Google Cloud to roll out mandatory MFA

Phased rollout concluding by the end of 2025

Image:
Google Cloud will make MFA mandatory

Google Cloud, the platform for businesses to build, deploy, and manage applications in the cloud, has announced a significant security upgrade.

In a phased rollout planned throughout 2025, Google Cloud will make multi-factor authentication (MFA) mandatory for all users.

Currently, approximately 70% of Google Cloud users have already adopted MFA. However, the upcoming mandate will ensure that all users, including new ones, are required to enable this extra layer of protection.

"As pioneers in bringing multi-factor authentication (MFA) to millions of Google users worldwide, we've seen first-hand how it strengthens security without sacrificing a smooth and convenient online experience," said Mayank Upadhyay, VP of Engineering and Distinguished Engineer, Google Cloud, in a blog post.

"We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments."

MFA requires users to verify their identity beyond just a password. This could involve a security key, a code sent to their phone, or biometric authentication using a fingerprint or facial recognition.

Google says the MFA rollout will occur in three phases to ensure a smooth transition for users:

The move aims to enhance security in light of increasingly sophisticated cyber threats, Google says. They cite research from the US Cybersecurity and Infrastructure Security Agency (CISA) demonstrating that MFA reduces the likelihood of hacking by 99%.

Users can enable MFA for their Google Cloud account by visiting 'security.google.com' and following the on-screen instructions under the "How you sign in to Google" section.

Google Cloud's decision aligns with a broader industry trend towards stricter security measures. Other major cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, have also implemented or announced plans for mandatory MFA.

AWS has already mandated MFA for root users of AWS Organizations management accounts and is extending the requirement to standalone accounts.

Microsoft is also taking a phased approach to enforce MFA for various Azure services, including the Azure portal, Azure CLI, and Azure PowerShell.