Google no longer allows username and passwords on third-party email applications

A couple of weeks ago, people started noticing that apps such as Outlook, Thunderbird, and other email clients started prompting them for their Google passwords. When they would re-enter their Google password, it would get rejected saying it was incorrect.

Google started locking down its email service and how it connects to third-party email clients, finally retiring “less secure apps”. When enabled, it allowed you to use your main Google email address and password to sign into an email client, weakening the overall security of your Google account.

You can still use Google on third-party apps, but the app must support either “OAuth2” (An authentication method that opens a dialog box allowing you to authenticate by signing into Google and allowing the application access to your Google account), or you must use an app-specific password.

App-specific passwords are used in conjunction with two-factor authentication on your Google account.

Most applications do not know how to handle two-factor. Thus, giving you no way to enter an authentication code, so app-specific passwords were created.

This allows you to create a special password on a per-application basis. Once created, instead of giving an application such as Outlook your Google password you give it an “app-specific” password instead.

There are still people out there who have yet to enable two-factor (2FA) authentication on their Google accounts.

2FA greatly enhances the security of a Google account. This type of authentication is separated into 3 different groups:

• Something you know - A password.
• Something you have - A phone in your possession that gets a text message, a code generated by an authentication app, or a sign-in prompt.
• Something you are - Your fingerprint or face.

Without 2FA enabled, all you have is “something you know”, which could also be something an attacker knows, too. That is if you accidentally give out your credentials from a phishing email or they were obtained from a website breach.

Once 2FA is enabled, even if an attacker were to find out your password, they would be prompted by an authentication code that only you have in your possession.

You are probably thinking to yourself, “Well that sounds pretty cool. How do I turn that on?" I’m glad you asked.

• First, log into your Google account.
• Next, click your profile icon (circle) in the top right corner of the screen and click “Manage your Google Account”.
• Click “Security” on the left-hand side of the screen.
• On the right, scroll down until you see “2-Step Verification” and click it to start enabling two-factor authentication.

• In that same section, you will also see “Backup Codes”. Print a copy of these, as it gives you a sheet of 10 one-time use codes as a form of “Get out jail free” in case you lose access to your phone or authentication app.

• Once you are finished enabling 2FA and printing off a copy of your backup codes, go back to the security section of your Google account.
• You’ll see an option called “App password”. Click it and enter your Google password.

• Click “Select app”, and select an option from the drop-down menu. The same goes for “Select device”.
• Once finished, click “Generate” and it will give you a nice random-looking password. Copy it and paste (or type it) it into your email client.

Your email program should be able to send and receive emails again.

Google no longer allows username and passwords on third-party email applications