Trends in Overseas Email Security Protection

Kaamel Lab

In the internet age, as people's awareness of personal information security continues to grow, countries are implementing stricter privacy regulations. Email is an important means of communication, and securing the information it carries is increasingly necessary. Recent, frequent incidents of email information leaks have made email security a focal point of concern for many users. To cope with escalating cybersecurity threats and avoid potential penalties under privacy regulations, major service providers have been strengthening their email security measures.
This article will analyze the recent security measures implemented by Google and Microsoft to explore the development trends in overseas email security protection.

Google's Security Measures

Google is tightening its management of "Less Secure Apps" (LSA) and preparing to raise authentication standards for Gmail accounts. From April 1, all senders who send bulk emails to Gmail accounts need to meet specific authentication requirements, or their emails will be rejected. According to information published on Google Support, from September 30, 2024, Google will no longer support third-party apps and devices that use only a username and password (traditional authentication method) to access Gmail, Calendar, and Contacts accounts. After September 30, any application attempting to access a user's Google account (such as retrieving Gmail or contact information) with only a username and password will result in an error. Google stated that these errors will generally appear as "invalid username," "invalid password," or "unable to login."
Google has already removed the LSA settings from the Google Workspace Admin Console, but users who could access LSAs before June 15 can continue to use them until September 30. After September 30, users who logged in to their email through LSAs will need to remove their Google accounts, then re-add them and log in using the "Sign in with Google" option, which is more secure than the traditional authentication method. Additionally, since Google Sync does not support OAuth authentication, two-factor authentication (2FA), or security keys, Google considers that using Google Sync reduces data security. It has decided to disable Google Sync for emails and recommends that users transition to more secure alternatives as soon as possible.

Microsoft's Security Measures

On June 12, in an official Microsoft blog, David Los, an employee responsible for the Microsoft Tech Community, confirmed that Microsoft would implement a series of measures to enhance the security of Outlook users. Specifically, Microsoft has introduced three new security measures: no longer supporting personal Outlook logins that use only a username and password (traditional authentication method), disabling the lightweight version of the Outlook Web App, and ending support for the Mail and Calendar apps. From June 30, 2024, Outlook web users will no longer be able to access their Gmail accounts through Outlook. Users who want to continue using Outlook to access Gmail will need to use the Outlook app for Android/iOS or Windows/Mac. The lightweight version of the Outlook Web App will be disabled on August 19, and the traditional authentication method for personal Outlook email accounts will be disabled on September 16. From then on, all users with Microsoft email accounts must log in to their Outlook email with a mail app or website that supports modern authentication, such as the latest version of Outlook, Apple Mail, or Thunderbird.
Microsoft's reason for these measures is the same as Google's: to enhance user data security. David Los said: "We require all Outlook customers to adopt modern authentication methods to better protect the security of their personal accounts." The so-called "modern authentication" methods include OAuth (Open Authorization), two-factor authentication (2FA), and other authentication methods that are more secure than traditional methods. Microsoft recommends that users download the Outlook app for Android/iOS or Windows/Mac.
Although these measures inconvenience many users, Microsoft stated that its intention is good: to protect users' account security. Leaked email information is often used in attacks, and modern authentication methods can significantly reduce this risk. Therefore, any measures that enhance account security are welcome.

Insights

The measures by Google and Microsoft indicate that, with the full implementation of global data privacy regulations (such as GDPR, CCPA, etc.) and the increasing attention to personal data security, email service providers are adopting forward-looking strategies to meet compliance requirements. In terms of technical measures, strengthening authentication security has become the main trend. Major email service providers are promoting modern authentication technologies (such as OAuth and two-factor authentication) to enhance the overall security of user accounts, and OAuth (Open Authorization) and two-factor authentication (2FA) have become mainstream.
OAuth allows users to authorize third-party applications to access their account information without exposing passwords, significantly reducing the risk of credential theft. Two-factor authentication adds an extra verification step (such as SMS codes or app-generated codes), further enhancing account security. Even if a password is leaked, attackers would find it challenging to gain full access.
The implementation of these security measures will significantly improve the security of Gmail and other Google and Microsoft services, reducing the risk of malicious emails and unauthorized access. However, this also poses new challenges for applications that rely on traditional authentication methods. Developers need to update their applications to support modern authentication methods and ensure their users can transition smoothly to new systems. Users need to understand and adapt to new login processes to ensure their account security.
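For a mail client, the migration described above means replacing the IMAP `LOGIN user password` command with a token-based SASL exchange. The following is an added example, not code from the article or from Google or Microsoft, using SASL XOAUTH2, the mechanism Gmail accepts for OAuth-based IMAP login; the host, the sample address and the token are assumptions, and the access token is presumed to come from the provider's OAuth consent flow.

```python
import base64
import imaplib
import json
import ssl

def xoauth2_response(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 client response; the account password never appears."""
    for value in (user, access_token):
        # 0x01 separates fields, so control characters could inject extra ones.
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError("empty value or control character in XOAUTH2 field")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def decode_error_challenge(wire: bytes) -> dict:
    """Decode the base64 JSON a server sends when it rejects the token."""
    return json.loads(base64.b64decode(wire, validate=True))

def open_mailbox(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Log in over IMAP with a bearer token instead of LOGIN user/password."""
    rejected = []

    def authobject(challenge: bytes) -> bytes:
        if challenge:  # imaplib has already base64-decoded the error text
            rejected.append(challenge.decode(errors="replace"))
            return b""  # an empty reply lets the server finish with NO
        return xoauth2_response(user, access_token)

    # Pass a verifying TLS context explicitly instead of relying on defaults.
    conn = imaplib.IMAP4_SSL(host, ssl_context=ssl.create_default_context())
    try:
        conn.authenticate("XOAUTH2", authobject)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise PermissionError(f"token rejected: {rejected or exc}") from exc
    return conn

if __name__ == "__main__":
    # Constructed sample values; no network connection is made here.
    raw = xoauth2_response("user@example.com", "SAMPLE-ACCESS-TOKEN")
    print(base64.b64encode(raw).decode())
    sample = base64.b64encode(b'{"status":"401","schemes":"bearer"}')
    print(decode_error_challenge(sample))
```

Because the token is scoped and short-lived, a leaked token exposes less than a leaked password, and revoking it does not require a password change.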
Although these changes may increase the burden on developers and users in the short term, in the long run, these improvements will help build a more secure internet environment. As user awareness of personal data security continues to increase, these forward-looking strategies of email service providers not only meet compliance requirements but also enhance user trust in their services, further consolidating their market position.

Kaamel's Response

Kaamel is always at the forefront of privacy protection, and we firmly believe in helping businesses identify and address privacy compliance risks through technology-driven methods. The innovative Kaamel AI detection engine relies on mainstream regulations and regulatory cases to help businesses quickly and comprehensively identify their privacy compliance risks. Kaamel also provides comprehensive privacy compliance solutions to help companies effectively respond to regulatory and user demands in their overseas business operations, reducing privacy risks and compliance hazards, and building privacy trust in the international market.