Google is rolling out a significant change to how third-party email clients access Gmail accounts for users of its enterprise productivity suite, G Suite.
The company has warned G Suite admins that it will be cutting off "less secure apps" or LSAs from June 2020, and will completely switch off access in February 2021. LSAs include email clients, such as older versions of Microsoft Outlook, which have in the past had access to Gmail data even though they only required a username and password.
Google is tightening up security to prevent phishing attacks against email-client users, attacks that can then be used to gain unauthorized access to Gmail data, particularly where people have reused the same password across multiple sites.
The shift applies to email clients that only rely on a username and password, which Google argues makes Gmail accounts more vulnerable to account hijacking.
Instead, Google wants application developers to support OAuth, the authentication standard used by Google, Facebook, Microsoft, and Twitter to let applications share information with one another without exchanging the user's password.
The OAuth protocol was abused by cybercriminals in 2017 to spread malware via Google services, prompting the company to boost OAuth verification processes. These days, OAuth authentication is pitched as a good solution to prevent phishing attacks.
Google in April banned logins from certain browsers to block MitM-based phishing attacks. In October it also removed the option for G Suite admins to select "Enforce access to less secure apps for all users".
Google warns that in June "legacy email, calendar, and contacts apps" could be affected by its new restrictions. The company will roll out the new policy in two phases, starting on June 15, 2020, which targets newly connected accounts.
"Users who try to connect to an LSA for the first time will no longer be able to do so," Google said on its G Suite Updates blog.
This measure will affect third-party apps that allow "password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV, IMAP, and Exchange ActiveSync (Google Sync)."
This state of affairs will remain in place for eight months, until February 15, 2021. Until that date, users who have previously connected to password-only apps will still be able to use them; after it, access for all LSAs is turned off.
"If a bad actor got access to your username and password (for example, if you re-use the password on another site that is subject to a data breach), they could access your account data with just that username and password information through an LSA," Google explains.
"However, when account access is provided through OAuth, we get more details about the login and can validate it the same way we would with any other login to your account. This means we can better identify and prevent suspicious login attempts, preventing hijackers from accessing the account data even if they have your username and password."
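The practical difference between the two access paths described above, for the IMAP protocol named in the policy, is what the client sends at authentication time: a password-only client issues an IMAP LOGIN with the account password, while an OAuth client issues AUTHENTICATE XOAUTH2 carrying a short-lived, scoped bearer token that the server can tie to a specific authorized app. The example below is added here to illustrate that exchange; it is not Google's code or code from the article. It builds and parses the SASL XOAUTH2 initial client response (the format Gmail's IMAP server accepts), and shows the two Python `imaplib` call shapes side by side. The hostname, account, password and token values are constructed placeholders, and the network functions are included for comparison only and are not executed.

```python
import base64
import imaplib

# --- Offline part: the XOAUTH2 initial client response --------------------

def xoauth2_raw(user: str, access_token: str) -> bytes:
    """Return the unencoded SASL XOAUTH2 response for an IMAP AUTHENTICATE.

    Wire format: "user=" USER ^A "auth=Bearer " TOKEN ^A ^A  (^A is 0x01).
    Note that imaplib's authenticate() base64-encodes whatever the callback
    returns, so the callback must hand back these raw bytes, not base64.
    """
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def xoauth2_encoded(user: str, access_token: str) -> str:
    """The base64 form as it appears on the wire after AUTHENTICATE XOAUTH2."""
    return base64.b64encode(xoauth2_raw(user, access_token)).decode("ascii")


def parse_xoauth2_string(encoded: str) -> dict:
    """Decode a base64 XOAUTH2 response back into its key/value fields.

    Useful when inspecting a captured IMAP session (e.g. during a client
    migration) to confirm a client really moved from LOGIN to XOAUTH2.
    """
    raw = base64.b64decode(encoded).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response: missing terminator")
    fields = {}
    for item in raw[:-2].split("\x01"):
        key, _, value = item.partition("=")
        fields[key] = value
    return fields


# --- Network part (not executed here): the two client call shapes ---------

def login_password_only(host: str, user: str, password: str) -> imaplib.IMAP4_SSL:
    """The 'less secure app' path: the server sees only a username and password.

    Anyone holding the reused or phished password can do exactly this.
    """
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    return conn


def login_oauth(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """The OAuth path: the server receives a scoped, expiring bearer token.

    The token was issued to a registered client for a declared scope
    (Gmail IMAP uses https://mail.google.com/), so the server knows which
    app is connecting and can revoke that grant without a password change.
    """
    conn = imaplib.IMAP4_SSL(host)
    # imaplib calls the lambda with the server challenge (unused by XOAUTH2)
    # and base64-encodes the bytes it returns.
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_raw(user, access_token))
    return conn


if __name__ == "__main__":
    # Constructed sample values; no connection is made.
    sample_user = "alice@example.com"
    sample_token = "ya29.PLACEHOLDER_ACCESS_TOKEN"
    wire = xoauth2_encoded(sample_user, sample_token)
    print("AUTHENTICATE XOAUTH2", wire)
    print(parse_xoauth2_string(wire))
```

Running the script prints the base64 blob a client would send and the decoded fields; the two `login_*` functions are there to make the contrast concrete and would need a real host and, for the OAuth path, a token obtained through a normal OAuth consent flow.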