Transition from less secure apps to OAuth

Hey there, tech-savvy readers! Big news from the Google front – come autumn 2024, there’s a shake-up in how we access our beloved Gmail, Google Calendar, and Contacts. Say goodbye to the old password routine and wave hello to OAuth, the new sheriff in town when it comes to security. This means no more fretting over potential breaches due to basic authentication vulnerabilities. It’s time to level up our security game and embrace OAuth for safer access to our Google goodies. But fear not, fellow app developers and organizational wizards, for we’ve got your back! Dive into this article for all the tips and tricks to smoothly transition away from the risky business of less secure apps. Let’s keep our digital doors locked tight, shall we?

Keys for your reference

CalDAV stands for Calendaring Extensions to WebDAV. It’s a standard that allows different devices and applications to synchronize calendar information.

Here’s a breakdown of how it works:

  • WebDAV: This is the foundation that CalDAV builds upon. It’s a protocol that enables managing files on a remote server through the familiar HTTP commands (like GET, PUT, DELETE) used on the web.
  • CalDAV: This extends WebDAV to specifically handle calendar data. It uses a format called iCalendar to represent events, appointments, and other calendar items.

With CalDAV, you can:

  • Sync calendars: Add, edit, or delete events on one device and have those changes automatically reflected on all your other devices.
  • Share calendars: Grant access to your calendar information to other people, allowing them to see your schedule or even collaborate on events.

Many calendar apps and web services support CalDAV, including:

  • Apple Calendar
  • Google Calendar
  • Outlook

If you’re using a calendar app that supports CalDAV, you can usually find setup instructions in the app’s settings. These will typically involve providing the server address and login credentials for your calendar service.

Timeline for Transition

From June 15th 2024

If you (or your users) try to connect to a less secure app for the first time, you will not be able to.

  • This restriction includes third-party apps that still use basic authentication (a username and password) over CalDAV, CardDAV, IMAP, SMTP, or POP to access Gmail, Google Calendar, and Contacts.
  • If you’re not trying to connect for the first time, you will be able to continue using the apps until they’re turned off. 
  • In the Google Admin console, you will not be able to access the turn on and off setting for less secure apps. 
  • Users will not be able to turn IMAP on or off in their Gmail settings.

From September 30th 2024

  • Access to less secure apps will be turned off for all Google Accounts.
  • CalDAV, CardDAV, IMAP, SMTP, and POP will no longer work with legacy passwords (basic authentication).
  • Google Sync: As part of the transition to OAuth, Google Sync will also be deprecated because it does not use OAuth for authentication:
    • From June 15th 2024: New users will not be able to connect to their Google Account using Google Sync.
    • From September 30th 2024: Existing Google Sync users will not be able to connect to their Google Account using Google Sync.

You can find the exact dates on the Google Workspace Updates blog.

What you need to do

To continue using a specific app with their Google Account, users in your organization must switch to a more secure type of access called OAuth. OAuth allows apps to access accounts with a digital key instead of requiring a user to enter their username and password. 
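To make "a digital key instead of a username and password" concrete, here is an added example (not code from the original article or from Google) of what an OAuth-based IMAP or SMTP sign-in looks like on the wire: the client presents an access token through the SASL XOAUTH2 mechanism, and a rejected token comes back as a decodable JSON status rather than a "wrong password" error. The user, token and host values are constructed placeholders; obtaining the token through the OAuth consent flow is outside this snippet.

```python
import base64
import imaplib
import json

# Constructed sample values; a real token comes from the OAuth 2.0 consent flow
# and must carry the https://mail.google.com/ scope for IMAP/SMTP access.
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "ya29.constructed-access-token"


def xoauth2_sasl(user: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial client response: user=<email>^Aauth=Bearer <token>^A^A
    (^A is byte 0x01). The account password is never sent; the bearer token is
    the 'digital key', and it can be revoked without changing the password."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("0x01 separator byte is not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def smtp_auth_line(user: str, access_token: str) -> str:
    """SMTP carries the same response base64-encoded on a single AUTH line."""
    return "AUTH XOAUTH2 " + base64.b64encode(xoauth2_sasl(user, access_token)).decode("ascii")


def decode_rejection(challenge: bytes) -> dict:
    """On a bad or under-scoped token the server does not say 'wrong password';
    it sends a base64 JSON object such as {"status":"401","scope":...} after "+ ".
    Decoding it tells an admin whether the token expired, lacked scope, or was revoked."""
    return json.loads(base64.b64decode(challenge).decode("utf-8"))


# Constructed example of such a challenge, as it appears in a capture or an SMTP 334 reply.
SAMPLE_REJECTION = base64.b64encode(
    b'{"status":"401","schemes":"bearer","scope":"https://mail.google.com/"}'
)


def imap_connect_with_token(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Authenticate to an IMAP server with the token. imaplib base64-decodes the
    server challenge before calling back and base64-encodes what we return."""
    def respond(challenge: bytes) -> bytes:
        if challenge:  # a non-empty challenge is only sent when the token was rejected
            raise RuntimeError(f"XOAUTH2 rejected: {json.loads(challenge)}")
        return xoauth2_sasl(user, access_token)

    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", respond)
    return conn
```

A client that still sends `LOGIN user password` is exactly what the timeline above turns off; one that sends the XOAUTH2 response keeps working, and the token can be scoped and revoked independently of the account password.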

We recommend that you share the instructions in this article with your users to help them make the necessary changes. If your organization uses custom tools, ask the developer of the tool to update it to use OAuth. Developer instructions are also included below on this page. 

If your app does not support OAuth, you will need to switch your organization to an app that offers OAuth or contact the supplier and request that they add OAuth as a way of connecting your managed Google Accounts.

Mobile device configuration

If your organization uses mobile management to configure IMAP, CalDAV, CardDAV, POP, or Microsoft Exchange ActiveSync (Google Sync) profiles, those services will be phased out on the following timeline:

From June 15th 2024—Pushing password-based IMAP, CalDAV, CardDAV, POP, and Exchange ActiveSync (Google Sync) accounts with mobile management will not work for customers connecting for the first time. If you use Google endpoint management, you will not be able to turn on Custom push configuration for CalDAV and CardDAV.

From September 30th 2024—Pushing password-based IMAP, CalDAV, CardDAV, and POP accounts with mobile management will no longer work for existing users. You will need to push a user account using your mobile management provider, which will re-add your user accounts to iOS devices using OAuth. If you use Google endpoint management, Custom push configuration-CalDAV and Custom push configuration-CardDAV will no longer work. For more details about these settings, go to Account Configurations.

From September 30th 2024—Mobile management pushes of password-based Exchange ActiveSync (Google Sync) will no longer work for existing users. You will need to push a user account using your mobile management provider, which will re-add your user accounts to iOS devices using OAuth. For more details, go to Apply settings for iOS devices.

Note: Auto push configuration, which uses OAuth, will continue to work.

Other less secure apps

If you can reach the developer of the application, ask them to add support for OAuth.

Printers, scanners & other devices

For scanning devices or any other devices that use SMTP or less secure apps to send email messages, you can use either of the options below:

Note: If you replace the device, choose one that supports sending email using OAuth.

Spreading the word to your users

Any user with an app that accesses their managed Google Workspace Account with only a username and password will need to follow the instructions outlined below to switch to a more secure method, so they can keep accessing their email, calendar and contacts without interruption.

Please note: If no action is taken, users will see the error message “Your username-password combination is incorrect” once less secure app access is discontinued.

Email:

  • Users of stand-alone Microsoft Outlook 2016 or earlier: move to Microsoft Office 365, i.e. the web-based version of Outlook, or Outlook for Windows or Mac, all of which support OAuth access. Alternatively, set up Google Workspace Sync for Microsoft Outlook (GWSMO) for your organization. For more details, go to Get ready & install GWSMO.
  • Users of Mozilla Thunderbird or another email client: remove your Google Workspace Account, then re-add it, configuring it to use IMAP with OAuth.
  • Users of the Mail app on iOS or macOS, or Outlook for Mac: if you use only a password to sign in:
    • Remove and re-add your Google Account.
    • Click Sign In with Google to automatically use OAuth.

Calendar:

  • If you use an app that relies on password-based CalDAV to access your calendar, switch to a method that supports OAuth, preferably the Google Calendar app, which is a secure app to use with your Google Workspace Account. For more information, go to Access Calendar.
  • If your Google Workspace Account is linked to the Calendar app on iOS or macOS and uses only a password to sign in:
    • Remove and re-add your account to your device.
    • Click Sign In with Google to automatically use OAuth.

To access more information, go to Add Google Calendar events to Apple Calendar.

Contacts:

  • If your Google Workspace Account syncs contacts to iOS or macOS through CardDAV and uses only a password to sign in:
    • Remove and re-add your account.
    • Click Sign In with Google to automatically use OAuth.
  • If your Google Workspace Account syncs contacts to any other platform or app through CardDAV and uses only a password to sign in, switch to a method that supports OAuth.

How to set up an app password

  • In your Google Account settings, select Security.

Selecting Security

  • Then select 2-Step Verification.

  • Scroll down until you see App Passwords.

Finding the App Password section

  • Specify the name you would like to give to your App Password.

Creating an App Password

  • You will get a 16-character code.

16-Character Code provided for the App Password

  • You have now generated an app password.