Google has confirmed plans to require all Google Cloud customers to use multi-factor authentication (MFA), a process that kicks off this month with prompts and “helpful reminders” embedded inside the Google Cloud console, before a gradual enforcement period starting in the new year.
The internet and cloud giant quietly announced its MFA plans in a document published in October, though the company’s VP of engineering, Mayank Upadhyay, formally announced this in a blog post this week.
“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” Upadhyay wrote. “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”
The news, inarguably a long-time coming, arrives amid a swathe of data breaches, with at least 1 billion stolen records in 2024 so far. By way of example, the UnitedHealth-owned healthcare giant Change Healthcare was hit by ransomware attack in February, a data breach that saw health data stolen on more than 100 million people in the United States. The cause? Stolen back-end credentials that lay unprotected by MFA.
Data warehousing giant Snowflake, meanwhile, also hit the headlines after hundreds of its customers’ (including Ticketmaster) private data leaked online. These breaches were again caused by the lack of mandatory MFA enforcement, with Snowflake subsequently introducing mandatory MFA as an option for Snowflake admins, though it’s still up to the customer whether to switch this on.
Ironically, as it relates to today’s news at least, security researchers at Google-owned cybersecurity company Mandiant worked with Snowflake to investigate the data theft, concluding that the data breaches highlighted the need for “…universal enforcement of MFA and secure authentication.”
And so Google is now following its own subsidiary’s advice.
Starting in early 2025, Google says that it will require all Google Cloud users who currently sign in with a password to activate MFA — this means they will only be able to access their Google Cloud accounts by using a secondary authentication mechanism, such as authenticator app or physical security key.
By the end of 2025, this requirement will be extended to so-called “federated users,” which refers to those who access Google Cloud resources through a third-party authenticator.
Google’s announcement follows hot on the heels of similar enforcements at rival cloud giants. AWS began a phased rollout of mandatory MFA back in June, while Microsoft followed suit with Azure shortly after.
It’s worth noting that while consumers can also benefit from MFA for standard Google Accounts, this remains optional, with users able to activate and deactivate the feature on a whim. The company says that while 70% of Google Accounts (those that are in regular use, at least) have what it calls two-step verification (2SV) turned on, it’s only making this mandatory for business customers due to the increased risks that come with enterprise cloud deployments.
“Today, there is broad 2SV adoption by users across all Google services,” notes Upadhyay. “However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud.”