Google Workspace SMTP Authentication Update: App Passwords Now Required

This update is designed to prevent account breaches that often stem from compromised credentials reused across services. Previously, many SMTP-based apps connected using only a username and password—without any MFA, making them prime targets for attackers.

As Google phases out support for what it considers "less secure apps," all SMTP access must now conform to modern security standards that include multifactor authentication and app-specific credentials.

To keep your SMTP-based email delivery functional, follow these steps. You’ll need to complete actions both in the Google Workspace Admin Console and within the SMTP user account.

This must be done by the individual user account that will be sending email via SMTP.

1. Sign in at https://myaccount.google.com.
2. Navigate to Security > 2-Step Verification.
3. Click Get Started and follow the instructions to enable MFA using your mobile device or an authenticator app.
4. Once completed, your account will require an additional verification step during logins—but more importantly, you can now generate App Passwords.

For more on enabling 2FA, refer to Google's documentation: Turn on 2-Step Verification.

After enabling 2FA, you can generate a password for use in apps that don’t support standard MFA logins (like SMTP clients).

1. While logged into the account, return to https://myaccount.google.com.
2. Under Security, look for the App Passwords section (it will only appear once MFA is active).
3. Select the app type (“Mail”) and choose the device (“Other,” then label it something like “CRM SMTP”).
4. Click Generate. Google will display a 16-character password, such as abcd efgh ijkl mnop.
5. Important: Although the password is displayed with spaces for readability, you can omit the spaces when entering it into your SMTP application's password field. Both formats work, but most apps prefer it as a single 16-character string: abcdefghijklmnop

You can learn more here: Sign in using App Passwords.

An administrator must allow the use of app passwords within your Google Workspace organization.

1. Go to the Admin console at https://admin.google.com.
2. Navigate to:
   Security > Authentication > 2-Step Verification
3. Confirm:
4. 2-Step Verification is ON for the appropriate organizational unit (OU).
5. Allow users to generate app passwords is ENABLED.
6. Save your settings if changes were made.

More details can be found here: Google Admin Help – Enforce 2-Step Verification.

These settings remain the same, but now require the App Password:

• SMTP Server: smtp.gmail.com
• Port: 587 (TLS) or 465 (SSL)
• Authentication Required: Yes
• Username: Full Gmail address (e.g., user@yourdomain.com)
• Password: App Password (no spaces needed)
  

If your application continues trying to authenticate using a standard password, it will be rejected with an authentication error. This could result in failures of contact forms, alerts from monitoring tools, or unscanned documents not being sent from office equipment.

While this update may require a few extra steps, it ultimately improves security for your business. Google’s move is part of a broader industry trend to eliminate insecure authentication practices and better protect user data from phishing, brute force, and other credential-based attacks.

If your organization needs assistance making these changes or auditing your current email authentication methods, don’t hesitate to reach out to us.

Contact GRH Consulting at support@grhconsulting.com for professional configuration and support.