Google Cloud has outlined a plan to require multi-factor authentication (MFA) for all users by the end of 2025. This new policy will shift MFA from an optional security measure to a standard requirement across all accounts, enhancing account protection across Google’s platforms. Currently, MFA is optional for users logging in with only passwords, but the updated policy will make it mandatory for all.
Google Cloud will implement mandatory MFA in three phases, allowing for gradual adoption. In Phase 1, beginning this month, Google Cloud will encourage users who have not yet enabled MFA to activate it. Reminders and instructions will be provided within the Google Cloud console, along with resources to assist users in the setup process.
Starting in early 2025, Phase 2 will require MFA for all users who sign in with a password. Notifications and guidance will be available across platforms, including the Google Cloud Console, Firebase Console, and gcloud, to assist users in enabling MFA.
In Phase 3, which will be carried out by the end of next year, the MFA requirement will be extended to users who authenticate through federated identity providers. Google Cloud will work closely with these providers to ensure smooth integration, giving users the option to enable MFA either through their primary provider or directly through Google’s system.
Google all aboard with MFA
Google has promoted MFA since 2011, when it introduced two-step verification (2SV) for consumer accounts. In 2014, the company added phishing-resistant security keys and later collaborated with industry partners to develop passkeys, which utilise fingerprint and facial recognition for secure login.
Google Cloud’s Mandiant Threat Intelligence team has identified phishing and credential theft as significant risks in cloud environments, prompting the decision to enforce MFA. Findings from the US Cybersecurity and Infrastructure Security Agency (CISA) indicate that MFA can substantially reduce the risk of account compromise.
Users can proactively enable 2SV on their accounts by navigating to their Google account’s security settings and selecting “2-Step Verification” under sign-in options, then following the on-screen instructions. Users logging in through federated identity providers are encouraged to enable MFA through their primary provider, which may list it as 2SV or MFA. Users who do not see this option are advised to contact their account administrator.
By making MFA mandatory, Google Cloud aims to establish a consistent security standard across all platforms, reducing user exposure to potential threats and enhancing authentication protocols for all users.