Tuesday, November 12, 2024
Google Workspace Announced New Password Policies, What is Changing

Google Workspace has announced new password policies that will impact how users and third-party apps access Google services.

The changes, aimed at eliminating less secure sign-in methods, will be implemented in stages throughout 2024.

Here’s what you need to know about the upcoming changes and how they will affect users and administrators.

Phasing Out Less Secure Apps

Google Workspace will no longer support the sign-in method for third-party apps or devices that require users to share their Google username and password.

This method, known as Less Secure Apps (LSAs), poses a security risk by requiring users to share their credentials with third-party apps, potentially allowing unauthorized access.

Instead, Google is encouraging the use of “Sign-In with Google,” which utilizes the more secure OAuth authentication method. The transition away from LSAs will occur in two stages:

  • June 15, 2024: LSA settings will be removed from the Admin console, and users who have LSAs disabled will no longer be able to access them. Users who have LSAs enabled can continue using them until September 30, 2024.
  • September 30, 2024: Access to LSAs will be completely turned off for all Google Workspace accounts. Protocols like CalDAV, CardDAV, IMAP, POP, and Google Sync will require OAuth for access.

Impact on Mobile Device Management

Organizations using Mobile Device Management (MDM) systems will also see changes. Starting June 15, 2024, MDM push configurations for password-based protocols like IMAP and CalDAV will no longer work for new connections.

By September 30, 2024, these configurations will cease functioning for existing users as well.

Administrators will need to push Google Accounts using OAuth through their MDM providers to ensure continued access on iOS devices. 

Google Endpoint Management users should note that custom push configurations for CalDAV and CardDAV will become ineffective after these dates.

Transitioning Away from Google Sync

As part of this security overhaul, Google Sync is also being sunsetted:

  • June 15, 2024: New users will not be able to connect via Google Sync.
  • September 30, 2024: Existing Google Sync connections will be disabled. Organizations are advised to transition off Google Sync by using OAuth-based methods.

Administrators can identify current Google Sync usage within their organization by navigating to Devices > Mobile & Endpoints > Devices in the Admin Console and filtering by Type: Google Sync.

Guidance for Users and Developers

For end-users relying on apps that access Google Accounts with only a username and password, action is required before September 30, 2024.

Users should switch to apps that support OAuth or configure app passwords where necessary. For example:

  • Email Applications: Users of Outlook 2016 or earlier should move to Microsoft 365 or reconfigure their accounts using OAuth.
  • Calendar Applications: Switching to the Google Calendar app or reconfiguring existing apps with OAuth is recommended.
  • Contacts Applications: Users syncing contacts via CardDAV should re-add their accounts using OAuth.

Developers must update their applications to use OAuth 2.0 to maintain compatibility with Google Workspace accounts. Detailed guides are available from Google to assist in this transition.
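For a mail client, the change means replacing the IMAP password login with a SASL exchange that carries an OAuth 2.0 access token. The sketch below is an added example, not code from Google or from this article: it builds the XOAUTH2 client response for Python's `imaplib` and handles the failure path, where the server returns a JSON error challenge and expects an empty reply. The host `imap.gmail.com`, the helper names and the sample address are assumptions, and the access token is assumed to come from a separate OAuth 2.0 authorization flow.

```python
import imaplib
import json


def build_xoauth2(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 initial response; imaplib base64-encodes it for us."""
    for field in (user, access_token):
        if not field or any(ord(c) < 0x20 for c in field):
            raise ValueError("empty field or control character in XOAUTH2 input")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def decode_error_challenge(challenge: bytes) -> dict:
    """On failure the server sends a JSON challenge (imaplib already un-base64s it)."""
    try:
        return json.loads(challenge.decode())
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {}


def make_responder(user: str, access_token: str):
    """authobject for IMAP4.authenticate(): send the token once, then an
    empty reply so the server can finish with a tagged NO instead of hanging."""
    state = {"sent": False, "error": None}

    def respond(challenge: bytes) -> bytes:
        if not state["sent"]:
            state["sent"] = True
            return build_xoauth2(user, access_token)
        state["error"] = decode_error_challenge(challenge)
        return b""

    return respond, state


def imap_connect_oauth(user: str, access_token: str, host: str = "imap.gmail.com"):
    """Open IMAP over TLS and authenticate with a bearer token, never a password."""
    respond, state = make_responder(user, access_token)
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.authenticate("XOAUTH2", respond)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise PermissionError(f"XOAUTH2 rejected: {state['error']}") from exc
    return conn
```

The application never stores the account password; it holds only a short-lived token that the user or an administrator can revoke.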

Google’s updated password policies represent a significant shift towards enhancing user security across its platform.

By phasing out less secure authentication methods and promoting the use of OAuth, Google aims to protect user data from potential breaches.

Administrators and end-users are encouraged to prepare for these changes well in advance of the deadlines to ensure a smooth transition.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.