G Suite will be removing the setting to “Enforce access to less secure apps for all users” from the Google Admin console starting October 30, 2019. This setting will disappear from your Admin console by the end of year. Removing this setting will help keep your users’ accounts secure, as access to less secure apps (LSAs) can inadvertently make Google accounts vulnerable to hijackers.

What does this mean for my organization?

If the “Enforce access to less secure apps for all users” setting is selected for your domain when this change takes place, we’ll automatically select “Allow users to manage their access to less secure apps” instead. You’ll no longer have the option to enforce access to LSAs at the domain level.

Following this change, if you “Allow users to manage their access to less secure apps,” users will still have the option to access LSAs, provided the “Less secure app access” setting is enabled at the individual user account level. To minimize disruption in domains where we’ve automatically changed the setting from “Enforce access” to “Allow users to manage their access,” this account-level setting will be on by default at the time of the change for all active users of LSAs.

If a user has previously opted to let LSAs access their account, but no LSAs have connected to their account in some time, we’ll turn this account-level setting off for them. They can manually reenable this setting at any time at myaccount.google.com/lesssecureapps (provided their admin allows them to do so).

Whenever possible, users should connect to their account via OAuth. Visit the Help Center to learn more about managing OAuth-based access to connected apps.

What do I need to do?

No action is required on your part, but we recommend the following:

• If you currently enforce access to LSAs in your domain, change your setting to disable access or allow users to manage their access as soon as possible, as LSAs can make Google accounts vulnerable to hijackers.
• Encourage your users to use OAuth-based protocols (like OAuth-based IMAP) to give non-Google apps access to their Google accounts, including their email, calendar, and contacts.
• Review our list of alternatives to less secure apps.
• Prepare your users and internal help desks for the change.
• Update any user guides you’ve previously published to recommend the use of OAuth or to instruct users on how to turn on LSAs.

Get help

If you have additional questions or need assistance, please contact Google support.