Phased MFA Implementation Begins This Month
Google has announced that multi-factor authentication (MFA) will become mandatory for all Google Cloud customers by 2025. Starting this month, Google Cloud users will see prompts and reminders within the Google Cloud console, marking the initial phase of MFA implementation. A gradual enforcement will then unfold over the coming year, according to Google’s VP of Engineering, Mayank Upadhyay.
Growing Security Concerns Prompt MFA Requirement- Google Cloud
The push for mandatory MFA comes amidst rising cybersecurity threats, as recent breaches highlight the risks associated with unsecured credentials. For instance, healthcare giant Change Healthcare faced a major ransomware breach impacting over 100 million records in the U.S., attributed to stolen credentials unprotected by MFA. Snowflake, another data warehousing giant, experienced similar breaches impacting customer data, emphasizing the need for stricter security protocols.
Industry Shift: Google Joins AWS and Microsoft in MFA Enforcement
Following similar steps taken by AWS and Microsoft Azure, Google Cloud’s phased MFA rollout targets all users who currently access their accounts with a password. By early 2025, these users must activate MFA, utilizing either an authenticator app or a physical security key. Google also plans to extend the requirement to “federated users” (those accessing Google Cloud via third-party authenticators) by the end of 2025.
Enterprise-Only Enforcement — For Now
While individual Google Accounts also support MFA, activation remains optional for personal users. Currently, 70% of active Google accounts have two-step verification (2SV) enabled. However, Google’s focus on mandatory MFA is targeted at its enterprise customers, given the increased risks associated with business cloud applications.
Upadhyay: “Time to Require 2SV for All Google Cloud Users”
In a blog post, Upadhyay cited Google-owned Mandiant’s findings that phishing and stolen credentials remain leading attack vectors, reinforcing the urgency for MFA in cloud security. “Given the sensitive nature of cloud deployments,” Upadhyay stated, “we believe it’s time to require 2SV for all users of Google Cloud.”
As the phased enforcement progresses, Google Cloud users will receive advance notifications, helping them prepare for the new security mandate set to strengthen the platform’s defenses against evolving cyber threats.
