Late last year, we
announced a planned change to our security policy, whereby OAuth 2.0 tokens would be revoked when a user's password was changed. We later
decided not to move forward with this change for Apps customers and began working on a more admin-friendly approach, which is now ready to be rolled out.
To achieve the security benefits of this policy change with minimal admin confusion and end-user disruption, we’ve decided to initially limit the change to
mail scopes only, and to exclude
Apps Script tokens. Apps installed via the
Google Apps Marketplace are also not subject to the token revocation. Once this change is in effect, third-party mail apps like Apple Mail and Thunderbird―
as well as other applications that use multiple scopes that include at least one mail scope―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authorizes with their Google account username and password.
Mobile mail applications are also included in this policy change. For example, people who use Apple’s mail application on iOS will now have to re-authorize with their Google account credentials when their password has been changed. This new behavior for third-party mobile mail apps aligns with the current behavior of the Gmail apps on iOS and Android, which also require re-authorization upon password reset.
Please see this
Help Center article and FAQ for more details. The policy change is scheduled to take effect on
October 5, 2016. Moving forward, any additional scopes to be added to the policy will be communicated in advance.
Please note that password changes alone should not be relied upon for account security. If you suspect an account may be compromised, use the
checklist in the Help Center to ensure that your users' accounts are secure.
Launch DetailsRelease track: Launching to both Rapid and Scheduled release on
October 5, 2016Rollout pace:Full rollout (1-3 days for feature visibility)
Impact:All end users
Action:Change management suggested/FYI
More InformationHelp Center and FAQNote: all launches are applicable to all Google Apps editions unless otherwise notedLaunch release calendarLaunch detail categoriesGet these product update alerts by emailSubscribe to the RSS feed of these updates
