Friday, September 29, 2023

Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported

What’s changing 

As part of our commitment to user safety, Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password. This antiquated sign-in method, known as Less Secure Apps (LSAs), puts users at additional risk because it requires sharing Google Account credentials with third-party apps and devices, which can make it easier for bad actors to gain unauthorized access to your account.


Instead, you’ll need to use the option to Sign in with Google, which is a safer and more secure way to sync your email to other apps. Sign in with Google leverages the industry-standard and more secure OAuth method of authentication already used by the vast majority of third-party apps and devices.


We previously announced this change in 2019, and are now ready to share an updated timeline regarding this change:


Access to Less Secure Apps (LSA) will be turned off in two stages: 
  1. Beginning June 15, 2024:
    • The LSA settings will be removed from the Admin console and can no longer be changed. Enabled users can connect during this time, but disabled users will no longer be able to access LSAs. This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP. 

    • The IMAP enable/disable settings will be removed from users’ Gmail settings.

    • If you’ve been using LSAs prior to this date, you can continue using them until September 30, 2024.

  2. Beginning September 30, 2024:

As part of this change, Google Sync will also be sunsetted: 
  • Beginning June 15, 2024: New users will not be able to connect to Google Workspace via Google Sync.
  • September 30, 2024: Existing Google Sync users will not be able to connect to Google Workspace. Here is how you can transition your organization off Google Sync. To find Google Sync usage in your organization, please go to the Admin Console, navigate to Devices > Mobile & Endpoints > Devices, and filter by Type: Google Sync.


See below for more specific guidance for admins, end users, and developers regarding this change.


Who’s impacted

Admins and end users


Getting Started

Admins
Preparing your end users
In order for your end users to continue using these types of apps with their Google Workspace accounts, they must switch to a more secure type of access called OAuth. You’ll receive more information via email about affected users in your organization in the coming months. We recommend that you share the user instructions (included below) to help them make the necessary changes.


Mobile Device Management (MDM) Impact
If your organization uses a mobile device management (MDM) provider to configure IMAP, CalDAV, CardDAV, POP or Exchange ActiveSync (Google Sync) profiles, these services will be phased out according to the timeline below:
 

June 15, 2024

MDM push of password-based IMAP, CalDAV, CardDAV, SMTP, POP and Exchange ActiveSync (Google Sync) will no longer work for customers who try to connect to an LSA for the first time.

If you use Google Endpoint Management, you will not be able to turn on "Custom Push Configuration" settings for CalDAV and CardDAV.

September 30, 2024

MDM push of password-based IMAP, CalDAV, CardDAV, SMTP and POP will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.


MDM push of password-based Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth.


If you use Google Endpoint Management, “Custom push configuration-CalDAV” and “Custom push configuration-CardDAV” (more details about the settings here) will stop being effective.



Scanners and other devices
If you have scanners or other devices using simple mail transfer protocol (SMTP) or LSAs to send emails, you’ll need to either: configure them to use OAuth, use an alternative method, or configure an App Password for use with the device. 


End users
If you are using an app that accesses your Google Account with only a username and password, take one of the following actions to continue to access your email, calendar, or contacts. If you do not take one of the following actions by September 30, 2024, you will begin receiving an error message that your username-password combination is incorrect and you will not be able to log in. 


Email Applications

Outlook 2016 or Earlier

Move to Microsoft 365 (formerly known as Office 365, a web-based version of Outlook) or Outlook for Windows or Mac, both of which support OAuth access.

Alternatively, you can use Google Workspace Sync for Microsoft Outlook.

Thunderbird or another email client

Re-add your Google Account and configure it to use IMAP with OAuth.

The mail app on iOS or MacOS, or Outlook for Mac, using only a password to log in

You’ll need to remove and re-add your account. When you add it back, select “Sign in with Google” to automatically use OAuth.





Calendar Applications
  • If you use an app that uses password-based CalDAV to give access to your calendar, switch to a method that supports OAuth. We recommend the Google Calendar app [Web/iOS/Android] as the most secure app to use with your Google Workspace account.
  • If your Google Workspace account is linked to the calendar app in iOS or MacOS and uses only a password to log in, you’ll need to remove and re-add your account to your device. When you add it back, select “Sign in with Google” to automatically use OAuth. Read more.


Contacts Applications
  • If your Google Workspace account is syncing contacts to iOS or MacOS via CardDAV and uses only a password to log in, you’ll need to remove your account. When you add it back, select “Sign in with Google” to automatically use OAuth. Read more.

  • If your Google Workspace account is syncing contacts to any other platform or app via CardDAV and uses only a password to log in, switch to a method that supports OAuth.


All Other Applications
If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.



Developers
To maintain compatibility with Google Workspace accounts, update your app to use OAuth 2.0 as a connection method. To get started, follow our developer guide on using OAuth 2.0 to access Google APIs. You can also refer to our guide on OAuth 2.0 for mobile & desktop apps.
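For developers moving an IMAP client off password login, the following added example (not code from this announcement or from Google) shows the SASL XOAUTH2 exchange using Python's imaplib, including the JSON error challenge the server sends when it rejects a token. It assumes an access token has already been obtained through the OAuth 2.0 flow in the developer guide; the class, function and constant names are illustrative.

```python
import base64
import imaplib
import json

GMAIL_IMAP_HOST = "imap.gmail.com"
MAIL_SCOPE = "https://mail.google.com/"  # scope the access token must carry


class XOAuth2:
    """Callable authobject for imaplib.IMAP4.authenticate("XOAUTH2", ...)."""

    def __init__(self, user: str, access_token: str):
        # Reject control characters so neither field can inject extra SASL fields.
        if any(c in user + access_token for c in "\x01\r\n"):
            raise ValueError("control character in user or access token")
        self.response = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
        self.error = None  # filled in if the server rejects the token

    def __call__(self, challenge: bytes) -> bytes:
        # imaplib base64-decodes the challenge and base64-encodes our reply.
        if not challenge:
            return self.response  # first, empty challenge: send the token
        # A non-empty challenge is the server's error report; keep it and reply
        # with an empty line so the server finishes with a tagged NO.
        try:
            self.error = json.loads(challenge)
        except ValueError:
            self.error = {"raw": challenge.decode("latin-1")}
        return b""

    def wire_form(self) -> str:
        """Base64 string as sent on the wire (same payload for SMTP AUTH XOAUTH2)."""
        return base64.b64encode(self.response).decode("ascii")


def imap_connect(user: str, access_token: str, host: str = GMAIL_IMAP_HOST):
    """Open IMAP over TLS and authenticate with a token instead of a password."""
    auth = XOAuth2(user, access_token)
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.authenticate("XOAUTH2", auth)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        detail = auth.error or exc
        raise PermissionError(f"XOAUTH2 rejected ({detail}); need scope {MAIL_SCOPE}") from exc
    return conn
```

The application never sees or stores the account password; it holds only a token that can be revoked without changing the password.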


Users with personal Google accounts: In the coming weeks we will be removing the IMAP enable/disable toggle from your Gmail settings. IMAP access is always enabled over OAuth and your current connections will not be impacted. No action is required of users. 

Availability

  • This change impacts all Google Workspace customers.
