
Google is blocking access for those who don’t use OAuth: the affected users


Along the lines of what happened in the past for private users, or in any case for holders of free Google accounts, the Mountain View company is continuing on the path of abandoning older and less secure authentication mechanisms. Starting September 30, 2024, Google Workspace users will no longer be able to use the username and password-based login mechanism to access their account data from third-party applications.

Google has decided to “turn off the taps” for what it calls “Less secure apps”, that is, all those applications manually authorized by users to access their account data. They are called Less secure apps not because, for example, they use unreliable or risky protocols, but because access is granted by entering the username (email) and password of the Google account directly into those same applications.

Google is pushing the OAuth protocol

OAuth 2.0 is a widely used protocol primarily focused on authorization: it allows a user to grant another application limited access to their resources without exposing the actual credentials. It provides a framework for token-based authorization, allowing a client to access user resources stored server-side.

The protocol, among other things, also serves as the basis for OpenID Connect. The latter adds an authentication layer on top of OAuth 2.0 and allows clients to verify the user’s digital identity. Interoperable and internationally supported, OpenID Connect forms the foundation of the new European Digital Identity Wallet.

From the end of next September, therefore, Google will primarily push the use of OAuth by business users. To access the contents of a Google Workspace account, third-party applications will no longer be able to use the username and password; they will instead have to support the OAuth authorization procedure themselves.

App Passwords: Sign in will continue to work

As Google also confirmed in September 2023, as an alternative to accessing Workspace via OAuth, it is possible to set up the App passwords mechanism. After activating two-step verification on your Google account, you can open the App passwords section of the settings and create an “ad hoc” access password for each third-party application that you want to continue using and which, for example, uses protocols like IMAP, POP and SMTP to access Google servers.

The 16-character code generated by Google must be copied and entered on the client side, in the password field of the program you wish to continue using.

At the moment this access method continues to be supported and it is not known whether Google intends to eliminate it in the future. The company led by Sundar Pichai writes: “App passwords are less secure than using updated applications and services that use modern security standards”.

Use an OAuth proxy to update applications that use usernames and passwords

While all major email clients have long since been updated to support OAuth, some third-party applications may not be compatible with this authorization system. This is the case when an application only supports login via username and password.

Email OAuth 2.0 Proxy is an open source tool that adds OAuth support to all those applications that do not provide it. It does so with a simple trick: the script acts as a proxy that sits between the client that does not support OAuth and Google’s servers.

Token management is the responsibility of the script, which, once login is complete, passes on to the client all the requested information as returned by Google.
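The translation step such a proxy performs can be sketched as follows. This is an added example, not code from Email OAuth 2.0 Proxy: it covers only the IMAP LOGIN command, and the names `TOKENS`, `split_imap` and `translate_login`, the account and the token value are all constructed for illustration. It rewrites a legacy username/password login into the SASL XOAUTH2 form that Google's mail servers accept.

```python
import base64
import shlex
import time

# Constructed token cache. A real proxy fills this from the OAuth 2.0
# authorization flow and refreshes entries before they expire.
TOKENS = {
    "alice@example.com": {"access_token": "ya29.constructed", "expires_at": 4102444800},
}


def xoauth2_response(user, access_token):
    """Base64 SASL XOAUTH2 initial response: user=..^Aauth=Bearer ..^A^A."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def split_imap(line):
    """Split an IMAP command into atoms and double-quoted strings."""
    lexer = shlex.shlex(line.strip(), posix=True)
    lexer.quotes = '"'            # IMAP only quotes with double quotes
    lexer.commenters = ""         # '#' is ordinary data, not a comment
    lexer.whitespace_split = True
    return list(lexer)


def translate_login(line, tokens=TOKENS, now=None):
    """Return (destination, data) for one line from a legacy client.

    A 'tag LOGIN user password' command becomes AUTHENTICATE XOAUTH2 for the
    upstream server; the password the client typed is never forwarded.
    """
    now = time.time() if now is None else now
    try:
        parts = split_imap(line)
    except ValueError:            # unbalanced quotes
        return ("client", "* BAD malformed command\r\n")
    if len(parts) != 4 or parts[1].upper() != "LOGIN":
        return ("upstream", line)  # not a LOGIN: pass through untouched
    tag, _, user, _password = parts
    entry = tokens.get(user)
    if entry is None or entry["expires_at"] <= now:
        return ("client", f"{tag} NO [AUTHENTICATIONFAILED] no valid token\r\n")
    blob = xoauth2_response(user, entry["access_token"])
    return ("upstream", f"{tag} AUTHENTICATE XOAUTH2 {blob}\r\n")
```

The point for defenders is that the Google account password never travels upstream: only a short-lived bearer token does, and a missing or expired token fails closed on the client side.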

Opening image credit: iStock.com – tsingha25
