Google Workspace has recently announced a series of new password policies that will have a significant impact on how users and third-party apps access Google services. These changes are aimed at eliminating less secure sign-in methods and will be rolled out gradually over the course of the next few years.
One of the key changes being implemented by Google Workspace is the phasing out of Less Secure Apps (LSAs). These are third-party apps or devices that require users to share their Google username and password, posing a security risk by potentially allowing unauthorized access. Google is encouraging the use of “Sign-In with Google,” which utilizes a more secure OAuth authentication method.
The transition away from LSAs will occur in two stages. By June 15, 2024, LSA settings will be removed from the Admin console, and disabled users will no longer be able to access LSAs. Enabled users will have until September 30, 2024, to continue using LSAs. By September 30, 2024, access to LSAs will be completely turned off for all Google Workspace accounts, and protocols like CalDAV, CardDAV, IMAP, POP, and Google Sync will require OAuth for access.
In addition to the changes related to Less Secure Apps, organizations using Mobile Device Management (MDM) systems will also be impacted. Starting on June 15, 2024, MDM push configurations for password-based protocols like IMAP and CalDAV will no longer work for new connections. By September 30, 2024, these configurations will cease functioning for existing users as well. Administrators will need to push Google Accounts using OAuth through their MDM providers to ensure continued access on iOS devices.
Google Sync is also being sunsetted as part of this security overhaul. By June 15, 2024, new users will no longer be able to connect via Google Sync, and by September 30, 2024, existing Google Sync connections will be disabled. Organizations are advised to transition off Google Sync by using OAuth-based methods.
For end-users relying on apps that access Google Accounts with only a username and password, action is required before September 30, 2024. Users should switch to apps that support OAuth or configure app passwords where necessary. Developers must also update their applications to use OAuth 2.0 to maintain compatibility with Google Workspace accounts.
Overall, Google’s updated password policies represent a significant shift towards enhancing user security across its platform. By phasing out less secure authentication methods and promoting the use of OAuth, Google aims to protect user data from potential breaches. Administrators and end-users are encouraged to prepare for these changes well in advance of the deadlines to ensure a smooth transition.