It’s all about protecting your Google account.
What was once optional and something you could bypass with a setting in your Google account is about to become mandatory.
So-called “less secure apps” will no longer be able to access your Gmail.
That might be a problem if you’re not prepared.
Less secure app access
Signing in to your Google account from an email program with just a username and password will soon stop working. Your alternatives are:
- Move to a new authentication approach, either handled automatically by your email program or by re-creating your email account in that program.
- Set up two-factor authentication and use an app password.
- Switch to using Gmail’s web interface.
Less secure apps
A “less secure app” is an app or program that accesses your Google Mail account using your email address (or a username) and your account password.
They are less secure not only because they offer no opportunity for additional security, like two-factor authentication, but also because Google has to implicitly rely on the security of the app itself. Are they handling your credentials securely? There’s no way to know. And if they’re not, your entire Google account is at risk.
So if you had to provide your email address and password to your email program when you configured it to access your Gmail account, that will stop working once less secure apps are denied after May 30.
The preferred solution
Fortunately, most modern email applications already support the preferred alternative. Using this alternative authentication method, the email program itself never sees your username or password (though of course it sees the email address). Instead, when it comes time to authenticate, it asks the service being used to authenticate you directly.
In the example above, I’m adding a Google Mail account to the Mail program in Windows 11. The Mail program hands off the job of authenticating to Google. While the Mail program is pictured in the background, the “Sign in with Google” dialog box on top of it is being managed by Google. When I sign in to the account, only Google sees my credentials.
Once I’ve signed in successfully, Google gives the Mail program a secure token that says in effect, “Yup, this account has been authorized.” The Mail program saves that token and uses it in all future requests.
Besides not requiring the program to know or store your password, this approach also allows you to use two-factor authentication, if required, when you set up the account.
Of course, your email program must support this type of authentication.
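To make the token hand-off above concrete, here is an added example (not from the original article or from any email program) of how a client presents that token to Gmail over IMAP using the SASL XOAUTH2 mechanism, in place of a password. The wire format, the host name `imap.gmail.com`, all function names, and the sample address and token are assumptions or constructed values that do not appear on this page; obtaining the token through the sign-in dialog is not shown.

```python
import base64
import imaplib
import json

SEP = "\x01"  # XOAUTH2 field separator (Ctrl-A)


def build_xoauth2(email: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 initial response: user=<email>^Aauth=Bearer <token>^A^A."""
    for value in (email, access_token):
        if SEP in value:
            # A separator inside a field would let it smuggle in extra fields.
            raise ValueError("0x01 is not allowed inside a field")
    return f"user={email}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode("utf-8")


def wire_form(raw: bytes) -> str:
    """Base64 text as it appears after 'AUTHENTICATE XOAUTH2' on the wire."""
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2(b64: str) -> dict:
    """Decode a wire-form response back into its fields (what the server sees)."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    fields = {}
    for part in raw.split(SEP):
        if part:
            key, _, value = part.partition("=")
            fields[key] = value
    return fields


def decode_failure(challenge_b64: str) -> dict:
    """On rejection the server sends base64-encoded JSON describing the error."""
    return json.loads(base64.b64decode(challenge_b64, validate=True))


def login_with_token(email: str, access_token: str,
                     host: str = "imap.gmail.com") -> imaplib.IMAP4_SSL:
    """Open an IMAP session using the token; the account password is never sent."""
    conn = imaplib.IMAP4_SSL(host, 993)
    # imaplib base64-encodes whatever the callback returns.
    conn.authenticate("XOAUTH2", lambda _challenge: build_xoauth2(email, access_token))
    return conn


# Constructed sample values, not real credentials.
SAMPLE_EMAIL = "someone@example.com"
SAMPLE_TOKEN = "CONSTRUCTED-ACCESS-TOKEN"
SAMPLE_FAILURE = base64.b64encode(json.dumps(
    {"status": "400", "schemes": "Bearer", "scope": "https://mail.google.com/"}
).encode()).decode()

if __name__ == "__main__":
    wire = wire_form(build_xoauth2(SAMPLE_EMAIL, SAMPLE_TOKEN))
    print("C: A1 AUTHENTICATE XOAUTH2", wire)
    print("server sees:", parse_xoauth2(wire))
    print("on failure :", decode_failure(SAMPLE_FAILURE))
```

Because the token works as a bearer credential, the program still has to store it safely, but unlike a password it can be revoked from the Google account without changing the password.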
An alternate solution
If your email program is incapable of using this new approach to authentication, there is a possible workaround.
- Enable two-factor authentication.
- Use an app password.
App passwords are passwords created by Google that you can use in place of your normal password when configuring your email program. They’re available only when two-factor authentication is enabled for your account.
After enabling two-factor, you can have Google create app passwords here: myaccount.google.com/apppasswords. These passwords will not work for interactive logins, such as when you log in to Gmail.com to check your email, but they do work for POP3, IMAP, and SMTP access as used by your email program.
Once the change is made, your email program will no longer be able to fetch or send email. The question is what you do about it.
- The email program may provide you with Google’s new preferred authentication dialog, and after signing in, you’ll simply be able to carry on.
- The email program may prompt you for your password over and over again. Your account password will not work, but if you have two-factor turned on, an app password should.
- You may need to re-create or re-setup the account in the email program from scratch.
The app password approach is probably the easiest, but it’ll require you to set up two-factor authentication.
If you don’t want to use two-factor authentication and your current email program doesn’t support the new approach to authentication, then you’ll have to upgrade to an email program that does…
…or switch to managing your Google Mail via the web interface. Even this isn’t really a solution, however, since you still want to use an email program to download your email as a backup.
If you currently use Google Mail in an email program like Thunderbird, Microsoft Office Outlook, the Mail program included in Windows, or other third-party email programs, or if you have another email service like Yahoo or Outlook.com “fetch” your Google email using POP3, you’ll need to make a change for that to continue to work. Exactly what your options are depends on your email program.
But if that program suddenly starts failing to access your Gmail account or begins repeatedly asking you for a password, you now know what to do.
45 comments on “What Are “Less Secure Apps” and Why is My Gmail Not Working?”
I use POP Peeper to handle several email addresses (Outlook, Hotmail, Yahoo) and I was wondering why every one of them were starting to throw errors at me, GMail being the latest.
Thank you for the detailed info.
“less secure apps”. That’s a judgement call from the perspective of Google or whatever other service. One entity is calling another entity “less secure”. That does well with Google’s new push to collect all your passwords into their database under your Google account. Maybe it’s more secure, or maybe not.
One interesting aspect about the authentication method described in this article is that after the login authentication is done the job isn’t done. The job is to connect your email application to the Google server to download your emails. That connection happens after the login authentication. If there is any hacking to be done to your Google account it’ll happen after the login and once the connection is established. Don’t get me wrong, I’m not saying these changes are bad, but you need to put them into perspective and keep in mind that they’ll change again because someone will break it.
Although I received a couple of emails from Google about this change, I agree that Google could have given it a bit more attention. After being “told” in a number of places that older versions (I’m still using M$ Outlook 2007) will not work, I found and successfully used the following guide:
I just encourage folks to be sure to WRITE down the App Password!
As always, thank you for all you do (and have done over the years!)!
I do not have a cell phone or any Apps? Seem very expensive with little benefit to me.
I do not have a google account. I looked at Google.com. I did not see anything worth signing up for.
I am fed up with companies telling me to give them my mobile number for two factor authentication. Implying that I have to have one. I looked at the cost. Over a thousand dollars per year for the phone and monthly fees. For that I get a screen smaller than the eight monitors on my PC. And I doubt I could type 60 words a minute like I do on my PC. And I would have to lug the thing around with me everywhere. And remember not to set it down anywhere.
Maybe yakking 23 hours a day is more enjoyable than I realize?
Oh Boy Cecil! Somebody finally said it! How do you and I ever survive without all the BS? I couldn’t relate to any of this, I suppose because I never felt any of it was worth signing up for. Give me simplicity. Please!
Referring to “I did not see anything worth signing up for” on Google. There are still plenty of services on Google without having to sign up. But what’s interesting is that you might actually get LESS when you do have a Google account and log in to look at News or YouTube. If you’re logged in, Google believes it knows more about you than you do and knows what’s best for you. It tailors, limits, filters (I would say censors) the full range of content that it shows you. Heaven forbid if you ever looked at a video of a baseball game – that’s all you’re good for!
Since I have 2FA enabled on my Google account, it seems that I am not affected by the Google ‘security’ change mentioned in this item :)
I have had a ‘free’ (as in paid for by the U.S. Government) LifeLine mobile phone/service for some time (I qualify based on my income). I’m a senior citizen, and if anything happens, the mobile phone can act as a backup during power failures, in emergencies, or when I’m away from home. Last year I used a bit of the Stimulus money provided by the U.S. Government to get a fairly nice/inexpensive Samsung phone that is compatible with my cellular provider’s service (GSM, I think?). I wanted a smart phone that works better than the phones provided free with my LifeLine service (they were slow and had minimal storage/RAM). Now, I have the Microsoft Authenticator App installed on my Samsung phone, and it works very well for me. I have ‘upgraded’ my Microsoft account to make it ‘password-less’. I use a fingerprint scanner (in emergencies a PIN number) to sign into Windows on my PCs. I have 2FA enabled on all my Internet accounts (including email) that support it (I hope my fingerprint scanner becomes supported by these Internet accounts someday – wouldn’t it be nice to simply swipe my finger on the scanner to log into Facebook, Twitter, et-al?). I chose the Microsoft Authenticator app because I use Microsoft’s OS. My logic is that since Microsoft already has access to everything I do (I use their OS), if I use their Authenticator app too, they won’t be getting any information they did not already have access to, and neither will anyone else.
I’m very confused about all this. Starting several weeks ago, I began experiencing a problem which I think is related to this Gmail change.
I have several email accounts, at Gmail and elsewhere. I retrieve my mail through Microsoft Outlook 2003, using POP 3. At some point, instead of downloading my email every 5 minutes, like I programmed it for, Outlook started downloading something like every other day — or even less often. All the other downloads failed, with an error message.
This happened with Gmail and a few other email providers, but at least another provider (my ISP) was unchanged, and kept working normally.
My guess is that Gmail started blocking downloads temporarily, in advance of the cutoff date, in order to make people react (but I haven’t found any announcement to that effect). Also, I supposed that other email providers imitated Gmail.
Now the puzzling part is, I have set up an app password in Outlook and Gmail long ago, together with activating 2FA. This worked perfectly for years, until the recent block. It does not seem I can do anything further with Outlook, and yes, I’m aware that a 2003 program is antique by current standards. Google considers my Outlook as a “less secure app”.
Does anyone have any explanation for my problem ? Is there any way I can go on using Outlook 2003 ?
I would have expected 2003 to keep working. One thing I would check is the configuration of the account — given that it’s been there so long, is it using Google’s recommended configuration for server names and ports?
Thank you, I will check that. The problem is, sometimes it works, sometimes it doesn’t (in fact, it doesn’t work most of the time). Without me doing anything in between. So I thought that if my ports and server names were wrong, it would not work, at all.
Just set up your accounts again in Outlook (as long as they are set up as IMAP, not POP accounts, you will not lose anything, as client will just sync all mail with server again – and if POP, old mails are not gone, you just have to reconnect the PST file to get access to them).
There is really no reason Outlook 2003 should not work. Pay attention to your security settings (SSL etc) and ports used by your mail provider. 99% of the time, problems arise from when a user gets those wrong.
Thank you. If my settings were wrong, I suppose download should never happen. But it sometimes does. Weird.
What do you mean by old mails are not gone with POP ? How does one reconnect the PST file ? I use POP, and I have set up my email accounts so that downloaded emails are deleted from the server.
You might want to refer to this (as I posted earlier):
I am using M$ Outlook 2007 and have both IMAP and POP accounts and all are working just fine.
Also Works on M$ Outlook 2003 (POP3).
Try this: When you log into Google, under the security settings there is a place for “less secure app access”, https://myaccount.google.com/lesssecureapps… There is a switch there to turn that off and on and the switch must be ON to connect to your Outlook 2003. By default the switch is OFF and there is a note that says “On May 30, 2022, this setting will no longer be available”. Today is May 31 and I can still turn that switch to ON and I can connect to my Gmail account and download my emails. But your Gmail account settings in Outlook must be correct (these tend to change).
UNCHECK “Log on using Secure Password Authentication”
Under More Settings Button:
Outgoing Server tab: Check My outgoing server requires authentication
Advanced tab: IMAP port 993, SMTP port 465, check SSL for both
It is now 23:48 on 31st May 2022 and this is the first I have heard about this change. I use gmail on my PC via Outlook 2010 and am now expecting severe problems in the morning!
I hope that I will be able to work through the solution given in the link provided by Carl.
I also have a very old Android phone and a Fire tablet using FireOS, which is based on Android, so it looks as if I am in for a very long day.
The steps in the article worked just fine. Please be aware that the “copy-and-paste” for the App password did NOT work (because there are NO spaces in the actual password). Also, WRITE them down as they will be needed if you have other devices (I have email accounts on multiple machines). Our Android phones automatically opened to the window where the password needed to be changed when I tried to access the email accounts.
It was pretty straightforward. Good luck anyway!
The intent is that if you have other devices you generate a new app password for each.
I haven’t done anything yet, but Outlook 2010 and my phone and tablet are still working OK with Gmail
It was the same for me. I looked at the settings and I noticed that I had specified OAuth2 authentication when I set up Thunderbird. It was the safest option, so I opted for it. It’s possible you had set it up that way, or your devices defaulted to OAuth authentication or something similar.
There really is no excuse for a service NOT to force 2FA to be used.
Many think ‘Well, it’s only an e-mail address, it got hacked and I lost it. I just open up a new one’, but these days that ‘simple’ mail address is so much more and for most of us intertwined in a large web of digital identities. Hence, even if a free mail account, it is valuable and should be duly protected.
I also see some comments that Google will get access to more of our passwords after this change. That’s incorrect. Only way Google has any passwords (albeit encrypted) is if using Chrome and allowing Chrome to collect/manage passwords for online services.
This does not seem to affect stuff like Firefox Gmail plugins, only desktop apps I presume.
From a GHacks article several weeks ago, re Thunderbird: “Thunderbird 91.8.0 includes security updates and makes an important change to Google Mail account authentications. … The biggest change in the point release changes the authentication method for Google mail accounts. It is an automatic conversion that should work without issues for most users. The conversion to oAuth 2.0 is required as Google plans to drop username and password authentication options for third-party apps and devices on May 30, 2022.” I can verify that as of May 31st Thunderbird (91.10.0 – latest update on the release update channel) works just fine with GMail.
Also in the GHacks article: “Thunderbird users who have disabled cookies in the email client will notice that the new authentication method does not work without them. It is required to enable cookies as the OAuth token requires it. Cookies may be disabled after the successful authentication, but since cookies will expire eventually, it would be necessary to re-enable them whenever a new cookie needs to be set.
You may check the cookies setting in Thunderbird in the following way:
Select Tools > Preferences. If you don’t see the menu, tap on the Alt-key to display it.
Select Privacy & Security from the sidebar.
The setting “Accept cookies from sites” determines if cookies are allowed in Thunderbird. Check the box to enable cookies if it is not checked.
You may want to disable accepting third-party cookies while you are at it. There is also a “show cookies” button that lists all stored cookies. You may remove some of them using the interface.”
I didn’t make any changes to my Thunderbird and it still works. I checked my Gmail server settings, and it turns out I’d specified OAuth2 as my authentication method when I set Thunderbird up years ago.
I understand that while desktop versions of Microsoft Office Outlook are included in the list of less secure apps, Microsoft Office 365 Outlook is considered to be safe.
Microsoft Office Outlook is the same program in Office 365 and the version without a subscription. As long as it allows OAuth verification, it’s secure.
I am using the subscription Microsoft Office 365 Outlook to access Gmail via POP. Until this morning everything was fine. Now I’ve run into the problem where it will not connect. You seem to imply that this should not have happened or is there something I have to do to ensure it allows OAuth verification?
Additionally, in reading the article I do not see how to apply Leo’s “The preferred solution” to my existing POP account. Does it only apply when setting up a new account? I don’t want to do something that risks losing all the information I currently have.
Interestingly, I recently added another Gmail account and Outlook automatically used IMAP vice POP. In fact POP wasn’t even an option. It still connects ok.
I’m sympathetic to Cecil and George (some of the first commenters on this thread) as I’m a senior citizen also without a cell phone.
The preferred solution is to set up the account again in Outlook. I was hopeful Outlook would automatically notice and do the right thing, but that’s not the case.
The pragmatic solution is to set up two factor authentication in your Gmail account, then get an App Password, and replace the password used to connect the account in Outlook with the new app password.
Perhaps Outlook has noticed and done the right thing. My POP account resumed downloading properly again this afternoon. Hope that’s the case.
Looks like I spoke too soon. Once again exactly as reported on 6/2.
You think you’ve explained something, but you haven’t. It’s all just jargon nattering with no real world usefulness.
If you’re happy with your email, then none of this applies to you. Be happy.
I’ll make sure to add “nattering” to my list of skills.
Spiro T. Agnew would have listed it as “Nattering Nabob of Networking”
Hi there. I have the reverse problem to the article (I think). I use Gmail (in a browser on my mac) to pull emails from my work email account and to send email through Gmail “as if” from my work account, using an Alias. I’ve had this setup working just fine for years, but my work email has recently changed from “basic authentication” to “modern authentication” and this change has stopped the authentication from being successful (error message includes “Authentication unsuccessful, basic authentication is disabled.”). How do I make Gmail use “modern authentication”, or is it using that already?
I don’t know that you can. Check with your work email folks to see if they support something like app passwords.
It looks like I can no longer use Eudora with Gmail. What email programs can I use?
Thunderbird is a great email program and it handles Gmail’s new security requirements.
You should be able to use Eudora with an app password. You’ll need to turn on two-factor authentication for your account to enable that.
For Eudora itself or for each personal account, Leo? Currently everyone in the family has a personality account with Eudora.
For each GMail account as configured within Eudora.
I’m still confused, is there anyone who is still using Eudora with gmail currently?
It’s ostensibly about protecting your email account. But the fact that it requires Google to collect your phone number (and link it with all your accounts), as well as forcing your email client to accept cookies, makes me think it’s just Google’s way of collecting yet more data on each of us. I’m not a conspiracy theorist, but we can be justifiably suspicious of Google’s motives.
So thank you for the workarounds, I’m sure they do the job. However I’m still searching for a way to continue to use my Outlook 2010 with Gmail without providing a phone number. It might be a futile endeavor.
I have done this.
Enable two-factor authentication.
Use an app password.
Using a key for 2-factor and an app password so that it is possible to use Eudora. It’s been working fine for however long . . . since the change was made.
However, today, could not access with Eudora.
Signed into account, and it is asking do I want to keep my “app password” – of course without any way to respond “yes” – only a “delete” choice.
How to get around the problem? Anyone else having the same problem?
Is it Google’s way of demanding the app password be changed?
Why not simply send an e-mail saying so?