Google Cloud to roll out mandatory MFA

Phased rollout concluding by the end of 2025

Image:

Google Cloud will make MFA mandatory

Google Cloud, the platform for businesses to build, deploy, and manage applications in the cloud, has announced a significant security upgrade.

In a phased rollout planned throughout 2025, Google Cloud will make multi-factor authentication (MFA) mandatory for all users.

Currently, approximately 70% of Google Cloud users have already adopted MFA. However, the upcoming mandate will ensure that all users, including new ones, are required to enable this extra layer of protection.

"As pioneers in bringing multi-factor authentication (MFA) to millions of Google users worldwide, we've seen first-hand how it strengthens security without sacrificing a smooth and convenient online experience," said Mayank Upadhyay, VP of Engineering and Distinguished Engineer, Google Cloud, in a blog post.

"We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments."

MFA requires users to verify their identity beyond just a password. This could involve a security key, a code sent to their phone, or biometric authentication using a fingerprint or facial recognition.

Google says the MFA rollout will occur in three phases to ensure a smooth transition for users:

Phase 1: Beginning this month, users who haven't already activated MFA for their accounts will receive gentle reminders to do so within the Google Cloud console. According to Google, this applies to roughly 30% of Cloud users.
Phase 2: Starting in early 2025, all users who still rely solely on a password will be required to enable MFA. Notifications prompting them to set up MFA will appear across Google Cloud Console, Firebase Console, gCloud, and other platforms.
Phase 3: The final phase, slated for the end of 2025, extends the MFA requirement to users who access Google Cloud through a federated identity provider. These users will have the flexibility to use their existing provider's MFA solution or add an additional layer through Google.

The move aims to enhance security in light of increasingly sophisticated cyber threats, Google says. They cite research from the US Cybersecurity and Infrastructure Security Agency (CISA) demonstrating that MFA reduces the likelihood of hacking by 99%.

Users can enable MFA for their Google Cloud account by visiting 'security.google.com' and following the on-screen instructions under the "How you sign in to Google" section.

Google Cloud's decision aligns with a broader industry trend towards stricter security measures. Other major cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure, have also implemented or announced plans for mandatory MFA.

AWS has already mandated MFA for root users of AWS Organizations management accounts and is extending the requirement to standalone accounts.

Microsoft is also taking a phased approach to enforce MFA for various Azure services, including the Azure portal, Azure CLI, and Azure PowerShell.