how to allow less secure apps in gmail
You can’t truly “allow less secure apps in Gmail” anymore for regular accounts, but you can still connect older apps and SMTP clients using safer alternatives like App Passwords and OAuth.
Below is a clear, up‑to‑date guide plus what’s changed and what still works.
How to Allow Less Secure Apps in Gmail (2026 Reality Check)
1. Key Change: “Allow less secure apps” Is Gone
- Google has removed the old “Allow less secure apps” toggle from standard Google accounts; you can no longer simply flip that setting on.
- Less secure apps were ones that only asked for your Gmail username and password, without modern security like OAuth or multi-factor authentication, which made accounts easier to hijack.
- Google has been phasing this out for Workspace (business/education) accounts too, with less secure app access disabled or being fully retired.
In other words, the legacy switch is effectively dead for most people, and the supported path now is: 2‑Step Verification + App Password or an OAuth‑based compatible app.
2. Modern Way: Use an App Password (Recommended Workaround)
App Passwords let you connect “old” apps (printers, legacy SMTP, classic email clients) without turning your whole account into a security risk.
Step 1: Turn on 2‑Step Verification
- Go to your Google Account page (myaccount.google.com) and sign in.
- Open the Security section.
- Under How you sign in to Google , click 2‑Step Verification.
- Follow the prompts to add a second factor (phone prompt, SMS, or authenticator app).
You must have 2‑Step Verification enabled before Google will let you create App Passwords.
Step 2: Create an App Password
- Still under Security , scroll again to How you sign in to Google and click 2‑Step Verification , then go to the bottom and click App passwords.
- Google may ask you to re-enter your password.
- Choose the app and device (or select “Other” and type something descriptive like “Old Outlook on PC” or “Website SMTP”).
- Click Create ; Google shows a 16-character password.
- Copy this code and paste it into your app/client instead of your normal Gmail password.
Example: In an old email client or in your website’s SMTP settings, your username is still your full Gmail address, but the password is now this special 16‑character app password.
You can generate multiple app passwords and revoke individual ones later if a device or app is compromised.
3. SMTP / IMAP / POP Settings to Use
Once you have an App Password, you use it with standard Gmail server settings. For most older apps:
- SMTP server:
smtp.gmail.com - Port: 465 (SSL) or 587 (TLS/STARTTLS)
- Username: full Gmail address
- Password: your 16‑character App Password (not your usual password)
For receiving email (if the client needs it):
- IMAP server:
imap.gmail.com, port 993 (SSL) - POP server:
pop.gmail.com, port 995 (SSL)
This lets you keep using legacy devices or scripts without ever re-enabling the dangerous global “less secure apps” switch.
4. If You Have Google Workspace (Admin‑Level Option)
In some Google Workspace domains, admins historically could still control less secure apps in the Admin console, though Google has been shutting this down on a defined schedule.
For admins who still see this control:
- Go to the Admin console (admin.google.com) and sign in as an administrator.
- Navigate to Security → Basic settings (exact labels can vary with console version).
- Under Less secure apps , there used to be options like:
- Enforce access to less secure apps for all users
- Allow users to manage their access
- Disable access
- Modern guidance is to disable less secure apps and use App Passwords or OAuth‑based apps instead.
Many organizations now have less secure apps completely off, so even admins cannot revert to the old risky toggle and must use the same App Password or OAuth approaches.
5. Better Alternatives to “Less Secure Apps”
Instead of fighting Google’s security model, you can often modernize the connection:
- Use a client that supports “Sign in with Google” or OAuth, which avoids passwords entirely and uses tokens.
- For websites and apps (like WordPress or custom code), use a Gmail API integration or a dedicated mailer library that talks to Google via API rather than raw SMTP with basic auth.
- If you’re sending transactional emails from a site, consider external providers (SendLayer, etc.) that support modern authentication and are built for application email.
These options reduce the risk of password theft and comply with Google’s current security posture.
6. Security Risks and When to Avoid This
Google removed the global “Allow less secure apps” setting precisely because it was a common entry point for attackers.
Risks include:
- Stolen credentials if the old app or device saves your password insecurely.
- Higher chance of account takeover if a hacked app or site stores your Gmail password in plaintext.
- Difficulty monitoring and revoking access once multiple “less secure” connections are active.
App Passwords are somewhat safer because each is scoped and revocable, but they still merit caution.
Use this approach only when:
- You truly need a legacy integration that can’t be upgraded.
- You protect your main account with 2‑Step Verification and keep an eye on Security activity.
7. Quick FAQ
Q: I saw a 2025 YouTube video that still shows “Allow less secure apps”
under Security—why don’t I see it?
A: That setting has been progressively removed; many newer accounts and
regions no longer show it at all. The current official way is 2‑Step
Verification plus an App Password, or OAuth‑compatible apps.
Q: Can I completely bypass 2‑Step Verification and still use Gmail SMTP with
user/pass?
A: For most accounts, no. Google’s direction is to require 2‑Step Verification
for external app access via App Passwords or to use OAuth. Simple
username/password basic auth is being removed or heavily restricted.
Q: Is there any scenario where the old less secure apps toggle still
works?
A: Some older guides and niche environments still show it, but Google has
clearly said it’s being shut down and is no longer the recommended or
supported path. Expect it to disappear everywhere.
TL;DR : You generally cannot re-enable the old “Allow less secure apps” in Gmail anymore; instead, enable 2‑Step Verification, create an App Password, and use that in your legacy app or SMTP client, or upgrade to an OAuth‑capable, more secure solution.
Information gathered from public forums or data available on the internet and portrayed here.