Google to Require MFA For Google Cloud Users

Google says it is mandating multi-factor authentication for all Google Cloud users that currently sign into their accounts with just a password.

Google said that starting next year, it is mandating multi-factor authentication (MFA) for all Google Cloud users that currently sign into their accounts with just a password.

“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” said Mayank Upadhyay, VP of Engineering and Distinguished Engineer with Google Cloud, in a Monday post. “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”

Key Details:

  • Starting in early 2025, Google will require MFA for all new and existing Google Cloud users; to continue using Google Cloud tools, users will need to enroll in MFA

  • Users will be able to find enrollment guidance across the Google Cloud Console, Firebase Console, gcloud, and other platforms

  • Starting this month, meanwhile, Google will “encourage MFA adoption” for users with new resources in the Google Cloud console to help plan the rollout, conduct testing and enable MFA for users

  • By the end of 2025, Google said it will extend the MFA requirement to users that use federated authentication to access Google Cloud, and they will “have flexible options to meet this requirement”

The Background: Over the years, Google has launched various measures to help strengthen the security of Google accounts, including 2-step verification (Google’s term for two-factor authentication, which can be done via phone number, backup codes, verification code apps and more) in 2011 and passkeys (an alternative, more secure method of authentication tying in fingerprint or facial recognition) for Google accounts in 2023. Currently, Google said that 70 percent of Google users leverage MFA.

“Today, there is broad 2SV adoption by users across all Google services,” said Upadhyay. “However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud.”

The Big Picture: Accounts without MFA are a lucrative target for threat actors, and have led to several big security breaches this year. More companies, including Microsoft and Amazon Web Services, have announced that they are enforcing MFA for their various products.

Currently, Google said users can proactively enable 2-step verification by going to security.google.com and selecting 2-Step Verification under the How you sign in to Google option. From there, users can select Turn on 2-Step Verification and follow the instructions to enroll. Google has also given further resources for Workspace admins in its blog post.