Google Less Secure Apps (LSAs) deprecation FAQ

Google has announced the deprecation of Less Secure Apps (LSAs), which connect to Google Workspace using a username and password. Review this FAQ for details, as this deprecation might affect you if you use Automation 360 to automate Gmail using the Email and Email Trigger packages with Basic authentication.

What is Google Less Secure Apps (LSA) deprecation?
Starting September 30, 2024, third-party applications that use a username and password to access Google accounts and Google Sync will no longer be supported.
Why this change?
Signing in to Google using LSA is not secure because it requires users to share their credentials with third-party applications, which can expose the account to unauthorized access.
When will this change occur?
Google will turn off access to LSA in two stages:
  1. Starting June 15, 2024, the LSA setting will be removed from the Google Admin console, and users for whom LSA is disabled cannot access Gmail, Calendar, and Contacts using a third-party app with a password only. The IMAP enable/disable setting will also be removed from users’ Gmail settings. However, users who still have LSA access can continue to use it until September 30, 2024.
  2. Starting September 30, 2024, access to LSA will be turned off for all Google Workspace accounts.
What is Google’s recommendation to deal with this deprecation?
Google recommends that customers use an app that supports the Sign in with Google option (OAuth-based authentication), which is safe and secure and follows best practices for the OAuth mode of authentication.

See Google Less Secure Apps (LSA) deprecation.

How will this deprecation impact Automation 360 customers?
If you are using Basic authentication to automate Gmail, the connection to your Google Workspace account will fail after this deprecation, therefore impacting your automation.
The Email package in the latest Automation 360 v.32 release gives you the option to switch from Basic authentication to OAuth2 - Authorization code with PKCE.
Note: OAuth2 - Authorization code with PKCE is an attended flow because it requires login consent from the user.

If you are using the Email Trigger package, we provide the OAuth2-Client Credential option. However, it does not support Gmail, and therefore, you will be affected by this deprecation.

Which feature will be provided in Automation 360 to mitigate the risk of the Less Secure Apps deprecation?
In the Automation 360 v.33 release, the Email and Email Trigger packages will be enhanced with a new Control Room managed OAuth2 mode of authentication that you can use to automate Gmail. This authentication mode is secure and uses the centralized access token management from the Control Room.
What is the guidance for Automation 360 customers to switch from Basic authentication to Control Room managed OAuth2 authentication mode?
We will provide a bot scanner utility to help you scan and identify the impacted automations that use the Email package or Email Trigger package with Basic authentication to automate Gmail.

The scanner then generates a detailed CSV report that lists the number of automations that can be updated, along with review messages. This report helps you estimate the effort required to switch from Basic authentication to the Control Room managed OAuth2 mode of authentication.

See Scan automations that use Email action for Gmail with Basic authentication.

What changes do Automation 360 customers have to make to their automations to maintain business continuity of their Gmail automation after the deprecation?
  • The Control Room administrator will first set up an OAuth connection for Google Workspace in the Control Room.

    See Create OAuth connection.

  • Professional developers can then update the impacted automations that use Basic authentication in the Connect, Forward, Reply, Reply all, and Send actions of the Email package and in Email Trigger to use the Control Room managed OAuth2 mode of authentication.
Do you have any workaround for customers if their IT team has disabled Basic authentication for Gmail?
If you are using the Email package, you can use the OAuth2-Authorization code with PKCE option to connect to Gmail in attended mode.

However, Email Trigger does not support OAuth2-Authorization code with PKCE, and no workaround is currently available. In this scenario, you can wait for the new Control Room managed OAuth2 mode of authentication to be released in Automation 360 v.33.

Alternatively, you can ask your IT team for a few months’ extension since the EOL for Basic authentication from Google is September 30, 2024.

Will this EOL impact A360 customers automating Google Calendar, Drive, and Sheets apps?
No, it will not impact automations for Google Calendar, Drive, and Sheets apps. Starting with Automation 360 v.31, we have enhanced the respective packages to support Control Room managed OAuth2 authentication, which uses the Authorization Code and Authorization Code with PKCE flows for authentication.

See Connect action for Google packages.