Google: Less Secure Apps and Google Sync Retirement (2024)

Environment

Google, Less Secure Apps, Google Sync

Issue

Google will turn off access to Less Secure Apps starting June 15, 2024, and fully retire the option on September 30, 2024. To continue using these types of apps with your U-M Google accounts, you must switch to a more secure type of access called OAuth 2.0.

Additionally, Google is retiring the Google Sync service on the same timeline.

  • How do I know if I'm using Less Secure Apps?
  • How do I know if I'm using Google Sync?
  • What are common applications that I may be using that use Less Secure Apps to access my U-M Google account?
  • How do I switch to OAuth 2.0?

Resolution

Less Secure Apps

  • Less Secure Apps are non-Google apps that can access your U-M Google account using your @umich.edu email address and U-M password (also known as "basic authentication").
  • Less Secure Apps is an outdated authentication method that puts accounts at additional risk since it requires sharing account credentials with third-party applications and can make it easier for malicious actors to gain access to your account.
    • The industry has adopted a more secure method of authenticating third-party applications called OAuth 2.0, which most modern apps use today.
    • In most cases, you have already connected your U-M Google account to an app using OAuth.
  • ITS does not support the use of third-party, non-Google applications with U-M Google accounts or provide direct support for connecting to OAuth with them. Instead, we provide a detailed guide below to help you determine if you are using less secure apps to access your U-M Google account and how you can switch to OAuth access.

Determine if the Less Secure Apps setting is enabled

  • If you have the Less Secure Apps setting enabled on your U-M Google account, you should have received an email from ITS.
    • This message was also sent to owners of Shared Accounts that have the setting enabled. You will need to log in as the Shared Account in Google to check its settings.
  • To check if you have the setting enabled, go to your Google Account page, click Security from the left navigation, and scroll down to "Less secure app access." (Ensure you're logged in as your U-M Google account before checking.)
    • If it's set to Off, you're good to go! If it's set to On, click on it and toggle the setting to Off.
    • Turning off the setting will help you determine if an app you've connected to uses basic authentication. If it does, the app will sign you out and/or present you with an error the next time you use it because it can no longer connect to your U-M Google account.

Common apps using basic authentication

Below is a list of common apps that use basic authentication with recommendations on what to use instead.

  • Outlook 2016 and older
  • Mozilla Thunderbird
  • Apple Mail app on iOS or Mac and Outlook for Mac app
    • If you connected to these apps using only your password, you’ll need to remove your account from the app and re-add it using OAuth. When you add it back, select the “Sign in with Google” option to use OAuth automatically.
    • Alternatively, use the Gmail mobile app or Gmail on the web.
  • Any application or device set up using password-only access to Gmail, Google Calendar, and Contacts via protocols such as CalDAV (calendars), CardDAV (contacts), IMAP, and SMTP (email)
    • Remove your account from the app or device and re-add it using OAuth. (Look for the "Sign in with Google" option.)
    • Alternatively, use a Google-supported mobile app or web version.
    • IMAP settings will be removed from Gmail on June 15. IMAP is integrated with OAuth. (IMAP settings already configured with less secure apps will continue to work until September 30.)
    • The U-M Authenticated SMTP service is not impacted.

Overall, if you don't use U-M Weblogin to log in to your U-M Google account in an app, then it is most likely using the basic authentication method and needs to be added through OAuth.
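
To show what each method hands to a third-party mail client, the following added example (not part of the original article and not Google's or ITS's code) builds the SASL initial response a client sends over IMAP or SMTP with basic authentication (PLAIN) and with OAuth 2.0 (XOAUTH2), then decodes each one to report which secret the client holds. The address, password, and token are constructed sample values.

```python
import base64

def sasl_plain(user, password):
    """RFC 4616 PLAIN: authzid NUL authcid NUL password (basic authentication)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def sasl_xoauth2(user, access_token):
    """XOAUTH2: user=<address>^Aauth=Bearer <token>^A^A (OAuth 2.0)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def classify(mechanism, initial_response):
    """Decode a SASL initial response and report what the client had to store."""
    raw = base64.b64decode(initial_response, validate=True).decode()
    mech = mechanism.upper()
    if mech == "PLAIN":
        parts = raw.split("\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN response")
        # The reusable account password travels in the response itself.
        return {"user": parts[1], "client_holds": "account password",
                "needs_migration": True}
    if mech == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if "=" in f)
        if "user" not in fields or not fields.get("auth", "").startswith("Bearer "):
            raise ValueError("malformed XOAUTH2 response")
        # Only a bearer token is present; the password never reaches the app.
        return {"user": fields["user"], "client_holds": "OAuth access token",
                "needs_migration": False}
    raise ValueError(f"unhandled mechanism: {mechanism}")

# Constructed sample values, for illustration only.
SAMPLE_USER = "uniqname@umich.edu"
SAMPLE_PASSWORD = "constructed-password"
SAMPLE_TOKEN = "constructed-access-token"

if __name__ == "__main__":
    for mech, resp in (
        ("PLAIN", sasl_plain(SAMPLE_USER, SAMPLE_PASSWORD)),
        ("XOAUTH2", sasl_xoauth2(SAMPLE_USER, SAMPLE_TOKEN)),
    ):
        print(mech, classify(mech, resp))
```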

Google Sync

  • Google Sync is a legacy service that Google ended support for in 2013. However, Google Workspace accounts could continue to use the service if they were already connected to it with their iOS device(s).
  • To check if you are connected via Google Sync on your iOS device:
    1. Open Settings on your iOS device.
    2. Depending on your iOS version, do one of the following actions:
      • Tap Mail and then Accounts.
      • Tap Passwords & Accounts.
    3. Click on your U-M Google account name.
      • If your U-M Google account says “EXCHANGE” above Account and your email address, you are impacted.
  • Disconnect your U-M Google account from your settings. You can then either click "Sign in with Google" to use OAuth or download and use the Gmail mobile app.

Retirement timeline

Access to Less Secure Apps and Google Sync will be turned off in two stages: 

On June 15, 2024:

  • The Less Secure Apps setting will be removed for new users who have never enabled the setting and have the setting turned off.
    • Users who have the setting enabled and had been using it prior to this date can continue to use these apps until September 30.
      • This includes all third-party apps that require password-only access to Gmail, Google Calendar, and Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP. 
  • The IMAP settings will be removed from your Gmail settings. (IMAP is integrated with OAuth when you connect using that method.)
    • Users with IMAP enabled over Less Secure Apps will continue to have access until September 30, even though the settings will be removed from Gmail settings.
  • New users will not be able to connect to U-M Google via Google Sync. Users currently using Google Sync can continue to do so until September 30.

On September 30, 2024:

  • Access to Less Secure Apps will be turned off, and the setting will be removed for all U-M Google accounts.
    • CalDAV, CardDAV, IMAP, POP, and Google Sync will no longer work when signed in with just a password. You must use OAuth.
  • Access to Google Sync will be removed for all U-M Google accounts.

Additional Information

Need additional information or assistance? Contact the ITS Service Center.


Details

Article ID: 12070
Created
Tue 5/7/24 12:48 PM
Modified
Fri 5/17/24 9:45 AM
