Google has announced that it will require all Google Cloud customers to use multi-factor authentication (MFA), starting with reminders in the Google Cloud console this month and gradually enforcing the requirement beginning in early 2025.
The company first mentioned its MFA plans in a document published in October, and VP of Engineering Mayank Upadhyay confirmed the decision in a recent blog post. “We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” he wrote. To ensure a smooth transition, Google Cloud will provide notifications to help enterprises and users plan for MFA implementation.
The tech giant references research from the Cybersecurity and Infrastructure Security Agency (CISA), which indicates that MFA reduces the likelihood of hacking by 99%. Google also states that its own data supports these findings.
To ease the transition, Google has introduced user-friendly MFA options, such as passkeys that rely on biometric data, making the authentication process both more secure and convenient. This approach aims to minimize any potential disruptions to the user experience while strengthening account security.
This announcement comes amid a growing wave of data breaches, with over a billion records reportedly stolen in 2024 alone. One example is the ransomware attack on healthcare giant Change Healthcare in February, which exposed health data of over 100 million Americans due to stolen credentials that were not protected by MFA.
Similarly, data warehousing company Snowflake experienced a breach in which customer data, including data from Ticketmaster, was leaked. This breach led Snowflake to make MFA available to its administrators, although it remains optional for customers.
Google’s cybersecurity division Mandiant worked with Snowflake to investigate the breach, ultimately advocating for “universal enforcement of MFA and secure authentication.”
The change will take place in three phases. Starting this month, users who are not using MFA on their accounts will be encouraged to do so via a prompt on the console screen. Then, in early 2025, all Google Cloud users who log in with a password will be required to use a second layer of authentication, such as an authenticator app or physical security key, to access their accounts. Finally, by the end of the year, this requirement will also apply to “federated users,” who use third-party authenticators to access Google Cloud resources.
Google’s move aligns with similar initiatives by other major cloud providers. AWS introduced mandatory MFA in June, followed by Microsoft Azure in August.
MFA is currently available for regular Google Accounts but it remains optional for personal users, who can enable or disable it as they choose. Google reports that around 70% of its regularly used accounts have two-step verification (2SV) enabled. However, the company believes that the increased risks in enterprise cloud deployments make mandatory MFA essential for Google Cloud.
“Today, there is broad 2SV adoption across all Google services,” Upadhyay noted. “However, given the sensitive nature of cloud deployments – and with phishing and credential theft being top attack vectors observed by our Mandiant Threat Intelligence team – we believe it’s time to require 2SV for all Google Cloud users.”
Why Wait? Enable MFA Now!
To enable MFA on your Google Cloud account, visit ‘security.google.com’ and, under the “How you sign in to Google” section, select ‘2-Step Verification’ and follow the on-screen instructions to complete the setup.
Please note, Cloud Identity-managed account owners who do not see the ‘2-Step Verification’ option might be restricted by admin-imposed settings.
Source: https://www.linkedin.com/pulse/google-cloud-announces-mandatory-multi-factor-authentication-gqvoe/