approach to the problem of account authentication, which will effectively shrink the threat landscape as it applies to your Gmail account. I cannot emphasize enough how much of a good thing this is and how we should be applauding Google for finally stepping up and addressing the less secure apps issue. Indeed, this follows on from the April 1 implementation of stricter authentication requirements for bulk senders of email to Gmail accounts so as to reduce the volume of malicious spam traffic for users.
Access to all such less secure apps will be discontinued from September 30 unless more secure access is used, Google said: “You will need to login with a more secure type of access called OAuth.” This applies to all Google Workspace accounts, with CalDAV, CardDAV, IMAP, POP and Google Sync all no longer supporting just a password-based login credential.
What Action Gmail Users Need To Take
As previously reported, the less secure apps setting has already been removed from the Google Workspace Admin Console. When it comes to end users, however, Google advises that you need to take action or you will be presented with an error message informing you that your username and password login is incorrect.
- Users of Outlook 2016 or earlier should move to Microsoft 365 or Outlook for Windows or Mac, as these support the required OAuth access.
- Users of Thunderbird or other email clients will need to re-add their Google account and ensure it is configured to use IMAP with OAuth.
- Users of Mail for iOS or macOS, or Outlook for Mac, who aren’t already doing so should ensure they are using “Sign in with Google,” which will automatically use OAuth; to switch, you will “need to remove and re-add your account.”
Google has confirmed that users with personal Gmail accounts will no longer be able to toggle IMAP from their settings as “IMAP access is always enabled over OAuth and your current connections will not be impacted.”
Help for using Gmail with another email client is available in this support posting.
OAuth And Passkeys Explained
OAuth, which is shorthand for Open Authorization, is simply a framework that enables a user to securely share data between applications by allowing sites and services to access resources from other sites and services. This open standard means that a user can give those sites and services access to information without giving them access to your password credentials. There are four roles involved in this process: a resource owner, a third-party client, an authorization server and a resource server. The resource owner is you, the user, and you tell the third-party client (the service, site or application) to share your information but not your login credentials. So how does that work then? I know I said simply earlier, but it’s actually quite complicated. The stripped-down version is that you share your login credentials only with a trusted authorization server, and it is that server which issues a token to enable access for the client. It is this token that the third-party client uses to access the data from the resource server, the site, service or app that you wish to share information from.
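To make the four roles concrete, here is an added Go simulation; it is example code written for this explainer, not Google's implementation and not code from the original article. The account name, password, inbox contents, the `mail-app` client id and the `mail.read` scope are all constructed sample values. The resource owner's password is checked only by the authorization server; the mail app (the third-party client) receives a one-time code, swaps it for a bearer token, and the resource server accepts that token without ever seeing a password. The final helper builds the SASL XOAUTH2 initial response, which is the real framing an IMAP client sends in place of a password once it holds an OAuth token, and is what the Thunderbird and Outlook steps above amount to in practice.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// grant records what an authorization code or access token stands for.
type grant struct {
	owner, client, scope string
	expires              time.Time
}

// authorizationServer is the only role that ever sees the resource owner's password.
type authorizationServer struct {
	passwords map[string]string // owner -> password (constructed sample data)
	codes     map[string]grant  // one-time authorization codes
	tokens    map[string]grant  // issued access tokens
	counter   int               // sequential ids stand in for random values here
}

func newAuthorizationServer(passwords map[string]string) *authorizationServer {
	return &authorizationServer{passwords: passwords, codes: map[string]grant{}, tokens: map[string]grant{}}
}

// authorize: the owner signs in at the authorization server and consents to a scope;
// the client receives only a short-lived code, never the password.
func (as *authorizationServer) authorize(owner, password, client, scope string, now time.Time) (string, error) {
	if as.passwords[owner] != password {
		return "", errors.New("authorization server: bad credentials")
	}
	as.counter++
	code := fmt.Sprintf("code-%d", as.counter)
	as.codes[code] = grant{owner, client, scope, now.Add(time.Minute)}
	return code, nil
}

// exchange trades the one-time code for a bearer token bound to that client and scope.
func (as *authorizationServer) exchange(code, client string, now time.Time) (string, error) {
	g, ok := as.codes[code]
	if !ok || g.client != client || now.After(g.expires) {
		return "", errors.New("authorization server: invalid or expired code")
	}
	delete(as.codes, code) // single use
	as.counter++
	token := fmt.Sprintf("token-%d", as.counter)
	g.expires = now.Add(time.Hour)
	as.tokens[token] = g
	return token, nil
}

// resourceServer holds the mailbox. It validates tokens against the authorization
// server's issued set and never handles a password at all.
type resourceServer struct {
	as    *authorizationServer
	inbox map[string][]string
}

func (rs *resourceServer) readMail(token string, now time.Time) ([]string, error) {
	g, ok := rs.as.tokens[token]
	if !ok || now.After(g.expires) {
		return nil, errors.New("resource server: token rejected")
	}
	if g.scope != "mail.read" {
		return nil, errors.New("resource server: token lacks mail.read scope")
	}
	return rs.inbox[g.owner], nil
}

// xoauth2InitialResponse builds the SASL XOAUTH2 client-first message an IMAP client
// sends in place of a password: base64("user=" + user + "\x01auth=Bearer " + token + "\x01\x01").
func xoauth2InitialResponse(user, token string) string {
	return base64.StdEncoding.EncodeToString([]byte("user=" + user + "\x01auth=Bearer " + token + "\x01\x01"))
}

// runFlow plays the third-party client (a mail app): it ends up holding a token,
// not the owner's password, and uses that token to read the inbox.
func runFlow(as *authorizationServer, rs *resourceServer, owner, password string, now time.Time) ([]string, string, error) {
	code, err := as.authorize(owner, password, "mail-app", "mail.read", now)
	if err != nil {
		return nil, "", err
	}
	token, err := as.exchange(code, "mail-app", now)
	if err != nil {
		return nil, "", err
	}
	mail, err := rs.readMail(token, now)
	return mail, token, err
}

func main() {
	as := newAuthorizationServer(map[string]string{"alice@example.com": "correct horse"}) // constructed
	rs := &resourceServer{as: as, inbox: map[string][]string{"alice@example.com": {"Welcome", "Invoice"}}}
	mail, token, err := runFlow(as, rs, "alice@example.com", "correct horse", time.Now())
	fmt.Println(mail, err)
	fmt.Println("IMAP AUTHENTICATE XOAUTH2", xoauth2InitialResponse("alice@example.com", token))
}
```

The properties worth noticing are the ones the password-only model lacks: the code is single use, the token expires, it is bound to one client and one scope, and revoking it at the authorization server cuts off the app without touching the password.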
OK, so where do passkeys fit into this? Good question, given that passkey adoption is on the rise, with password management app developer 1Password reporting more than 700,000 passkeys created and saved by its users in the last four months of 2023 alone. According to 1Password’s chief product officer, Steve Won, “passkeys are nearly impossible for hackers to guess or intercept because the keys are randomly generated and never shared during the sign-in process.” That’s because a passkey is, in fact, composed of two keys: a unique public key and a private key. The public key is both created and stored on the computers of the company providing the service involved, the account you are trying to access, while the private one is stored on your device, such as your smartphone or laptop. The public key is used to create, in effect, a challenge that only the private key can solve.
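The challenge-and-response idea in that last sentence can be shown end to end. The following is an added Go example written for this explainer, not code from 1Password, Google or the article: the device generates an Ed25519 key pair and registers only the public half with the service, the service issues a fresh random challenge at login, the device answers by signing it, and the service verifies the signature with the stored public key. The service name `mail.example.com` and the account `alice` are constructed. It goes one step beyond the paragraph in one respect: the signed message includes the service's identifier, which is what makes a passkey answer for one site useless at another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// service models the company's servers: it stores public keys only.
type service struct {
	rpID    string                       // the service's own identifier (relying party id)
	pubKeys map[string]ed25519.PublicKey // account -> registered public key
	pending map[string][]byte            // account -> outstanding challenge
}

func newService(rpID string) *service {
	return &service{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// device models the user's phone or laptop; the private key never leaves it.
type device struct{ priv ed25519.PrivateKey }

// newDevice creates the pair on the device and hands back only the public half for registration.
func newDevice() (*device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &device{priv: priv}, pub
}

func (s *service) register(account string, pub ed25519.PublicKey) { s.pubKeys[account] = pub }

// beginLogin issues a fresh random challenge and remembers it so it can be consumed once.
func (s *service) beginLogin(account string) ([]byte, error) {
	if _, ok := s.pubKeys[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[account] = c
	return c, nil
}

// signedMessage binds the challenge to the service identifier, so a signature produced
// for one site cannot be presented to another.
func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// answer is the only operation the private key performs: sign, never reveal.
func (d *device) answer(rpID string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedMessage(rpID, challenge))
}

// finishLogin verifies the signature with the stored public key; the challenge is
// discarded first so a replayed signature fails.
func (s *service) finishLogin(account string, sig []byte) bool {
	c, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account)
	return ed25519.Verify(s.pubKeys[account], signedMessage(s.rpID, c), sig)
}

func main() {
	svc := newService("mail.example.com") // constructed service name
	dev, pub := newDevice()
	svc.register("alice", pub)
	challenge, _ := svc.beginLogin("alice")
	sig := dev.answer("mail.example.com", challenge)
	fmt.Println("login ok:", svc.finishLogin("alice", sig))
	fmt.Println("replay ok:", svc.finishLogin("alice", sig)) // false: challenge already consumed
}
```

Nothing a listener on the wire could capture here lets them log in later: the public key is not secret, the challenge is used once, and the signature is only valid for that challenge and that service.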
This doesn’t mean that passkeys make OAuth obsolete. The passkey can be thought of as a replacement for a username and password to log in to a service, whereas OAuth is required to share data with a third-party service because it securely grants the access token.