Google Cloud will make MFA mandatory by the end of 2025 – here’s what you need to know
Admins and federated users will be required to use MFA to sign in by the end of 2025 in a move Google Cloud says will bolster cyber resilience
Google Cloud has set out its plan to raise the bar on cyber resilience and make multi-factor authentication (MFA) mandatory for all Cloud users around the world by the end of 2025.
The roll-out will follow three stages aimed at ushering Google Cloud customers into a new era of improved security, the company said.
Mayank Upadhyay, VP of engineering and distinguished cloud engineer at Google Cloud, announced the change in a 5 November blog post, stating Google Cloud has seen firsthand how MFA can bolster security without hindering user experience.
Upadhyay explained Google’s phased approach to implementing MFA on all Cloud accounts going forward, beginning with a period of encouraging the adoption of the security layer, beginning in November 2024.
The firm said 70% of users are already benefiting from MFA, and is encouraging the remainder to start now by adding “helpful reminders” in their Google Cloud console. This will include resources to help admins plan their rollout, conduct testing and smoothly enable MFA for their users.
From early 2025, Google will start requiring MFA for all new and existing Cloud users who use a password to sign in.
Finally, the third phase of the roll-out will see Google extend this MFA requirement to all users who federate authentication into Google Cloud by the end of 2025.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Google said federated users will have a set of flexible options to do this, for example by enabling MFA with their primary identity provider , or adding an extra layer of MFA through the Google account itself.
A big step for Google Cloud users, but not all MFA is created equal
Explaining why Google is taking action now, Upadhyay referred back to the firm’s roll-out of consumer-scale MFA with its two-step verification system in 2011, as well as the introduction of phishing-resistant security keys in 2014, which were thereafter developed into passkeys.
“Today, there is broad 2SV adoption by users across all Google services. However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud,” he argued.
The new transition to mandatory MFA on all user and admin accounts is backed by strong evidence, according to Google, with the firm citing CISA research that found MFA makes users 99% less likely to be hacked.
Anna Collard, SVP of content strategy and evangelist at security awareness specialist KnowBe4, praised the decision as an important one in boosting cyber resilience across the board.
"Google Cloud’s decision to make multi-factor authentication (MFA) mandatory by the end of 2025 is a significant step forward in securing the digital ecosystem,” she declared.
“As cyber threats continue to evolve, especially with phishing and credential-based attacks on the rise, MFA has become essential in protecting both organizations and users.”
Collard added that MFA will not solve all security problems, however, and businesses should scrutinize how phishing-resistant their MFA solution is before implementing it across their stack.
“By adding an extra layer of verification, MFA reduces the risk of unauthorized access even if passwords are compromised. That said, MFA alone isn’t a silver bullet; effective security relies on a layered defense approach that combines multiple strategies to protect assets and data,” she cautioned.
“Not all MFA quality is equal either, for example phishing-resistant MFA, such as those enabled by FIDO are a much better option than text based or push based MFA."
Chris Fuller, senior director of technical field operations at Obsidian Security, noted that although MFA should help secure organizations against rudimentary password spraying techniques, threat actors are already evolving their TTPs to work around MFA.
Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.