Jump to Content
Security & Identity

Mandatory MFA is coming to Google Cloud. Here’s what you need to know

November 4, 2024
Mayank Upadhyay

VP of Engineering and Distinguished Engineer, Google Cloud

Hear monthly from our Cloud CISO in your inbox

Get the latest on security from Cloud CISO Phil Venables.

Subscribe

At Google Cloud, we’re committed to providing the strongest security for our customers. As pioneers in bringing multi-factor authentication (MFA) to millions of Google users worldwide, we've seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience. That’s why we will soon require MFA for all Google Cloud users who currently sign in with just a password.

We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.

A phased approach to MFA

We’ve been strong advocates for our MFA system for over a decade, and we're here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That's why we're rolling out mandatory MFA in phases.

Phase 1 (Starting November 2024): Encourage MFA adoption: If you're not already among the 70% of Google users benefiting from MFA, we encourage you to get started. Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users.

Phase 2 (Early 2025): MFA required for password logins: Early next year, we'll begin requiring MFA for all new and existing Google Cloud users who sign in with a password. You'll see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. To continue using these tools, you'll need to enroll in MFA.

Phase 3 (End of 2025): MFA for federated users: By the end of 2025, we'll extend the MFA requirement to all users who federate authentication into Google Cloud. You'll have flexible options to meet this requirement.

For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off. Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_-_Mandatory_MFA_roll-out_phases.max-2100x2100.png

Mandatory MFA roll-out phases.

Why we’re requiring MFA for Google Cloud

We’ve always prioritized protecting your identity in order to keep your account and sensitive information safe, and we use a variety of risk-based signals to quickly detect if an account is compromised and subsequently help users restore it securely.

We pioneered consumer-scale MFA in 2011 with the launch of 2-Step Verification (2SV) for millions of users. We chose the name "2-Step" as a nod to the iconic Texan dance, making it a bit more approachable than the technical term "two-factor authentication." It's been exciting to see the industry adopt this term, embracing clear, simple language for consumer security.

While 2SV was effective at protecting accounts from stolen passwords, we knew we needed even stronger protection against more sophisticated attacks.

We introduced phishing-resistant Security Keys for Google Accounts in 2014. To make this technology more widely available, we worked with industry partners to standardize it, leading to the development of passkeys. Passkeys offer the same strong security but with added convenience, using fingerprint or facial recognition for a smoother sign-in experience.

Today, there is broad 2SV adoption by users across all Google services. However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud.

This shift is backed by strong evidence both from our own experience and from U.S. government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch.

Enable 2-Step Verification today

You can proactively enable free 2SV for your Google Account right now, by following these two steps:

Step 1: Access security settings

  • For consumer Google Accounts and Cloud Identity managed accounts, go to security.google.com. (If you use federated authentication to access Google Cloud, we recommend you set it up with your identity provider. Your provider may refer to it as 2SV or MFA.)

Under How you sign in to Google, Select 2-Step Verification.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_-_Select_2-Step_Verification.max-1700x1700.png

Select 2-Step Verification.

If you're using a Cloud Identity managed account and don't see the option for 2-Step Verification, your administrator may have disabled it. Reach out to your administrator for assistance.

Step 2: Turn on 2SV

  • Select Turn on 2-Step Verification.
  • Follow the on-screen instructions to complete enrollment.
https://storage.googleapis.com/gweb-cloudblog-publish/images/3_-_Turn_on_2-Step_Verification.max-1700x1700.png

Turn on 2-Step Verification.

Learn more

2SV is a critical step in protecting your cloud environment from unauthorized access. We encourage all Google Cloud users to enable 2SV as soon as possible. Please refer to these resources for more information:

Posted in