The cybersecurity community reacted positively to Google’s November 4 announcement that it would begin implementing multi-factor authentication (MFA) for millions of Google Cloud users worldwide through 2025, with the move described as an important step forward in securing the broader digital ecosystem.
The improved policies were announced earlier this week by Google Cloud Vice President of Engineering Mayank Upadhyay: mandatory MFA will be rolled out to every user who currently logs in using only a password.
“We will implement mandatory MFA for Google Cloud in a phased approach that will be rolled out to all users worldwide throughout 2025. To ensure a smooth transition, Google Cloud will provide advance notice to organizations and users along the way to help plan MFA deployments,” Upadhyay said.
“We’ve been a strong advocate for our MFA system for more than a decade, and we’re here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That’s why we’re rolling out mandatory MFA in stages.”
The first phase, starting this month, will see Google show unprotected users more reminders and information about MFA in the Google Cloud Console, aimed at the 30% of service users who aren’t already signed up. This guidance will push organizations towards raising awareness and planning for MFA, and will provide advice on testing and enablement processes.
Starting in early 2025, Google will begin requiring MFA for all new and existing users who sign in with a password, with notifications and instructions about this appearing across Google Cloud Console, Firebase Console, gCloud, and other platforms. Those who wish to continue using these tools will have no choice but to enroll in the MFA program at this time.
Finally, by this time next year, MFA requirements will be expanded to include all users who federate authentication in Google Cloud. There will be a number of options available to meet this requirement – organizations may choose to enable MFA with their primary identity provider before accessing Google Cloud, and work is ongoing to ensure there are standards and procedures in place to facilitate this. Or users may want to add additional layers of MFA through their Google accounts, if they prefer to use Google’s own system.
Mandatory MFA is already successful for others
Introducing mandatory MFA for cloud services is largely an idea whose time has come, and Google isn’t the only cloud giant making such moves. As early as 2024, Microsoft announced that it was introducing such a policy following a number of high-profile cyberattacks involving its users; it has been implemented across Azure since the beginning of October.
Meanwhile, open source community giant GitHub, which brought mandatory MFA to select developers and projects in 2023, said it saw a 95% opt-in rate across code contributors who received the MFA requirement, and a 54% increase in MFA adoption among all active contributors to the projects it hosts.
Mike Britton, Head of Information Technology at Abnormal Security, said Google’s move was long overdue: “[MFA] is an essential security service that should be 100% mandatory for all software and platform providers – especially for email, which remains the primary vector through which threat actors launch advanced attacks.
“I believe software vendors should provide MFA – and other core security services like SSO – to their customers as part of their standard core offerings. We should only monetize core security capabilities and features in our product if the cost of providing those features is prohibitive without additional subscription fees,” which doesn’t happen often.
Patrick Tickett, Vice President of Security and Compliance at Security guard, added: “Google’s rollout in phases makes it easier for users to adapt to new requirements, as MFA can be met with resistance due to perceived friction in the user experience, especially when implemented suddenly.
“The multi-step plan, progressing from console reminders to full implementation, prioritizes user adoption and minimizing operational disruption while gradually easing users into MFA – paving the way for smoother implementation and stronger compliance.
“However, organizations using Google Cloud will also need to plan for implementation within their workforce. Training employees on the importance of MFA will be critical and tools like a password manager can facilitate adoption by securely storing and filling out MFA codes.”
Anna Collard, Senior Vice President of Content Strategy and Evangelist at security training specialist KnowBe4, also praised Google’s new policy, but said that MFA alone is not the magic solution.
“Effective security relies on a layered defensive approach that combines multiple strategies to protect assets and data. Not all quality MFA is created equal either. For example, phishing-resistant MFA, such as that enabled by FIDO, is a much better option than text-based MFA or payment-based MFA.