Google Workspace Announced New Password Policies, What is Changing

Google Workspace has announced new password policies that will impact how users and third-party apps access Google services.

The changes, aimed at eliminating less secure sign-in methods, will be implemented in stages throughout 2024.

Here’s what you need to know about the upcoming changes and how they will affect users and administrators.

Phasing Out Less Secure Apps

Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password.

This method, known as Less Secure Apps (LSAs), poses a security risk by requiring users to share their credentials with third-party apps, potentially allowing unauthorized access.

Instead, Google is encouraging the use of “Sign-In with Google,” which utilizes the more secure OAuth authentication method. The transition away from LSAs will occur in two stages:

• June 15, 2024: LSA settings will be removed from the Admin console, and disabled users will no longer be able to access LSAs. Enabled users can continue using LSAs until September 30, 2024.
• September 30, 2024: Access to LSAs will be completely turned off for all Google Workspace accounts. Protocols like CalDAV, CardDAV, IMAP, POP, and Google Sync will require OAuth for access.

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try It for Free

Impact on Mobile Device Management

Organizations using Mobile Device Management (MDM) systems will also see changes. Starting June 15, 2024, MDM push configurations for password-based protocols like IMAP and CalDAV will no longer work for new connections.

By September 30, 2024, these configurations will cease functioning for existing users as well.

Administrators will need to push Google Accounts using OAuth through their MDM providers to ensure continued access on iOS devices. 

Google Endpoint Management users should note that custom push configurations for CalDAV and CardDAV will become ineffective after these dates.

Transitioning Away from Google Sync

As part of this security overhaul, Google Sync is also being sunsetted:

• June 15, 2024: New users will not be able to connect via Google Sync.
• September 30, 2024: Existing Google Sync connections will be disabled. Organizations are advised to transition off Google Sync by using OAuth-based methods.

Administrators can identify current Google Sync usage within their organization by navigating to Devices > Mobile & Endpoints > Devices in the Admin Console and filtering by Type: Google Sync.

Guidance for Users and Developers

For end-users relying on apps that access Google Accounts with only a username and password, action is required before September 30, 2024.

Users should switch to apps that support OAuth or configure app passwords where necessary. For example:

• Email Applications: Users of Outlook 2016 or earlier should move to Microsoft 365 or reconfigure their accounts using OAuth.
• Calendar Applications: Switching to the Google Calendar app or reconfiguring existing apps with OAuth is recommended.
• Contacts Applications: Users syncing contacts via CardDAV should re-add their accounts using OAuth.

Developers must update their applications to use OAuth 2.0 to maintain compatibility with Google Workspace accounts. Detailed guides are available from Google to assist in this transition.

Google’s updated password policies represent a significant shift towards enhancing user security across its platform.

By phasing out less secure authentication methods and promoting the use of OAuth, Google aims to protect user data from potential breaches.

Administrators and end-users are encouraged to prepare for these changes well in advance of the deadlines to ensure a smooth transition.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration