Google Cloud to Mandate Multifactor Authentication by 2025
Google is rolling out mandatory multifactor authentication (MFA) on all Google Cloud accounts to protect against phishing and data theft.
The new requirement will be implemented in phases throughout 2025, all Google Cloud users worldwide will be mandated to enable MFA for sign-on by year’s end.
This change will not apply to owners of Google’s general consumer accounts.
Google Cloud’s Mandiant found phishing and stolen credentials to be the top attack vectors affecting cloud environments. In a November 5 blog post, Google said the new measure is a response to this.
“The [US] Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch,” said the post.
The company also noted that 70% of Google users have already enabled MFA.
Read more: Is MFA Enough to Protect You Against Cyber-Attacks?
MFA Rollout in Three Phases
The firm said it wanted to ensure a smooth transition with a phased rollout which will include the following steps:
- From November 2024 – Encourage MFA adoption with reminders and information in the Google Cloud console, including resources to help users plan the rollout, conduct testing and enable MFA
- From early 2025 – MFA required for all new and existing Google Cloud users who sign in with a password
- From the end of 2025 – Extending the MFA requirement to all users who federate authentication into Google Cloud
Google Cloud federated users will have flexible options to meet this third requirement.
“For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off. Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system,” said Google.
Google introduced two-factor authentication in 2011 with its 2-Step Verification (2SV) feature and adopted the use of passkeys with its ‘Security Keys for Google Accounts’ scheme in 2014. The firm made passkeys the default sign-in option in 2023.
Read now: Interview – Andrew Shikiar on the Potential for a Passwordless Future