Less Secure Apps: How to Enable Them in Gmail

December 30, 2020 • Devin Partida


If an app or device needs access to any part of your Google account — like your Gmail — it has two options. The first is to use an OAuth token, which allows you to log in without transferring any username or password data. The second is to log in directly to your G Suite account with username and password. Google considers this second type of app to be “less secure apps.”

Google limits the ability of “less secure apps,” or LSAs, to connect to things like Gmail. This means that with certain apps, like older versions of Outlook, some IMAP email clients and CalDV calendars, you won’t be able to log in to Gmail — at least, not with default settings. 

Right now, you can keep using these less secure apps with a quick change to your G Suite settings.

Toggling the Gmail Less Secure Apps Setting to Allow Access

To enable access to less secure apps on your Google account, follow these steps:

  1. Sign in to your Gmail account.
  2. Next, click here to navigate to the Less Secure App Access toggle in your account settings.
    1. You can also navigate to this toggle yourself by clicking on the Security tab on your Google account settings menu. Then, scroll down to the Less Secure App Access button.
  3. Beside the “Allow less secure apps: OFF” setting, click the toggle to turn it on. You should see the setting update to “Allow less secure apps: ON.”
    1. If you have two-step verification enabled, you may not see this option. See below for the steps you can take to enable less secure apps.

You should be able to log in to your Gmail account from the less secure app now. You may need to complete a display captcha before you can connect.

In some cases, however, allowing LSAs won’t be enough to log in with one of these apps.

If your account has two-step verification enabled, you’ll need to follow these steps, instead:

  1. Sign in to your Gmail account.
  2. Go to your Google account settings, and click on the Security tab.
  3. Under “Signing in to Google,” select App Passwords.
  4. At the bottom, choose Select App and pick the app you’re using. Then choose Select Device and pick the device you’re using.
  5. Next, choose Generate.
  6. Follow the instructions to enter your App Password. The password will appear as a 16-character code in a yellow bar on your device.
  7. Once you’ve entered the password, click done.

Typically, you’ll only need to enter the App Password once or twice for a device. 

If your account is managed by an administrator — which is common for work or organizational accounts — your administrator may have disabled access to less secure apps. In this case, changing the setting on your account won’t be enough to enable app access.

Google Plans to Phase Out Access for Less Secure Apps

In 2019, Google announced that the company would eventually ban less secure apps from connecting to G suite accounts altogether. Originally, Google planned to limit app access starting on June 15, then completely block less secure apps starting in February 2021.

In March 2020, however, Google announced that it would be delaying the phase-out indefinitely, primarily due to the impact of COVID-19 on app developers.

Managing Less Secure App Access to Gmail

For the moment, you can still connect less secure app access to Gmail. However, you can’t plan on that always being the case

If you use an app that is less secure, you should plan to upgrade. For some apps, like older versions of Outlook, a quick update may be enough to solve this problem. For others, you may need to wait for an update or switch to an app that is considered secure by Google.

Devices that use less secure sign-in will probably be safer than apps. Some scanners, for example, use “less secure” sign-in methods to log-in to email accounts and send finished scans. 

According to Google’s 2019 blog post, scanners that use simple mail transfer protocol (SMTP) or LSAs to send emails will continue to work, even after the phase-out. Google does, however, recommend you find a scanner that uses OAuth if you upgrade.