![Outlook Outlook](/uploads/1/2/5/6/125602309/306305638.png)
In another scenario, you use a laptop, tablet, or smartphone, and the device is stolen. With Less Secure Apps on (simple username/password authentication), the thief now has full access to your Gmail account. But with Less Secure Apps disabled, you can log into Google and revoke the token issued for that device.
I started seeing a lot of Gmail users asking for help because Outlook stopped syncing. It was perplexing until one client wanted me to fix it for him.
While I was looking at his computer, he told me Google sent him an email because someone tried to connect to his account, and the email included a list of steps to take to ensure the account was secure. He went through the steps and made the changes they suggested. One of the steps was to turn off the allow less secure apps option, which he did. (The 'someone' turned out to be himself while using a hotspot.) Other people said Google sent them an email recommending a security checkup or saying they were using less secure apps, and they took Google's advice to disable less secure apps. Unfortunately, when less secure apps are not allowed, Outlook can't connect to Gmail servers unless you also enable two-factor authorization, then use an app password in Outlook. (The app password is a one-time use password that can be voided if you suspect it is compromised, without affecting your “real” password.) My recommendation is to turn off less secure apps and enable two-factor auth.
In Gmail's implementation, you'll receive a code by text message to enter when the second authorization screen comes up. If you use an application, such as Outlook, that does not yet support the second authorization, you'll need to use an app password. To check or change your settings, sign in to Gmail then. If two-factor authentication is not enabled, the option to allow less secure apps is at the end of the page. If you enable two-factor authentication, you'll create new app passwords at.
Gmail allows you to revoke individual app passwords, which you can do by clicking the trash can icon to the right of the device name. In my experience with Gmail, their implementation of two-factor authorization is not annoying at all and retains the authorization. It doesn't request re-authorization often, which makes using an app password fairly painless. If you use public hotspots, you should enable two-factor.
If you choose to allow less secure apps, is it really insecure? No, it's just not as secure as using the newer OAuth protocol to log in. Less secure apps use plain username/password authentication to access an account instead of OAuth 2.0. The username and password should be transferred over a secure channel, but there may be points where a sniffer could pick them up.