A 3-minute video about Gmail's Allow Less Secure Apps setting. The video shows the toggle as it existed in early 2022. Important: Google removed this setting on May 30, 2022 (personal accounts) and by May 1, 2025 (Google Workspace). This page explains the timeline and gives you the modern replacement.
Video Transcript
Hello and welcome. This video originally showed how to enable Allow Less Secure Apps in your Gmail account. Important update: Google removed the Less Secure Apps setting from personal Gmail accounts on May 30, 2022, and from Google Workspace accounts in early 2025. The toggle no longer exists in your account settings, no matter what older tutorials show.
The reason Google removed it: signing in to third-party apps with just your Gmail username and password is dangerous. If a hacker steals your password, they get full access to your account. Modern auth methods like OAuth and App Passwords are far safer.
To connect Gmail to a third-party app today, you have two options. Option one, the recommended path: use an App Password. Turn on two-factor authentication on your Google account. Open your Google Account at myaccount.google.com. Go to Security. Find App passwords. Generate a 16-character app password and paste it into your email client instead of your regular Gmail password.
Option two, for modern email clients: use OAuth, which signs you in via a Google login window without your password ever touching the third-party app. Most modern email clients including Outlook, Thunderbird, and Apple Mail support OAuth automatically when you add a Gmail account.
Both options work better and more securely than the old Less Secure Apps approach. The Less Secure Apps page is gone and is not coming back. Thanks for watching.
What Was Less Secure Apps?
Less Secure Apps (LSA) was a Google account toggle, located at myaccount.google.com/lesssecureapps, that let third-party email clients and other apps sign in to your Gmail using only your username and password. It existed because old IMAP, POP3, SMTP and CalDAV clients were built before modern token-based authentication was standardised, and they could not handle anything more sophisticated than "send credentials, get inbox". With LSA off (the default), Gmail rejected those clients entirely. With LSA on, Gmail accepted them but flagged the connection as a security risk.
The setting was always controversial inside Google because it created a permanent backdoor into accounts. In April 2020, Google announced LSA would be phased out. Google's official announcement made it clear: the feature was being removed because "less secure apps can make it easier for hackers to get in to your account". The official replacement was OAuth 2.0 for new clients and App Passwords for legacy clients that genuinely could not be updated.
The Removal Timeline (Confirmed Dates)
The removal happened in stages over three years. These dates are from Google's official Workspace Updates blog and the Google Workspace Admin Help.
| Date | What changed |
|---|---|
| April 2020 | Google publicly announces Less Secure Apps will be deprecated. Recommended migration path documented. |
| May 30, 2022 | Personal Gmail accounts (gmail.com): Less Secure Apps toggle removed entirely. Existing connections stopped working. Users were forced to switch to App Passwords or OAuth. |
| September 2022 | Final cutoff for personal Gmail. Any third-party app using basic auth on a gmail.com address was permanently blocked. |
| September 2023 | Google announces the same removal will roll out to Google Workspace customers in 2024. |
| September 30, 2024 | Original deadline for Workspace LSA removal. Postponed on October 15, 2024, to allow more time for enterprise migration. |
| January 2025 | Workspace deprecation rollout resumes. New Workspace users can no longer connect via LSA. |
| March 14, 2025 | OAuth becomes mandatory for all Workspace third-party app access. Google Sync also sunsetted on this date. |
| May 1, 2025 | Google Workspace: Less Secure Apps fully disabled. CalDAV, CardDAV, IMAP, SMTP and POP no longer work with basic password auth on any Workspace account. |
| 2026 (current) | The Less Secure Apps page redirects to a help article. The toggle does not exist in any Google account, anywhere. |
The Modern Replacement: App Passwords or OAuth
Whichever email client or third-party app you wanted Less Secure Apps for, the modern path is one of these two. Pick based on which your client supports.
| Method | When to use it |
|---|---|
| App Password (recommended for legacy clients) | 16-character code generated from your Google Account. Paste into the email client where it asks for your Gmail password. Required for clients that only support basic IMAP/SMTP auth: older Outlook versions, scripts, scanners, embedded devices, custom CRMs that send email. |
| OAuth (Sign in with Google) | Modern token-based flow. The email client opens a Google login window in your browser, you sign in normally, the client gets a temporary access token. Your password never touches the third-party app. Required for all Workspace accounts as of May 2025. Supported by Outlook 2024, Thunderbird 115+, Apple Mail (macOS Catalina+), iPhone Mail (iOS 13+), Samsung Email and most modern clients. |
5 Steps to Connect Gmail Today (Modern Replacement)
- Confirm Less Secure Apps is gone. Open myaccount.google.com and look in Security. The old "Less secure app access" section is genuinely missing for everyone now. Older blog posts, YouTube tutorials and even some printed manuals still reference it because they were written before the removal. Do not waste time hunting for a toggle that no longer exists.
- Turn on 2-Step Verification if you have not already. Visit myaccount.google.com > Security > 2-Step Verification. Follow the prompts to add a phone number, authenticator app or hardware key. 2FA is required before App Passwords becomes visible as an option.
- Generate an App Password directly at myaccount.google.com/apppasswords. Type a clear name describing where you will use it ("Outlook on Office Laptop", "iPhone Mail at Home"). Click Create. Google shows a 16-character code in a small dialog. Copy this immediately; you cannot see it again later. If you lose it, generate a new one and revoke the old one.
- Paste the App Password into your email client wherever it asks for your Gmail password. Server settings stay the same: imap.gmail.com port 993 SSL incoming, smtp.gmail.com port 465 SSL or 587 TLS outgoing. Username is your full email address. Test by sending yourself an email. We have a complete walkthrough of this in our Gmail App Password tutorial.
- OR use OAuth if your client supports it (modern Outlook, Thunderbird 115+, Apple Mail, iPhone Mail, Samsung Email). When adding a Gmail account, pick "Sign in with Google" or "Add Google account" rather than typing a password. A browser window opens, you sign in to Google normally, and you grant the client access. No password is ever stored in the app. This is the safer path and Google's preferred method.
Common Confusions and Fixes
| Symptom | Cause and fix |
|---|---|
| "I cannot find Less Secure Apps in my Google Account" | Correct, it does not exist anymore. Google removed it. Stop searching. Generate an App Password instead at myaccount.google.com/apppasswords. |
| "App Passwords also missing" | You have not enabled 2-Step Verification yet. App Passwords only appears after 2FA is on. Enable 2FA first, then refresh the security page. |
| "Old YouTube tutorial says click here, button missing" | The tutorial was made before May 2022 and is now outdated. Put it down to the age of the page. The button it references was removed by Google. Use the modern flow on this page instead. |
| "Workspace admin says Less Secure Apps disabled" | As of May 2025 this is enforced at the platform level. Even if your admin wanted to enable it, they cannot. The setting is gone from the Workspace Admin Console. OAuth is the only path forward. |
| "My old script that sends Gmail SMTP stopped working" | Your script was using basic auth. Generate an App Password and substitute that for the password variable in the script. Most existing SMTP libraries (PHPMailer, Nodemailer, Python smtplib) accept App Passwords with no code changes. |
| "Outlook 2016 keeps prompting for password" | Outlook 2016 has limited OAuth support and may not work with current Gmail. Generate an App Password for it. If it still fails, upgrade to Outlook 2021 or Outlook 365 which have proper OAuth. |
| "I forgot the App Password I made" | App Passwords are shown only once. Go to myaccount.google.com/apppasswords, find the entry by name, click the trash icon to revoke it, then generate a new one. Update your client with the new code. |
| "Workspace account does not show App Passwords link" | Your administrator has disabled App Passwords as a security policy. Contact IT and ask them to enable App Passwords from the Workspace Admin Console > Security > Less Secure Apps (yes, the admin policy still has this name even though the user-facing toggle is gone) or to set you up with OAuth. |
Why the Removal Was Good for Security
The deprecation was unpopular at the time because it broke a lot of existing workflows. Three years on, the security argument has been validated. Account takeover attacks where leaked Gmail passwords were used to silently configure IMAP forwarders to attacker-controlled servers were one of the most common compromises in 2018-2021. With Less Secure Apps gone, the same leaked password can no longer be used directly: the attacker needs your second factor or a hijacked OAuth token, both of which are dramatically harder to obtain at scale.
App Passwords also limit the blast radius of any single leak. If your "Outlook on Office Laptop" app password is leaked or your laptop is stolen, you revoke that one specific 16-character code and only that connection breaks. Your other 5 app passwords keep working, your main Gmail password is unchanged, your 2FA stays in place. Compare to the old LSA model where the leaked credential WAS your main password, and revoking it meant changing your password and re-authenticating every device.
Common Apps and Their Current Status
| App or service | Modern auth status (April 2026) |
|---|---|
| Microsoft Outlook 2024 / 365 | Full OAuth support. Sign in with Google works directly. No App Password needed. |
| Microsoft Outlook 2019, 2021 | Partial OAuth. Often falls back to App Password. Generate an App Password if Outlook keeps prompting. |
| Microsoft Outlook 2016 and earlier | No OAuth. App Password required. Consider upgrading. |
| Mozilla Thunderbird 115 ESR and later | Full OAuth. Add account using Google sign-in flow. |
| Mozilla Thunderbird 102 and earlier | OAuth in some versions. App Password as fallback. |
| Apple Mail (macOS Catalina 10.15+) | Full OAuth via System Settings > Internet Accounts > Google. |
| Apple Mail (macOS Mojave or older) | App Password required. Apple no longer updates Mail on these versions. |
| iPhone Mail (iOS 13+) | Full OAuth. Settings > Mail > Add Account > Google. |
| Android Gmail app | Uses Google's own protocol, never used IMAP. Unaffected by the change. |
| Samsung Email | OAuth supported. Add account via the standard Google sign-in. |
| Mailbird, eM Client, Postbox | OAuth supported. Use Add Gmail Account flow. |
| WordPress SMTP plugins (WP Mail SMTP etc.) | App Password recommended. Some plugins now support OAuth via Google Cloud Console. |
| Custom Python smtplib / PHPMailer scripts | App Password works directly with no code changes. Substitute for the password variable. |
| Old multi-function printers / scan-to-email | App Password required. Most printers cannot do OAuth. |
| CRM systems with built-in email (Zoho CRM etc.) | OAuth via Google API integration. App Password as fallback for older CRM versions. |
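For the "Custom Python smtplib / PHPMailer scripts" row above and the stopped-script fix under Common Confusions, here is an added example (not code from this page or from Google) of a Python smtplib sender that reads the App Password from the environment and verifies TLS on port 465 or 587, plus the SASL XOAUTH2 string an OAuth client sends in place of a password. The environment variable names GMAIL_ADDRESS and GMAIL_APP_PASSWORD and all function names are assumptions, and obtaining the OAuth access token is outside the example.

```python
import base64
import os
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.gmail.com"  # outgoing server named on this page
IMPLICIT_TLS_PORT = 465       # "465 SSL"
STARTTLS_PORT = 587           # "587 TLS"


def load_app_password(env_var="GMAIL_APP_PASSWORD"):
    """Read the code from the environment (hypothetical variable name), not the source.

    Whitespace is stripped on the assumption that the code was copied in
    space-separated groups; anything that is not 16 characters is rejected.
    """
    code = "".join(os.environ.get(env_var, "").split())
    if len(code) != 16:
        raise ValueError(f"{env_var} must hold a 16-character App Password")
    return code


def xoauth2_initial_response(user, access_token):
    """OAuth path: the SASL XOAUTH2 string carries a token, never the password."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_mail(msg, user, app_password, port=IMPLICIT_TLS_PORT):
    """Send msg via Gmail SMTP; the default context verifies cert and hostname."""
    ctx = ssl.create_default_context()
    if port == IMPLICIT_TLS_PORT:
        server = smtplib.SMTP_SSL(SMTP_HOST, port, context=ctx, timeout=30)
    else:
        server = smtplib.SMTP(SMTP_HOST, port, timeout=30)
        server.starttls(context=ctx)  # upgrade before any credential is sent
    with server:
        server.login(user, app_password)
        server.send_message(msg)


if __name__ == "__main__" and "GMAIL_ADDRESS" in os.environ:
    me = os.environ["GMAIL_ADDRESS"]  # hypothetical variable: full email address
    send_mail(build_message(me, me, "App Password test", "It works."), me, load_app_password())
```

Keeping the code in an environment variable or a secrets store means revoking and replacing a leaked App Password needs no change to the script itself.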
💡 Pro tips for the modern Gmail third-party setup
- Prefer OAuth over App Passwords when both are available. OAuth is the better path, App Passwords exist mainly to support legacy software that cannot speak OAuth.
- One App Password per device or app. If your phone is stolen, revoke just that App Password. The others keep working. Never reuse the same App Password across multiple apps.
- Name your App Passwords descriptively. "Outlook Home Laptop", "iPhone 13 Mail", "WordPress Mailer". Six months later you will not remember which is which.
- Audit your App Passwords every quarter. Open myaccount.google.com/apppasswords and revoke any whose device you no longer use. A laptop sold to a friend with an active App Password is a real security gap.
- Do not paste App Passwords into untrusted apps. The 16-character code is essentially a password. Treat it accordingly.
- For Workspace accounts, talk to your admin. Some organisations disable App Passwords as policy, leaving OAuth as the only option. Your admin can confirm what is allowed.
- If an old tutorial confuses you, check the date. Anything written before June 2022 about Gmail third-party access is potentially outdated. Anything from 2024 or later is reliable.
- Companion guides: our Gmail app password walkthrough covers the App Password generation in detail, and our Gmail IMAP enable guide covers the IMAP toggle (which still exists for personal Gmail).
Frequently Asked Questions
Can I still enable Less Secure Apps in Gmail in 2026?
No. Google removed the Less Secure Apps setting from personal Gmail accounts on May 30, 2022 and from Google Workspace by May 1, 2025. The toggle no longer exists in your account settings, no matter what older tutorials show. The replacements are App Passwords (for clients that need IMAP/SMTP basic auth) and OAuth (for modern clients that support Sign in with Google).
Why did Google remove Less Secure Apps?
Google said the setting let third-party apps connect using your real Gmail password, which meant a leak of that one password gave full account access. App Passwords and OAuth both avoid this: App Passwords are 16-character codes specific to one app and revocable per-app, OAuth uses temporary tokens that never expose your password. Removing Less Secure Apps closed off a common attack path used in account takeovers.
Does this affect Outlook, Thunderbird and Apple Mail?
Modern versions of all three support OAuth and work fine with Gmail when you add the account using Sign in with Google. Older versions (Outlook 2019 and earlier on Windows, very old Thunderbird, Apple Mail on Mojave and earlier) may not support OAuth and need an App Password. If your client refuses to authenticate, generate an App Password from your Google Account.
What about my Gmail account in iPhone Mail or Samsung Email?
iPhone Mail and Samsung Email both use OAuth automatically when you add a Gmail account. You sign in via the standard Google login flow. There is no Less Secure Apps step needed and no App Password needed. If iPhone Mail prompts for your password instead of opening a Google sign-in page, your iOS version is too old. Update iOS or remove and re-add the account.
How do I generate an App Password for Gmail?
Turn on 2-Step Verification first. Then go to myaccount.google.com/apppasswords directly. Type a description of the app (such as "Outlook Laptop"). Click Create. Google shows a 16-character code once. Copy it and paste into your email client where it asks for the Gmail password. Each app should get its own password so you can revoke individually if a device is lost. We have a complete walkthrough of Gmail app password generation.
Is my old YouTube tutorial wrong now?
If it was made before May 2022 and shows the Less Secure Apps toggle, then yes, the procedure no longer works. The toggle does not exist on any Google account anymore. The video can still be useful for understanding the historical context, but anyone trying to follow along today will hit a dead end. Use App Passwords or OAuth instead.