Google’s New Security Mandate: MFA to be Mandatory on All Google Cloud Accounts by 2025

Google is making multi-factor authentication mandatory by the end of 2025 for all Google Cloud accounts.

The tech giant said in a recent announcement that it will begin the transition with a phased rollout to help users adapt more smoothly.

Why MFA for Google Cloud?

Multi-factor authentication has long been recommended across the tech industry and cybersecurity industry. By implementing an additional verification step, MFA dramatically reduces the risk of unauthorized access, data breaches, and account takeover attacks – even if passwords are compromised. Google’s push for mandatory MFA follows alarming trends in cybersecurity, with sophisticated attacks on cloud infrastructure and sensitive data on the rise.

“This shift is backed by strong evidence both from our own experience and from U.S. government agencies,” Google said. “The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch.”

The mandatory MFA requirement for Google Cloud will be introduced in three stages to smooth out the process for users and enterprises.

1. Phase 1: Encouragement and Awareness (Beginning November 2024)

• Starting immediately, Google will encourage Google Cloud users who are not yet using MFA to enable it, displaying reminders directly on the console screen. This phase primarily targets the estimated 30% of Cloud users who rely solely on password-based access, prompting them to upgrade to MFA.

1. Phase 2: Notifications to Enable MFA (Early 2025)

• Early in 2025, Google will notify all existing and new Google Cloud users still using passwords alone to enable MFA. These notices will appear across Google Cloud Console, Firebase Console, gCloud, and other related platforms, giving users ample time to make the switch.

1. Phase 3: Mandatory MFA Requirement (End of 2025)

• By the end of 2025, MFA will be mandatory for all Google Cloud users, including federated users who sign in with an external identity provider. These users will have the option to use their provider’s MFA solution or add an additional layer through Google’s MFA options.

To make MFA adoption as seamless as possible, Google has developed a range of MFA options, including passkeys that leverage biometric data for a smoother and more secure experience.

How to Enable MFA on Google Cloud

Users can proactively enable MFA on their Google Cloud accounts by visiting their account security settings. Here’s a quick guide to setting up MFA on Google Cloud:

1. Visit security.google.com.
2. Under the "How you sign in to Google" section, select 2-Step Verification.
3. Follow the on-screen instructions to complete the setup, which may include options for app-based verification or biometric passkeys.

For accounts managed through Cloud Identity, note that some users may not see the '2-Step Verification' option due to admin restrictions. Enterprise admins can consult Google’s official guide for further setup information or contact their account manager for support.