Google Cloud is set to make multi-factor authentication (MFA) mandatory for all users by 2025, a move aimed squarely at bolstering security in response to escalating cyber threats. Starting this month, Google will roll out reminders and resources, urging customers to adopt MFA. This phased enforcement plan underscores a broader industry trend: when it comes to security, relying solely on passwords is a thing of the past.
Why is Google requiring MFA on Google Cloud?
The motivation behind Google’s push for MFA is clear. Cyber breaches are spiking, and weak security practices are at the center of these attacks. In 2024 alone, over 1 billion records were stolen in various breaches. Prominent among these were incidents at Change Healthcare and Snowflake, where sensitive data was exposed due to compromised credentials lacking MFA. Google’s decision signals an acknowledgment that cybersecurity risks have outpaced traditional protective measures.
Mayank Upadhyay, Google’s VP of Engineering, laid out Google’s stance plainly: “Given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud.” By enforcing MFA, Google is raising the stakes for account security, reflecting a mindset that cyber resilience now requires more than just strong passwords.
How Google plans to roll out MFA for cloud users
Google isn’t flipping a switch overnight. Instead, it’s rolling out mandatory MFA in phases, giving users and businesses time to adjust. Here’s what to expect in each phase:
- Phase 1 (November 2024) – Encouragement to enable MFA:
Google has started embedding reminders and guidance into the Google Cloud console, encouraging users to voluntarily set up MFA. Resources are available to help teams plan, conduct tests, and ensure a smooth MFA deployment. This phase sets the foundation, raising awareness and easing customers into what will eventually become a requirement. - Phase 2 (Early 2025) – MFA becomes mandatory for password-based logins:
In early 2025, Google will begin requiring MFA for all Google Cloud users logging in with a password. This requirement extends to Google’s platforms like Firebase and gCloud, meaning users must verify their identity with a second authentication method — whether a security key, app-based authentication, or biometric verification. - Phase 3 (End of 2025) – Extending MFA to federated users:
By the close of 2025, Google’s MFA mandate will reach federated users — those logging in through third-party identity providers. This phase ensures that no matter the login method, accounts on Google Cloud are shielded by an additional security layer. For organizations using identity providers, Google’s MFA requirement adds an extra, unified layer of defense across all access points.
The phased rollout gives users a chance to integrate MFA without disrupting operations, allowing time to educate teams and secure compliance within their workflow.
Google’s move follows industry trends in security
This shift by Google aligns with recent moves from cloud giants like AWS and Microsoft. AWS began its MFA enforcement back in June 2024, and Microsoft’s Azure soon followed suit. With Google Cloud joining the trend, it’s clear that the tech industry is coalescing around MFA as the new standard for cloud security. For Google Cloud users, this shift may feel overdue, considering the company’s extensive track record with security innovations.
While consumer Google Accounts have long offered optional MFA, the stakes are different in the enterprise world. Business accounts often house critical and sensitive data, making them prime targets for cyberattacks. In recognition of these elevated risks, Google is drawing a line, mandating that enterprise users fortify their accounts. As Upadhyay observed, “Today, there is broad 2SV adoption by users across all Google services,” but given the level of access and data involved, mandatory enforcement was “inevitable.”
MFA: What’s driving the push for stronger authentication?
The push for MFA stems from a reality that most people, and companies, already know: passwords aren’t enough. With cyberattacks becoming more advanced and targeting weaknesses in digital infrastructure, MFA has proven to be one of the most effective methods for preventing unauthorized access.
Studies underscore MFA’s effectiveness. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), MFA reduces the likelihood of account compromise by 99%. It requires users to confirm their identity with a second form of verification — an extra step that often stops attackers who have already obtained a password.
Recent data breaches have served as cautionary tales. For instance, Snowflake faced a breach that leaked private data from customers like Ticketmaster, highlighting how lacking MFA makes even large organizations vulnerable. Google’s mandate aims to plug these gaps and sets a precedent for others to follow.
What this means for Google Cloud users
For businesses and individuals relying on Google Cloud, mandatory MFA means taking security adjustments seriously. Early adoption is encouraged, especially for enterprises managing multiple user accounts. Google provides resources within its Cloud console, guiding users through MFA setup, deployment planning, and team education.
The good news is that users have options. Google Cloud allows for a range of MFA methods — from authenticator apps and SMS codes to physical security keys. Federated users, meanwhile, can work with their primary identity providers to integrate MFA, allowing them to maintain a streamlined login process.
The phased timeline offers a degree of flexibility. Organizations can use this time to ensure that MFA policies are both compliant and practical, minimizing disruptions. Google’s resources aim to ease this transition, but organizations should begin preparing now to avoid last-minute hurdles.
Featured image credit: Kerem Gülen/Midjourney
