← All controls

33 Disable POP/IMAP / app-specific passwordsdraft

POP, IMAP and app-specific passwords predate 2SV and do not honour it. Since Google's less-secure-apps turndown (March 2025) the account password itself no longer works over POP/IMAP for third-party apps — the remaining password-only path through them is an app password. An app password in particular is a full-mailbox credential a user can mint for themselves, and it is the exact bypass used to defeat 2SV in the UNC6293 campaign. Closing these paths — together with the auto-forwarding and delegation settings that share this screen (№18) — is what makes 2SV enforcement actually binding.

Caveats

Setup steps

  1. open ↗ Apps › Google Workspace › Gmail › End User Access
    POP and IMAP access
    uncheck 'Enable POP access for all users' and 'Enable IMAP access for all users' (IMAP can instead be restricted to OAuth mail clients only)

    Turn POP & IMAP on or off for users ↗

  2. open ↗ Security › Authentication › 2-Step Verification
    Allow users to generate app passwords
    Do not allow
  3. Apps › Google Workspace › Gmail › End User Access

    Allow users to automatically forward email to another address = unchecked (mail delegation: №18)

    Let users automatically forward their own Gmail emails ↗

  4. Exception list
    documented, time-boxed, in a separate OU

    Transition from less secure apps to OAuth ↗ Route outgoing SMTP relay messages through Google ↗

Ongoing maintenance

How to verify

  1. App passwords are the loudest legacy hole — enumerate them tenant-wide; the list should be empty.

    gam all users print asps
  2. From a test account, try enabling IMAP in Gmail settings — the option should be absent or greyed out.

draftv0.1.4Prevent policy #27 · #8 ↗