
Google has confirmed plans to require all Google Cloud customers to use multi-factor authentication (MFA). The process will begin this month with embedded messages and ‘helpful notifications’ in the Google Cloud Console, ahead of a gradual implementation period in the new year.
The internet and cloud giant quietly announced its MFA plans in a document released last October, but Mayank Upadhyay, the company’s vice president of engineering, officially announced them in a blog post this week.
“We will implement mandatory MFA on Google Cloud in a phased approach that will roll out to all users globally in 2025,” Upadhyay wrote. “To ensure a smooth transition, Google Cloud will provide proactive notification to businesses and users as we help them plan their MFA deployment.”
This news, no doubt long overdue, comes amid a spate of data breaches, with at least a billion records stolen as of 2024. For example, Change Healthcare, a healthcare giant owned by UnitedHealth, suffered a ransomware attack last February in which the health data of more than 100 million people in the U.S. was stolen. The cause? Stolen backend credentials that were not protected by MFA.
Meanwhile, data warehouse giant Snowflake also made headlines after the personal data of hundreds of its customers (including Ticketmaster) was leaked online. These breaches were again caused by the lack of enforcement of mandatory MFA, and while Snowflake has since introduced mandatory MFA as an option for Snowflake administrators, it is still up to customers to decide whether to turn it on or not.
Ironically, at least in relation to today’s news, security researchers at Mandiant, a Google-owned cybersecurity company that worked with Snowflake to investigate the data theft, concluded that the data breach highlighted the need for “…universal enforcement of MFA and security authentication.”
So Google is now following the advice of its own subsidiary.
Starting in early 2025, Google says all Google Cloud users who sign in with their current password will need to enable MFA. This means that a Google Cloud account can only be accessed with a secondary authentication mechanism, such as an authenticator app or a physical security key.
By the end of 2025, this requirement will be extended to so-called “affiliated users,” meaning users who access Google Cloud resources through third-party authenticators.
Google’s announcement follows similar implementations by rival cloud giants. AWS began phasing in mandatory MFA last June, and Microsoft followed suit with Azure soon after.
Consumers can also benefit from MFA for standard Google accounts, but it’s still optional and users can enable and disable the feature on a whim. The company says that 70% of Google accounts (at least those that are used regularly) have two-step verification (2SV) turned on, but that it’s mandating the feature only for business customers due to the increased risk carried by enterprise cloud deployments.
“2SV is now widely adopted by users across all Google services,” says Upadhyay. “However, given the sensitive nature of cloud deployments and phishing and stolen credentials being the top attack vectors observed by the Mandiant Threat Intelligence team, we believe it is time to require 2SV for all users on Google Cloud.”