Google to Force OAuth in G Suite to Increase Security

Google announced that it will block less secure apps (LSAs) from accessing G Suite account data starting February 2021, following an initial stage of limiting their access during June 2020.

This announcement follows the removal of the “Enforce access to less secure apps for all users” setting from the Google Admin console on October 30, 2019.

LSAs are non-Google apps that access Google accounts using only a username and password pair, which exposes the people who use them to account hijacking attacks.

The practice of sending a username/password pair with every authentication request an app makes when connecting to a server, an endpoint, or an online service is also known as basic authentication or proxy authentication.

While this simplifies the authentication process, it also makes it a lot easier for potential attackers to steal the user’s credentials when connections are not secured using Transport Layer Security (TLS) or to obtain them via credential dumps following a data breach.

Moving to OAuth-based authentication

By switching to software with OAuth support, users immediately benefit from increased security, because Google can then block attackers from logging into their accounts even if those attackers somehow steal their credentials.

“Users who try to connect to an LSA for the first time will no longer be able to do so” starting June 15, 2020, Google says in a post published today.

“This includes third-party apps that allow password-only access to Google calendars, contacts, and email via protocols such as CalDAV, CardDAV and IMAP. Users who have connected to LSAs prior to this date will be able to continue using them until usage of all LSAs is turned off.”

After February 15, 2021, access to LSAs will be shut down completely for all G Suite accounts according to Google.

Google advises developers to update their apps to use OAuth 2.0 as a connection method to maintain G Suite account compatibility and provides help on how to use OAuth 2.0 to access Google APIs.

The company also provides information and advice on how to get started with the move to secure OAuth access in order to keep accessing email, calendar, or contacts.
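As an added example (not from the original article or from Google), the Python code below classifies IMAP authentication commands to find clients that still send the account password, which is what makes an app an LSA, as opposed to clients using the OAuth 2.0 XOAUTH2 mechanism. The sample commands, addresses, passwords and token are constructed, and `audit_imap_auth` and `password_clients` are hypothetical helper names.

```python
import base64
import shlex

def xoauth2_response(user, access_token):
    """SASL XOAUTH2 initial client response: an OAuth 2.0 bearer token, no password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def audit_imap_auth(line):
    """Classify one IMAP client auth command as (mechanism, user, carries_password)."""
    parts = shlex.split(line)
    if len(parts) < 4:
        return ("unknown", None, False)
    cmd = parts[1].upper()
    if cmd == "LOGIN":
        # LOGIN sends the account password itself as an argument.
        return ("LOGIN", parts[2], True)
    if cmd != "AUTHENTICATE":
        return ("unknown", None, False)
    mech = parts[2].upper()
    try:
        # Initial response given on the command line (SASL-IR form).
        blob = base64.b64decode(parts[3], validate=True).decode("utf-8", "replace")
    except ValueError:
        return (mech, None, False)
    if mech == "PLAIN":
        # PLAIN is authzid NUL authcid NUL password: base64 is encoding, not encryption.
        fields = blob.split("\x00")
        return ("PLAIN", fields[1] if len(fields) == 3 else None, True)
    if mech == "XOAUTH2":
        kv = dict(f.split("=", 1) for f in blob.split("\x01") if "=" in f)
        return ("XOAUTH2", kv.get("user"), False)
    return (mech, None, False)

def password_clients(lines):
    """Users whose client still authenticates with a password (LSA behaviour)."""
    return sorted({u for _, u, pw in map(audit_imap_auth, lines) if pw and u})

# Constructed sample commands; addresses, passwords and token are made up.
SAMPLE = [
    'a1 LOGIN alice@example.com "constructed-password-1"',
    "a2 AUTHENTICATE PLAIN "
    + base64.b64encode(b"\x00bob@example.com\x00constructed-password-2").decode(),
    "a3 AUTHENTICATE XOAUTH2 "
    + xoauth2_response("carol@example.com", "constructed-access-token"),
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_imap_auth(entry))
    print("still password-based:", password_clients(SAMPLE))
```

The helpers return only the mechanism and account name, never the decoded password, so the output can be kept in a migration inventory without storing credentials.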

Microsoft also moving to modern auth

Microsoft also announced in September that basic authentication will be turned off in Exchange Online for Exchange ActiveSync (EAS), POP, IMAP, and Remote PowerShell starting October 13, 2020.

That followed a previous announcement made last year about plans to stop supporting and fully remove Basic Authentication support in Exchange Web Services (EWS) API for Office 365.

“Customers are encouraged to move to apps that support Modern Authentication prior to the Basic Authentication removal in October 2020,” Microsoft said at the time.

“After October 2020 apps will not be able to use Basic Authentication when connecting to Exchange Online. This change only affects commercial M365 at this time, not our consumer service Outlook.com users.”

To disable Exchange Online basic auth before it is decommissioned, you have to create auth policies and assign them to individual users by following the procedure detailed on Microsoft’s Exchange Online support website.

Read the original article over at BleepingComputer.com.