Third Party Apps & LSA

Important Update: Enhancing the Security of Your Google Workspace Access

Dear Valued Customers,

We’re writing to inform you about an important update regarding the security of your Google Workspace accounts. Google is enhancing security measures to protect your data by phasing out less secure app access (LSA) and moving towards OAuth, a more robust authentication method.

What’s Changing?

Starting March 14, 2025, Google Workspace accounts will only allow access to apps using OAuth. This means password-based access (with the exception of App Passwords for specific devices) will no longer be supported. This change applies to various services, including access to Gmail, Google Calendar, and Contacts via protocols like CalDAV, CardDAV, IMAP, SMTP, and POP.

Why the Change?

Basic authentication (using only a username and password) makes accounts more vulnerable to security breaches. OAuth provides a more secure way for apps to access your Google Workspace account by using a digital key, eliminating the need to share your actual password. This significantly reduces the risk of unauthorized access and hijacking attempts.

What You Need to Do:

To ensure uninterrupted access to your Google Workspace services, you need to switch to apps that support OAuth. Here’s what you should do:

1. Identify Affected Apps: Review the list of apps you use that connect to your Google Workspace account. Determine which of these rely on basic authentication (password-only access).

2. Update to OAuth: Contact the developers of any apps that use basic authentication and ask them to update their apps to support OAuth. Most reputable app developers have already made this transition or are in the process of doing so.

3. User Instructions: We’ve prepared detailed user instructions (in this PDF file) to guide your team through the necessary changes. Please share these instructions with your colleagues.

4. MDM Configuration (If Applicable): If your organization uses Mobile Device Management (MDM) to configure IMAP, CalDAV, CardDAV, or POP profiles, you’ll need to update your MDM settings to use OAuth. Google has provided specific guidance for MDM configurations (more details about the settings here).

5. Scanners and Other Devices: For scanners or other devices using SMTP or LSAs to send emails, you have a few options:

   • Configure the device to use OAuth.
   • Use an alternative method for sending emails.
   • Configure an App Password specifically for the device (this is a temporary solution for specific devices).
   • When replacing devices, choose ones that support email sending via OAuth.
     
     

Timeline:

• Already Completed: The LSA settings have been removed from the Google Admin console.
• March 14, 2025: Access to LSAs will be completely turned off. All apps must use OAuth to connect to Google Workspace accounts.
  
  

We’re Here to Help!

Thank you for your understanding and cooperation as we work to enhance the security of your Google Workspace experience. We are committed to providing you with a safe and reliable platform for your business needs.

Google Workspace Blog