
> In less than a month, many third-party apps (mail, calendar, etc.) will stop connecting to Workspace accounts.

For anyone else like myself who couldn't understand what was changing:

  Examples of apps that don’t support modern security standards include:
     Native mail, contacts, and calendar sync applications on older versions of iOS and OSX 
     Some computer mail clients, such as older versions of Microsoft Outlook
https://support.google.com/a/answer/6260879?hl=en

Although I'm still not understanding how these applications authenticate in the first place.



[Edit: Apparently incorrect, see below.]

These applications authenticate with username and password directly – meaning the mail client will have knowledge of the password for your Google account. This is the method of authentication that Google will now disable.

With OAuth authentication, instead of using a password, the application receives an authentication token, which is typically valid for a limited time.


Worth noting this is completely nonstandard, meaning Google has completed EEE. Standards-conforming clients are completely unable to interoperate with Google servers.


That's not entirely true -- Google has wanted you to generate an application-specific password for a long time.


Aha! So will they disable app passwords then…?


From the (less sensationalist) primary source linked in the article:

> If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.


Ah, got it. Like I thought then.


Probably - they already disabled them for Gmail.


What terrible communication from Google if even tech-savvy people can't understand what exactly is changing for them.


There's plenty enough stuff to blame Google for. I'm happy enough this time to blame my own lack of willingness to invest any more time, now that this feels certain that I'm unaffected :)

For anyone who needs to dig deeper, this so far seemed the most pointedly focused first-party documentation on the topic (though again, I'm not actively investigating it):

https://support.google.com/a/answer/14114704


Indeed. They should explicitly state either “App Passwords will no longer be accepted after <deadline>” or “App Passwords will still be accepted even after <deadline>” depending on which is true.


While Google is making the change and 100% responsible for the mess, the work to understand the impact and adapt to it lies with the application devs and users.

I don't think there's any reliable way Google can properly guide users to deal with apps they don't (and shouldn't) control. You and I would be properly horrified if Google could dictate how Outlook auth works and what exact steps will help the user transition, whatever the Outlook team decides to do on their own.

The most they can do will be to help the app developers to prepare for the change, and vaguely gesture at users about potentially impacted settings.



