How G Suite Security Changes Will Affect Access
It does not take the start of a new year to bring changes in tech. Technology is often changing faster than most people are ready for, yet it is often what people love about technology. There are going to be some major changes coming to Google's G Suite applications in the next 13 months.
This post covers the exact dates of implementation for the changes and what you need to know about them.
How G Suite Security Changes Will Affect Access
Most companies use either Google's G Suite or Microsoft's Office 365 (O365) suite of business productivity applications which includes hosting their domain-based business emails. Both suites provide similar applications and have similar features though there are differences. One major difference is that G Suite applications are mostly web-based while O365 can be installed locally, or web-based. Both include the following applications:
- Word processing
- Spreadsheets
- Presentation software
- Cloud storage / file sharing
- Live chat
- Video streaming
- And more
While G Suite applications are mostly accessed using a web browser, email is often accessed using third-party software. Some users connect Gmail to an email application like Outlook because they have been using Outlook for years and are more comfortable with the software interface. Others like the built-in features of a third-party email application.
However, most email applications, including Outlook, Thunderbird, and email apps on smartphones, use a combination of user id's and passwords to authenticate. Applications using passwords to authenticate are considered "less secure applications" by Google.
If you have set up an Outlook profile connecting to a Gmail account in the last few years, you would have had to configure settings within the G Suite account to allow less secure applications and disable two-factor authentication. This was the only way for a Gmail account to authenticate with the Microsoft Outlook application but changes are coming.
Over the next 13 months, the authentication process between third-party applications and G Suite email, calendar and contacts is going to change dramatically. The first set of changes will occur on June 15, 2020 and the second set of changes will take place on February 15, 2021.
Change #1 - June 15, 2020
Per Google, "Users who try to connect to an LSA for the first time will no longer be able to do so. This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off."
Also, if your organization uses MDM, or Mobile Device Management, the following changes may affect you: "MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for new users."
What this means: Existing profiles configured in third-party applications like Outlook that are connected to G Suite email will continue to function. However, new profiles will no longer be able to authenticate with passwords and will require using OAuth, or Open Authentication. OAuth is an open-source authentication protocol that is becoming the new standard required by G Suite.
What you need to do: No action is needed for existing accounts. However, this will change on February 15, 2021, so it is a good idea to update applications to using OAuth prior to the February deadline to prevent downtime. To set up a new account, be sure you connect with an application that supports OAuth, or when possible, use the "sign in using Google" option which will automatically use OAuth.
Change #2 - February 15, 2021
Per Google, "Access to LSAs will be turned off for all G Suite accounts."
Also, if your organization uses MDM, the following changes may affect you: "MDM push of IMAP, CalDAV, CardDAV, and Exchange ActiveSync (Google Sync) will no longer work for existing users. Admins will need to push a Google Account using their MDM provider, which will re-add their Google accounts to iOS devices using OAuth."
What this means: Existing applications with profiles authenticated with passwords will stop being able to authenticate. Accounts will now need to be connected using OAuth for authentication to work with G Suite email and other applications.
What you need to do: Anyone using an application that used only a password to authenticate will be forced to choose one of the following solutions:
- Switch to accessing their email and other affected applications using a web browser.
- Reconfigure their accounts using software that supports OAuth.
- Or, if their current software does not support OAuth, transition to an application that supports OAuth.
NOTE: This change affects Calendar and Contacts, not just email, though this post focuses heavily on its affects on email and how to transition to the new requirements. For support with email, calendar or contacts affected by these changes, contact Google Support.
For Outlook users: If you are using Outlook 2016 or earlier you will need to upgrade to Outlook 2019 or O365, both of which support OAuth. If you are already using one of those versions and the profile stops working, try re-adding the profile making sure to select an authentication method using OAuth.
For Thunderbird and other email client users: Re-add your profile account using IMAP with the OAuth configuration chosen.
For iOS, MacOS and Outlook for Mac users: Remove and re-add your account. When recreating your account, be sure to select the option to "sign in with Google" which will use the OAuth protocol automatically.
G Suite applications are implementing OAuth for authentication and moving away from user id's and passwords over the next 13 months. Two main deadlines occur during this time. The first deadline, on June 15, 2020, stops the creation of any new profiles connecting to G Suite applications, like email, unless they use OAuth to authenticate. The second deadline, on February 15, 2021, stops existing profiles within third-party software applications from authenticating with G Suite email and other applications unless they use OAuth. Moving forward, these profiles will need to be reconfigured using OAuth to be able to authenticate.
As always, technology and the security of your data will continue to change and the more you know the easier it is to keep up!