Email, Messaging, & Video Calls Email How to Unlock Gmail for a New Email Program or Service App passwords and 'less secure apps' security add a layer of protection By Heinz Tschabitscher Writer A former freelance contributor who has reviewed hundreds of email programs and services since 1997. our editorial process Heinz Tschabitscher Updated December 19, 2019 Email Gmail Yahoo! Mail Tweet Share Email Gmail insists that you avoid common security gaps that lead to compromised accounts. This secure-by-design approach prevents you from choosing less-protected approaches to email management that seem convenient but open your account to additional security holes. Google's Approach to App Security Google deems an app "less secure" if the app cannot be easily disconnected from your Google Account, cannot connect using an app-specific password, cannot be limited to what data it accesses from your account, and refuses to disclose the level of access the app requires when you connect to it. By default, apps that fail Google's criteria cannot connect to your Google Account, including to Gmail. You can, however, bypass this security setting with a configuration tweak within your Google Account. How to Allow Gmail Access for Less Secure Email Programs or Services To enable "less secure" email programs to access Gmail, if your account is not set to use multi-factor authentication: Click your photo, avatar or outline near Gmail's top right corner, then select Google Account. Select Sign-in & security. Make sure Allow less secure apps is On. If you have two-step authentication — what Google calls 2-Step Verification — enabled for your account, this setting is not available; you will have to create an app password for each application. How to Generate an App Password With multi-factor authentication activated, you'll need to confirm account activities like logins and account changes with both a username-and-password credential as well as either a code generated by an app or a text message, or a hardware token. With multi-factor authentication active, you cannot enable the "less secure access" feature, becuase that feature still uses your Google Account password. Instead, you'll need an app password, which is a single-use, revocable credential you'll use with a single program or service. To generate an app password: Visit Google's My Account control panel page in your favorite browser. Google Account From the left sidebar menu, select Security then scroll to the section labeled Signing in to Google. Select the App Passwords link. Re-authenticate to your Google Account, if you're prompted to do so. Review the app passwords you've already created. If an app no longer requires access to your Google Account, delete its specific password. Regular review of this screen helps to protect your account from unauthorized access, especially when you're connecting to a service rather than to a program on your desktop. Add a new password by using the Select App and Select Device drop-downs, then clicking Generate. Available apps include Mail, Calendar, Contacts, YouTube, and Other. When you select an app, you're describing for your own benefit what you're doing, so that if you generate a long list of app passwords and you need to revoke one, it'll be easier to find the relevant account. Available devices include iPhone, iPad, BlackBerry, Mac, Windows Phone, Windows Computer, and Other. If you select Other, you'll be prompted to free-text the app and device. Specifying an app and a device does not constrain the account access — a device using an app password still has full access to your Google Account. After you generate the app password, Google Account raises a pop-up window that offers a randomized 16-character password. Use that password, in addition to your email address, to authenticate to the app or service. Although the password appears in four groups of four letters, if you retype the password by hand, you will not include spaces. (When you copy it, you'll discover that there aren't any spaces embedded in the app password.) The app password displays in the pop-up box. When you dismiss the box, you cannot re-access that password. In other words — use it when the box is open, because when the box closes, the 16-character password is gone for good.