Google and Microsoft Change Third-party Access Process
Many VTScada customers rely on Google or Microsoft’s email servers to send alarm notifications to operators. This year (2022) both providers will change how third-party applications such as VTScada can access their systems. Authentication by username and password over POP3 and SMTP will no longer be allowed and instead, access via OAuth 2.0 will be required.
This only affects customers using Google or Microsoft email servers For Alarm Notifications. If your site maintains its own email server or if you are using a different provider, this change does not affect you.
- Trihedral recommends OAuth 2.0, as will be required by both Google and Microsoft. Changing from basic authentication to this new system will involve effort, but in today’s security environment it is simply not safe to continue using basic authentication.
- You can try using an App Password. These are vender-generated passwords that can be used only with a specific app or device. After generating the App Password, use that as the password when configuring outgoing and incoming email accounts in VTScada. While the instructions state that it need be used only once, you are advised to leave the App Password configured. Instructions to generate an App Password for Google are available here. Instructions to generate an App Password for Microsoft are available here.
Venders note that this option is less secure than OAuth 2.0, therefore use at your own risk.
- There are other Internet-based email providers who do continue to provide basic authentication over POP3 and SMTP. While Trihedral cannot recommend these, we acknowledge that they are an option, especially for smaller sites that might find it challenging to implement an OAuth 2.0 solution.
To Implement OAuth 2.0
Before configuring VTScada to send and receive email using your OAuth 2.0 credentials you will need to do the following:
- Obtain an account with either Google or Microsoft Azure that allows OAuth 2.0 configuration, to be used by your VTScada server. Refer to the Google or the Microsoft documentation for specifics of how to create such an account. Both companies provide a variety of options, and we cannot provide guidance beyond noting the importance of ensuring that the account must allow for OAuth 2.0 configuration.
- Protect access to your VTScada server with an X.509 certificate. (Or as it is more commonly known, an SSL Certificate.) This is an absolute requirement for OAuth 2.0. Reference notes and instructions are provided in the VTScada documentation here.
With those in place, you can proceed with OAuth 2.0 configuration for your VTScada email notifications. Reference notes, instructions and examples are provided in the VTScada documentation here.
As always, please feel free to contact us via any of the below methods: