Limiting Access to Less Secure Apps for Protecting G Suite Accounts
Google is updating the settings of Less Secure Apps by end of October 2019 for the security purpose of end users. They are disabling the option Enforce LSA’s from admin panel.
From October 30, 2019, Google will be removing the setting to “Enforce access to less secure apps for all users” from the Google Admin console. This setting will disappear from your Admin console by the end of the year.
If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, It will be automatically selected as “Allow users to manage less secure apps” instead. You’ll no longer have the option to enforce access to less secure apps at the domain level.
Following this settings update, if you “Allow users to manage less secure apps” users will still have the option to access less secure apps, provided that “Less secure app access” setting can be enabled at the individual user account level. To minimize service disruption in domains where you’ve automatically changed the setting from “Enforce access” to “Allow users to manage less secure apps”, this account-level setting will be ON by default at the time of the change for all active users of less secure apps.
If a user has previously selected to let less secure apps access the account, but no less secure apps have connected to the account in that time, this account-level setting will be OFF for the user. These users can manually enable this setting at any time by going to myaccount.google.com/lesssecureapps.
Why it’s important
Google is making this change to protect the users. The less secure apps connected to Google accounts using username and password, make those accounts vulnerable for hacking user data whenever possible, users should connect to their accounts via OAuth, a more secure method. OAuth is the setting which allows third-party apps to use Google account information without seeing a user’s password managing OAuth-based access to connected apps and it gives admins security controls like the ability to whitelist certain apps.
How to get started
Admins: No action is required, but Google recommends the following:
Encourage all users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar and contacts.
End users: Users can manually enable the access to less secure apps from their user account.
