Google Workspace no longer supports basic username-password login for email clients. To maintain secure and uninterrupted access to your business email, you must now authenticate using either OAuth 2.0 or an App Password.
This guide explains both methods in detail, when to use them, and how to configure them properly in supported email clients or devices.
📌 Table of Contents
-
🔍 What Changed in Google Workspace Authentication
-
⚖️ OAuth 2.0 vs App Passwords: Key Differences
-
🛠️ How to Use OAuth 2.0 in Email Clients
-
🔑 How to Generate and Use App Passwords
-
🧑💼 Admin Console: Enforcing Secure Access
-
🛠️ Troubleshooting Common Issues
-
📌 Conclusion & Best Practices
🔍 1. What Changed in Google Workspace Authentication
As of May 2025, Google Workspace permanently disabled Basic Authentication (username + password) in email clients that access Gmail via IMAP, POP, or SMTP.
✅ Required Now:
-
OAuth 2.0 (token-based login – most secure)
-
App Passwords (for legacy clients only, after enabling 2-Step Verification)
⚖️ 2. OAuth 2.0 vs App Passwords: Key Differences
| Feature | OAuth 2.0 | App Password |
|---|---|---|
| 🔐 Security | Highest – token-based | Secure, but tied to 2FA |
| 🧰 Usage | Modern apps (Outlook, Gmail, Apple Mail) | Legacy clients (Outlook 2013, iOS Mail manual) |
| 🔁 Expiration | Can be revoked anytime | Regenerated manually |
| 📲 2-Step Verification | Required | Required |
| 🔎 Visibility | View token access in Google account | View/delete in App Password settings |
🛠️ 3. How to Use OAuth 2.0 in Email Clients (Recommended)
✅ Supported Clients:
-
Microsoft Outlook 2016/2019/365
-
Apple Mail (via “Google” account option)
-
Thunderbird 78+
-
Gmail App on Android/iOS
-
Windows Mail / Windows 11 “New Outlook”
🔁 Steps:
-
Open your email client and add a new account.
-
Enter your Google Workspace email address.
-
The app opens a browser window prompting Google login.
-
Complete sign-in and approve access.
-
A token is generated and stored securely – you're done!
📌 No password is saved locally – this method uses encrypted, revocable tokens.
🔐 Google Workspace Settings Required for OAuth 2.0 Login
These settings must be configured by the Google Workspace Admin to allow OAuth-based access via email clients.
🧑💼 1. Enable IMAP in Gmail Settings (User-Level)
Each user must enable IMAP in their Gmail account:
-
Sign in to Gmail via browser.
-
Click the ⚙️ gear icon → See all settings.
-
Go to Forwarding and POP/IMAP tab.
-
Under IMAP Access, select ✅ Enable IMAP.
-
Click Save Changes.
🛠️ 2. Allow IMAP/POP in Admin Console (Organization-Level)
-
Go to: https://admin.google.com
-
Navigate:
Apps → Google Workspace → Gmail → User Settings -
Select your organizational unit (OU).
-
Scroll to End User Access.
-
✅ Ensure both IMAP access and SMTP access are enabled.
-
Click Save.
🔐 3. Allow OAuth Access to Trusted Email Clients
-
In Admin Console:
Security → Access and data control → API Controls -
Click Manage Third-Party App Access.
-
✅ Make sure the apps (e.g., Outlook, Thunderbird) are marked as trusted or allowed to access Gmail API via OAuth.
-
If needed, add the app by its OAuth client ID.
🔐 4. Enforce or Recommend 2-Step Verification
-
Go to: Security → 2-Step Verification
-
Ensure 2FA is either optional or enforced for users.
-
This is required for App Passwords and recommended for OAuth login security.
🧪 Optional: Review Login Activity Logs
To verify successful token-based logins:
-
Go to: Reports → Audit → Login
-
Filter by user to check OAuth login events and any failures
✅ Once all the above are in place, your users can:
-
Open their email client
-
Enter their Workspace email
-
Get redirected to a Google login window
-
Approve access
-
And start sending/receiving emails — no password stored locally
🔑 4. How to Generate and Use App Passwords (For Legacy Clients)
App Passwords are 16-digit codes used in place of your actual password, and only work if 2-Step Verification is enabled.
🔁 Steps to Enable and Generate:
-
🔐 Go to: https://myaccount.google.com
-
Click Security in the sidebar.
-
Under "Signing in to Google", click 2-Step Verification → Enable it.
-
Once enabled, go back to the Security page.
-
Click App Passwords.
-
Choose an app (e.g., Mail) and device (e.g., Windows PC).
-
Click Generate.
-
Copy the 16-digit password.
🛠️ Use It In:
-
Outlook 2013 / 2010
-
iOS Mail (manual config)
-
Thunderbird (older versions)
-
Scanners / third-party apps sending SMTP mail
🚫 Do NOT use your main Google password – it will be rejected.
🧑💼 5. Admin Console: Enforcing Secure Authentication
Admins can manage and enforce access policies via the Google Admin Console:
✅ Recommended Settings:
-
Apps → Google Workspace → Gmail → End User Access
➤ Enable IMAP & SMTP only for allowed clients -
Security → Access and data control → API controls
➤ Manage trusted OAuth apps -
Security → 2-Step Verification
➤ Enforce for all users (organizational units supported) -
Reports → Audit → Login Log
➤ Track login methods and failed auth attempts
🛠️ 6. Troubleshooting Common Issues
| Issue | Cause | Solution |
|---|---|---|
| "Incorrect password" error | Basic auth used | Switch to OAuth or App Password |
| Outlook login fails | 2FA not enabled | Enable 2-Step Verification |
| No browser popup for OAuth | Client version too old | Upgrade to a supported version |
| SMTP from app/device fails | Device doesn’t support OAuth | Use SMTP Relay or App Password |
📌 7. Conclusion & Best Practices
🔐 Using OAuth 2.0 and App Passwords ensures your Google Workspace email remains secure, reliable, and compliant with modern standards.
✅ Always:
-
Enable 2-Step Verification
-
Use OAuth wherever possible
-
Revoke unused tokens and App Passwords regularly
-
Monitor login logs in Admin Console
