G Suite accounts will soon lose the ability to log into apps deemed “less secure” by Google. Less secure apps (LSAs) are those that let you authenticate by entering your username and password, rather than by granting a revocable OAuth access token. G Suite is the enterprise version of Google’s productivity app suite.
With OAuth, account holders can specify which types of data an app can access. G Suite also enables businesses to whitelist specific OAuth apps that employees are allowed to use. By contrast, when you simply hand over a username and password, an app gains essentially unfettered access to the account. And if you’ve used the same password elsewhere, Google says bad actors could access your G Suite account data by signing in through an LSA.
The path of least resistance — Logging in with just a username and password is easy, and we know most people will do what’s easiest despite the risks. But G Suite manages sensitive business communications, so Google needs to give clients peace of mind that it’s providing top-tier security. Slip-ups, even if they’re a result of user error, will rub off on Google. By cutting off LSAs altogether, it heads off some of that risk.
Beginning on June 15, 2020, G Suite accounts will no longer be able to sign into an LSA they haven’t used before. Following that, starting February 15, 2021, G Suite accounts will no longer be able to sign into these apps at all. That timeframe gives developers sufficient time to update their apps if they haven’t already. Google says it’s mostly legacy apps that haven’t been updated with OAuth login yet.