Google Cloud to Enforce MFA on Accounts in 2025
Google Cloud will take a phased approach to make multifactor authentication mandatory for all users.
In a bid to improve account security, Google will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. Currently, 70% of Google users have MFA enabled.
This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users; it will not apply to general consumer Google accounts. The company will begin the first phase of a year-long implementation this month.
In Phase 1, Google Cloud administrators will receive information on how to prepare for the transition. Phase 1 will raise awareness and provide materials to help plan a rollout and conduct testing.
Phase 2, to begin in early 2025, will require all new users and existing Google Cloud users who use passwords for authentication to enable MFA on their accounts. The notifications and guidance will be displayed in the Google Cloud Console, the Firebase Console, the gcloud CLI, and other platforms.
Phase 3, at the end of 2025, will require users who federate authentication into Google Cloud to turn on MFA. Users can enable MFA with their primary identity providers before accessing Google Cloud — or add an extra layer of MFA through the Google account.
“Beginning this month, you’ll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users,” the company said.
MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's (CISA) Secure By Design initiative. The shift to mandatory MFA is happening throughout the industry. In June, Amazon Web Services began enforcing MFA for customers signing into the AWS Management Console as the root user of an AWS Organizations management account; that requirement has since been extended to the root user of standalone accounts outside of AWS Organizations.
Mandatory MFA has also been adopted by Snowflake, which in July introduced an option that lets administrators enforce MFA for all users. The following month, Microsoft announced its rollout for Microsoft Azure. Microsoft's plan, similar to Google Cloud's, takes a phased approach. Phase 1 for Microsoft started last month, with MFA required to sign in to the Azure portal, the Microsoft Entra admin center, and the Intune admin center. Phase 2, also beginning early next year, will gradually enforce MFA for the Azure CLI (command-line interface), Azure PowerShell, the Azure mobile app, and infrastructure-as-code tools.
While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not foolproof.
“Mandatory MFA is necessary but not sufficient for enterprise security,” says Jasson Casey, CEO of Beyond Identity. “This is because MFA is not created equal and doesn’t offer the same level of security assurances.”
MFA and two-factor authentication have been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, said Kris Bondi, CEO and co-founder of Mimoto, in an emailed statement. Threat actors are increasingly launching phishing operations that can bypass legacy MFA, which is why the National Institute of Standards and Technology and CISA have urged adopting phishing-resistant MFA.
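To make the "legacy versus phishing-resistant" distinction concrete, here is an added Python example that is not part of the original article and not code from Google, CISA or any vendor named above. It simulates the adversary-in-the-middle (AitM) relay that defeats a one-time code: the victim types a valid TOTP into a look-alike page and the proxy forwards it to the real site inside the 30-second window, so the real site accepts it. It then runs the same relay against a WebAuthn-style assertion, where the browser (not the page) writes the origin it actually loaded into the signed client data, so the real site rejects anything produced on the phishing origin. The domains, seed and credential secret are constructed for the example; the authenticator's signature is modelled with an HMAC over a secret shared at registration rather than a real per-credential private key, so that the code runs on the standard library alone.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample data for this example (hypothetical, not from the article).
TOTP_SEED = b"0123456789abcdef0123"                 # seed the user's app and the site share
CRED_SECRET = b"example-credential-secret-not-real" # stand-in for a FIDO2 credential key
RP_ID = "accounts.example.com"                      # hypothetical relying party ID
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-example.com"       # hypothetical AitM proxy domain


# --- Legacy MFA: TOTP (RFC 6238 on top of RFC 4226 HOTP) ---------------------
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    return hotp(seed, unix_time // step)


def totp_login(rp_seed: bytes, submitted_code: str, unix_time: int) -> bool:
    """The site's check. A code is just six digits: it carries no information
    about which web page the user typed it into."""
    return hmac.compare_digest(submitted_code, totp(rp_seed, unix_time))


def totp_aitm_attack(unix_time: int = 1_700_000_000) -> bool:
    """AitM relay: victim reads the current code from their app, types it into the
    proxy's page, and the proxy submits it to the real site within the same step.
    Returns True when the attacker's session is accepted."""
    code_typed_into_phish_page = totp(TOTP_SEED, unix_time)  # victim's authenticator app
    relayed_by_proxy = code_typed_into_phish_page            # forwarded verbatim
    return totp_login(TOTP_SEED, relayed_by_proxy, unix_time)


# --- Phishing-resistant MFA: WebAuthn-style origin-bound assertion ------------
def _signed_payload(client_data: bytes) -> bytes:
    # authenticatorData (reduced here to the rpIdHash) || SHA-256(clientDataJSON)
    return hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()


def get_assertion(challenge: str, browser_origin: str) -> tuple[bytes, bytes]:
    """What the browser plus authenticator produce. `browser_origin` is filled in by
    the browser from the URL it actually loaded; the page cannot override it.
    Simplification: HMAC with CRED_SECRET stands in for a private-key signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True,
    ).encode()
    signature = hmac.new(CRED_SECRET, _signed_payload(client_data), hashlib.sha256).digest()
    return client_data, signature


def webauthn_login(expected_challenge: str, client_data: bytes, signature: bytes) -> tuple[bool, str]:
    """Relying-party verification, limited to the steps that matter for phishing:
    ceremony type, challenge freshness, origin binding, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    expected_sig = hmac.new(CRED_SECRET, _signed_payload(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "bad signature"
    return True, "ok"


def webauthn_aitm_attack(challenge: str = "fresh-challenge-from-real-site") -> tuple[bool, str]:
    """Same relay as above: the proxy fetches a fresh challenge from the real site and
    hands it to the victim's browser, which is on PHISH_ORIGIN. The assertion binds
    that origin, so forwarding it verbatim to the real site fails."""
    client_data, sig = get_assertion(challenge, PHISH_ORIGIN)
    return webauthn_login(challenge, client_data, sig)


def webauthn_legit_login(challenge: str = "fresh-challenge-from-real-site") -> tuple[bool, str]:
    client_data, sig = get_assertion(challenge, REAL_ORIGIN)
    return webauthn_login(challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP relayed through AitM proxy accepted:", totp_aitm_attack())
    print("WebAuthn assertion relayed through AitM proxy:", webauthn_aitm_attack())
    print("WebAuthn assertion from the real origin:", webauthn_legit_login())
```

In a real browser the relay would fail even earlier: the browser refuses to use a credential whose rpId is not a registrable-domain suffix of the page's origin, so the phishing page never gets an assertion to forward. The example skips that client-side gate deliberately so that the server-side origin check, which is the part a relying party must implement and must not skip, is the thing on display. The TOTP half is the property that no amount of rollout policy fixes: a code typed into the wrong page is indistinguishable from one typed into the right one.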