Multi-factor authentication to be mandatory on Google Cloud accounts

Google announced mandatory multi-factor authentication (MFA) is coming to Google Cloud accounts. This will be enacted by the end of 2025 for the purposes of enhanced security.

This mandatory MFA rollout will impact both admins and users with Google Cloud services; however, it will not influence general consumer accounts. Advance notification will be sent to organizations and users to facilitate a smooth transition toward MFA deployment. There will be three phases to make the process easier. 

  1. Starting November 2024: Encourage MFA through helpful reminders and resources to help enterprises and users rollout MFA with ease.  
  2. Starting early 2025: Require MFA for password logins. 
  3. Starting late 2025: Enact MFA requirement for all users federating authentication into Google Cloud. 

Security leaders weigh in 

Jason Soroko, Senior Fellow at Sectigo:

Google’s decision to mandate multi-factor authentication (MFA) for all Cloud accounts by the end of 2025 is a positive move to enhance security. Similar to how Snowflake required MFA after some of their customers had experienced high profile breaches, Google’s mandate addresses the growing risks associated with single-factor authentication

MFA can be enabled by using methods such as Google Authenticator app at no additional cost. These options are included in the standard offerings of Google Cloud Identity and Google Workspace accounts. Any costs would come from purchasing physical security keys or upgrading to premium services for advanced security needs. Businesses who need to scale MFA rollouts may need these premium services.

Patrick Tiquet, Vice President, Security & Architecture at Keeper Security:

Google’s announcement of mandatory MFA for all Google Cloud accounts by the end of 2025 marks a significant commitment to increasing cybersecurity standards for its customer base that could set a precedent for other major technology providers. MFA is a proven security measure that provides a critical second layer of protection for accounts. 

Google’s phased rollout eases users into the new requirement, as MFA can be met with resistance due to perceived friction in user experience, especially when implemented abruptly. The multi-step plan, starting with console reminders and advancing to full enforcement, prioritizes user adoption and minimizes operational disruption with gradual transition to ease users into MFA — paving the way for smoother implementation and stronger compliance. However, organizations using Google Cloud will also need to plan for implementation within their workforce. 

Employee training about the importance of MFA will be critical and tools like a password manager can facilitate adoption by securely storing and filling MFA codes.

Rom Carmel, Co-Founder and CEO at Apono:

Google’s plan to require MFA is a welcome move as it adds an important layer of defense that increase malicious actors’ costs. The fact that it’s taken Google so long to make this move is a testament to the difficulty of rolling out security measures that may impact people’s productivity. 

Striking the right balance between security and productivity is a serious challenge that all organizations struggle with, especially when it comes to crucial elements like access to critical infrastructure. Getting it right means getting past the security theater that restricts work, enabling teams to access their resources quickly and securely.

Kris Bondi, CEO and Co-Founder of Mimoto: 

The question we should be asking is does MFA solve our problems. 

MFA has evolved from being a valuable cybersecurity tool to becoming a weak link that bad actors leverage to gain access and create account takeover scenarios. There is a combination of reasons why MFA isn’t solving the unauthorized access problem. First, it’s often misunderstood that MFA isn’t verifying a person, it’s verifying a device at a point in time. Who is holding that device isn’t guaranteed to be who you expect it to be. Second, MFA and two-factor authentication (2FA) has been in use for more than twenty years. As with any tool, the longer it is in existence, the more time bad actors have had to innovate against it. And, frankly, many MFA approaches haven’t evolved much over time. 

While new capabilities for MFA haven’t kept up with today’s current AI world, there are needed improvements that don’t require the use of AI. For example, MFA that sends a message to the user’s device that the user then clicks to provide access doesn’t take into account the proximity of the MFA device and the endpoint where access is being granted. I’ve personally tested this with one person granting access via MFA and someone in another state accessing a system. The fix for this doesn’t require advanced AI. It utilizes geo locations on the MFA device as well as the endpoint used to access the protected data or system.