On the Lambda

Programming, Technology, and Systems Administration

What are “Less Secure Apps” in Google?

May 4th, 2017 · No Comments · IT News, security

If you’ve tried to use Outlook or another traditional e-mail client with GMail, you may have run into this requirement to enable “Less Secure Apps”. There are other situations that may prompt you to turn this on, as well. What does that mean? Why does it matter? I think I can explain.

Google, by default, uses an authentication protocol known as OAuth (specifically, OAuth 2). When you sign in with OAuth, you sign in to Google’s system directly. This is true even when you sign in for a third-party app. With a correct OAuth implementation, the app redirects you to Google’s sign-in page, and you never type your password into a place the app can see directly. Once you have signed in, Google issues a special OAuth token to the app, which can then validate the token and trust that you have signed in properly.

There are several reasons this is important:

  1. By controlling the login form, Google can limit and monitor attacks attempting to discover passwords via brute-force login attempts.
  2. Controlling the login form also allows Google to protect you against a malicious or incompetent app that might not handle your password in an appropriate way.
  3. You don’t have to share (and risk compromising) a password that, let’s be honest, you probably re-use at every other internet service you have.
  4. By tracking tokens, Google allows you to revoke tokens for compromised devices or applications.

A LessSecureApp, then, is anything that doesn’t use OAuth.
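As an added example (not code from the original post), here is in Python what an OAuth-capable mail client does instead of handing Google your password: it builds the redirect to Google’s own sign-in page (with a per-session state value and PKCE), validates the callback, and then presents the resulting access token to Gmail’s IMAP/SMTP servers as a SASL XOAUTH2 response rather than a password. The endpoint, scope and XOAUTH2 format are Google’s documented values; client ids, redirect URIs and tokens used with these functions are placeholders, and the code-for-token exchange at the token endpoint is a network call that is left out.

```python
import base64
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2 authorization endpoint and the scope Gmail IMAP/SMTP clients request.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
MAIL_SCOPE = "https://mail.google.com/"


def code_challenge_from_verifier(verifier: str) -> str:
    """PKCE (RFC 7636, S256): the challenge travels in the redirect, the verifier
    stays with the app, so an intercepted authorization code alone is useless."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Step 1: send the user to Google's own sign-in page. The app never renders a
    password field; it learns the outcome only through the redirect back."""
    params = {
        "client_id": client_id,  # placeholder values are fine for a dry run
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": MAIL_SCOPE,
        "access_type": "offline",  # request a refresh token so the client keeps working
        "state": state,  # random per-session value, checked again on the callback
        "code_challenge": code_challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect from Google and extract the one-time code, which
    the app then trades (with the verifier) for tokens at Google's token endpoint."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "error" in qs:
        raise ValueError(f"authorization refused: {qs['error'][0]}")
    return qs["code"][0]


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Step 3: what the mail client sends over IMAP/SMTP in place of a password, the
    SASL XOAUTH2 initial client response in Google's documented format."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_xoauth2(initial_response: str) -> dict:
    """Inverse of the above, e.g. to inspect what the server actually receives."""
    raw = base64.b64decode(initial_response).decode("utf-8")
    return dict(field.split("=", 1) for field in raw.split("\x01") if field)
```

Note that the token, not the password, is what ends up on the device, which is exactly why revoking the token later cuts that device off without exposing the account.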

Let me give you a couple of scenarios where this matters. Let’s say that you connect an online service to your Gmail account, maybe something like Siri or IFTTT (If This Then That). Later, the service is breached or hacked. Because LessSecureApps are disabled and you authenticate via OAuth, that breach does not include your Gmail password. This might be extra important if, say, that Gmail account is where confirmation messages are sent when someone tries to change the password at your bank’s web site. This helps you whether you use a mobile device or a desktop that never even leaves your house.

In another scenario, you use a laptop, tablet, or smart phone, and the device is stolen. With Less Secure Apps on (simple username/password authentication), the thief now has full access to your Gmail account. But with Less Secure Apps disabled you can log into Google and revoke the token issued for that device. The most the thief can see are the messages stored on the device locally. Even a thief who immediately accesses the device, before the token is revoked, will not be able to recover your original password from the device. The thief will not be able to use the account to reset access to other services, like a bank or credit card account.

If it’s such a big deal to enable Less Secure Apps, the question now is why Google allows it at all. Aside from the cynical view that it would cost them too many Outlook users, there are some legitimate uses for this ability. Where I work, we occasionally need to do a mail merge that cannot easily be done through Google’s own service, but is very easy through Outlook. In this case, I will enable Less Secure Apps, do the mail merge, and then disable Less Secure Apps again. This works for us because the situation only comes up a few times per year.

In practice, I strongly recommend leaving Less Secure Apps disabled. If you are able to turn on two-factor authentication (which you really should do anyway), Google provides an alternative Per-App Password mechanism, so you can use that instead of Less Secure Apps.
