All Google Cloud users across the world will need to implement multi-factor authentication (MFA) in 2025. Approximately 30 percent of all current Google users still do not have MFA.
In early 2025, Google will mandate MFA for all users who sign into their account with a password.
By the end of 2025, mandatory MFA security will expand to all users who federate authentication into Google Cloud via identity providers.
The MFA mandate includes users of Google Cloud Platform (GCP), Android and Google Workspace—which includes Google’s collaboration suite of Gmail, Meet, Drive, Calendar and more.
MFA makes users 99 percent less likely to be hacked, which is a “powerful reason to make the switch,” said Google Cloud’s Mayank Upadhyay, vice president of engineering, in a recent blog post.
“As pioneers in bringing multi-factor authentication to millions of Google users worldwide, we've seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience,” said Upadhyay. “Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”
The company said approximately 70 percent of all Google users are currently leveraging MFA as of late 2024.
Two Phases Of Google Cloud’s MFA Mandate
The Mountain View, Calif.-based company said it is rolling out mandatory MFA in two main phases.
One phase will begin in early 2025 with MFA being required for password logins.
“Early next year, we’ll begin requiring MFA for all new and existing Google Cloud users who sign in with a password. You'll see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. To continue using these tools, you’ll need to enroll in MFA,” said Upadhyay.
The next phase will be implemented near the end of 2025 with MFA required for users who federate authentication into Google Cloud.
“You can enable MFA with your primary identity provider before accessing Google Cloud—we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off,” Upadhyay said. “Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.”
Why MFA Is Needed; AWS And Microsoft Make Similar Move
Massive cyberattacks against Ticketmaster and Santander Bank brought scrutiny to cloud companies' MFA policies.
Enabling MFA greatly improves the account security of customers, with MFA being one of the key recommendations in the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative.
Both Microsoft and Amazon Web Services initiated MFA mandates earlier this year.
For example, Microsoft began requiring MFA for all Azure sign-ins in October.
“Given the sensitive nature of cloud deployments—and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team—we believe it’s time to require 2SV [two-step verification] for all users of Google Cloud,” said Google’s Upadhyay.