Addsum web site and general info

Postings here will focus mainly on Advanced Accounting software updates, tips, and related topics. They will also include general comments relating to troubleshooting PC/Windows/network problems and may also include reference to our other software products and projects including any of our various utilities, or to the TAS Premier programming language. We considered setting up separate blogs for different topics so that users/others could subscribe to topics mostly aligned with their interests, but decided that it would be better to keep things simple since some topics cross over into others. We would nonetheless welcome your feedback/input in this regard. Our web site URL is www.addsuminc.com. Call us at 800-648-6258 or 801-277-9240. We also maintain www.advancedaccounting.us so that older Business Tools users in particular have a greater chance to find us.


Tuesday, March 31, 2026

Passwordless email delayed for now but OAuth2 is coming

Originally, SMTP AUTH basic authentication (see February 2017 GMAIL blog) was going to be phased out by Microsoft as early as March of 2026 (see this April 2024 Exchange Online blog). That has since been rescheduled for Dec 31, 2026 (January 2026 Exchange Online blog).

Microsoft 365 (formerly Office 365, which is Microsoft's cloud-based email, calendar, and contacts service) uses Exchange Online.

Microsoft 365 will still allow app-specific passwords (see our February 2017 blog referenced above, which discusses app-specific passwords in the context of using GMAIL) as long as multi-factor authentication (MFA) is enabled. The intention, however, is to ultimately eliminate that option.

So what is behind this change? OAuth: an abbreviation of "open authorization" that provides a way to authorize permissions between applications. Essentially, it eliminates the use of passwords and is therefore considered to be more secure. (More information: What is Oauth?)

OAuth has been in use since late 2006, starting with its development for Twitter's API, with the first public version (OAuth 1.0) released in December of 2007, followed by the now more common OAuth 2.0 in 2012, which significantly expanded its use for apps and devices beyond web browsers. OAuth 2.0 is a redesign of OAuth 1.0, which was designed for websites. OAuth 2.0 is also referred to as OAuth2 (there is also an OAuth 2.1 on the horizon which is a different product).

Google Workspace apps, including GMAIL, have required OAuth2 since March of 2025 but, as noted, also still allow app-specific passwords as the only allowed password method for sending emails.

The most popular email providers currently are GMAIL, MS Outlook (formerly Hotmail and including Office 365, now Microsoft 365) and Yahoo. These providers have been implementing OAuth2 on different schedules.

Yahoo, for example, hasn't announced a specific date regarding the elimination of app passwords but may no longer be using them for new accounts. Instead, they are pushing users towards newer, more secure methods such as account key (passwordless sign-in) for their own apps, while app passwords remain necessary for many older third-party email clients that don't support newer security methods. Some reports suggest that Yahoo removed them for new accounts but still supports them for legacy users. App password generation may become available for individual new accounts after a period of regular use.

Local IT providers will likely follow suit but may continue to offer traditional SMTP (Simple Mail Transfer Protocol) services.

Note that you do not choose between SMTP and OAuth 2.0; you use OAuth 2.0 for authentication within the SMTP connection for secure email delivery, especially as providers phase out older, less secure methods. 
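To make the point above concrete, here is an added example (not code from this blog or from Advanced Accounting) comparing the payload sent by basic SMTP AUTH PLAIN with the SASL XOAUTH2 payload that Gmail and Microsoft 365 accept for OAuth2 within SMTP. It assumes an access token has already been obtained from the provider's OAuth2 flow; all function names, the mailbox and the token are hypothetical, constructed values.

```python
import base64
import smtplib
import ssl

def auth_plain_blob(user: str, password: str) -> str:
    """Basic auth (AUTH PLAIN): the reusable account password is what gets sent."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode("ascii")

def xoauth2_raw(user: str, access_token: str) -> str:
    """SASL XOAUTH2 payload: a short-lived bearer token takes the password's place."""
    if any(c in user + access_token for c in "\x01\r\n"):
        raise ValueError("control characters are not allowed in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"

def xoauth2_blob(user: str, access_token: str) -> str:
    """Base64 form, as it appears after 'AUTH XOAUTH2 ' on the wire."""
    return base64.b64encode(xoauth2_raw(user, access_token).encode()).decode("ascii")

def parse_xoauth2_blob(blob: str) -> dict:
    """Decode a captured XOAUTH2 blob, e.g. when reviewing an SMTP debug trace."""
    parts = base64.b64decode(blob, validate=True).decode().split("\x01")
    fields = dict(p.split("=", 1) for p in parts if p)
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme != "Bearer" or not token or "user" not in fields:
        raise ValueError("not a well-formed XOAUTH2 response")
    return {"user": fields["user"], "token": token}

def send_with_oauth2(host, port, user, access_token, message):
    """Ordinary SMTP submission; only the AUTH step differs from basic auth."""
    raw = xoauth2_raw(user, access_token)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        # Verify the server certificate so the token is never sent to an impostor.
        smtp.starttls(context=ssl.create_default_context())
        # smtplib base64-encodes the value; answer an error challenge with "".
        smtp.auth("XOAUTH2", lambda challenge=None: raw if challenge is None else "")
        smtp.send_message(message)
```

Both blobs are only base64-encoded, not encrypted, so either one must travel over TLS and should be redacted from debug logs.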

So why do we care? Desktop applications that send emails will have to support OAuth2 if their end users rely on utilizing Microsoft 365 after December of 2026 (unless delayed again) and in the future with other major email providers.

Users, though, will still have other options that may be available through their website provider or via SMTP relay services such as https://www.smtp2go.com which already provides OAuth2 support.

So there is currently no reason to panic. We have been anticipating this change and have been closely monitoring the likely need to add OAuth2 support to Advanced Accounting's current email capability and have already identified several options. Meanwhile we do plan to stay with our current email solution which for now works with all email providers.