Updated September 30, 2024: This article was originally published on September 29 and includes new details about weaknesses in password security.
Millions of Gmail users will face new password rules designed to make the world’s most popular free email service more secure when they go to work on Monday, September 30th. Google will no longer support access to Gmail account data from apps that are considered less secure, from third parties, or even from devices whose login is protected only by a username and password. Here’s what you need to know:
Goodbye Google Sync, goodbye less secure app support (for Gmail users)
If the news that Google is undertaking a major overhaul of password security across the board comes as a surprise, you haven’t been paying attention. From introducing passkeys for Chrome web browser users on Windows, macOS, Linux, and Android to post-quantum encryption to prevent attacks, Google has been hard at work on security all month. Regarding this particular Gmail password security update, Google has been actively working on it for 12 months since announcing it a year ago. To eliminate the outdated username and password login method and reduce the risk of security breaches for Gmail users, Google is requiring all Google Workspace customers to log in with a more secure type of access. That access method is OAuth. You can learn more about OAuth in this article that warns you about upcoming changes. The new Gmail app access password rules apply to all Google Workspace accounts, and CalDAV, CardDAV, IMAP, POP, and Google Sync no longer support password-based login credentials.
Which Gmail users are affected by the new app password expiration?
New security rules about accessing Gmail data from less secure apps apply to all customers using the Google Workspace suite of tools. In fact, the settings for less secure apps have already been removed from the Google Workspace admin console to ease the transition by preventing new accounts from being added using this method. Individual Gmail account holders are not affected, but as Google notes, “IMAP access is always enabled via OAuth, and current connections will be disabled.” The option to switch the Internet Mail Access Protocol, known as IMAP, on or off will no longer be available. However, for users (not admins) of Google Workspace Gmail accounts, Google recommends three specific actions that take effect today.
If you’re using Outlook 2016 or earlier, you need to migrate to Microsoft 365 or Outlook for Windows or Mac. If you’re using Thunderbird or another email client, you’ll need to re-add your Google account and configure it to use IMAP with OAuth. If you use email on iOS or macOS, you must enable OAuth using the Sign in with Google option. This requires deleting and re-adding the account.
Yubico research reveals worrying lack of password security awareness
New research from hardware security key vendor Yubico not only justifies Google’s decision to take drastic steps to reduce access to Gmail accounts by less secure apps, but also shines a spotlight on why it is necessary. The Global State of Authentication survey asked 20,000 people around the world, including in the US and UK, about authentication to understand the general public’s perception of risk.
Unsurprisingly, more than half (58% personal and 54% professional) said they use a username/password combination to log into their accounts. Similarly, it’s not too surprising that 39% believe this is the most secure method of account authentication, and 37% believe the same about using SMS-based two-factor authentication. Shockingly, 40% also say they don’t think the apps and services they use are doing enough to protect them and their data. However, around a quarter (22%) had never conducted any type of personal cybersecurity audit to see if they could be doing more.
“Most cyber-attacks are due to theft of login credentials, so it’s alarming that so many people still rely on this outdated authentication method, and it’s not just a matter of change. Clearly not,” said Derek Hanson, vice president of standards and alliances at Yubico. “It is of paramount importance to the future of the world around the Internet and online life.” The good news is that “NIST identity in the United States will influence the expanding definition of what security solutions are acceptable. There is impactful work being done at the federal level, including revised guidelines,” Hanson concluded. I hope that Google’s efforts will further increase this global impact.