In a move to improve account security, Google Cloud has announced that it will require multi-factor authentication (MFA) for all users worldwide by the end of 2025. This decision aims to enhance security, especially as cloud environments become increasingly vulnerable to sophisticated attacks.
In a recent blog, Google said the MFA requirement will be implemented in three key phases:
- Phase 1: Encouraging Adoption (Starting November 2024) — Google Cloud is urging users who rely solely on passwords to adopt MFA. Throughout this phase, Google Cloud Console will feature reminders, resources, and best practices to support organizations in raising awareness and preparing for MFA deployment.
- Phase 2: MFA for Password Logins (Early 2025) — In early 2025, MFA will become mandatory for all Google Cloud users who log in with a password. Notifications and guidance will appear across platforms like Google Cloud Console, Firebase Console, and gcloud to assist users in enrolling.
- Phase 3: MFA for Federated Users (End of 2025) — By the end of next year, federated users—those who authenticate into Google Cloud via third-party providers—must also use MFA. Google is collaborating with identity providers for a smooth integration and to offer flexibility in fulfilling the MFA requirement.
The Importance of MFA in Cybersecurity
Google Cloud introduced 2-Step Verification (2SV) in 2011, making MFA accessible to millions and significantly reducing the risks associated with password theft. Understanding the need for stronger defenses against advanced threats, Google introduced phishing-resistant security keys three years later, in 2014, leading to the development of passkeys. This industry-standard technology enhances security with the convenience of biometric verification.
Today, MFA adoption has grown substantially across Google services, with many users relying on 2SV. However, cloud deployments remain a high-risk area for phishing and credential theft, threats that are regularly flagged by Google’s Mandiant Threat Intelligence team. The decision to mandate MFA is in line with findings from the Cybersecurity and Infrastructure Security Agency (CISA), which claims that MFA reduces the chances of account compromise by a whopping 99%.
What the Experts Are Saying
“Google’s decision to mandate multi-factor authentication (MFA) for all Cloud accounts by the end of 2025 is a positive move to enhance security,” comments Jason Soroko, Senior Fellow at Sectigo. “Similar to how Snowflake required MFA after some of their customers had experienced high-profile breaches, Google’s mandate addresses the growing risks associated with single-factor authentication.”
Soroko says MFA can be enabled by using methods such as the Google Authenticator app at no additional cost. These options are included in the standard offerings of Google Cloud Identity and Google Workspace accounts. Any costs would come from purchasing physical security keys or upgrading to premium services for advanced security needs. Businesses that need to scale MFA rollouts may need these premium services.
Google’s phased rollout eases users into the new requirement, as MFA can be met with resistance due to perceived friction in user experience, especially when implemented abruptly, added Patrick Tiquet, Vice President, Security & Architecture at Keeper Security. “The multi-step plan, starting with console reminders and advancing to full enforcement, prioritizes user adoption and minimizes operational disruption with gradual transition to ease users into MFA – paving the way for smoother implementation and stronger compliance.”
However, Tiquet says organizations using Google Cloud will also need to plan for implementation within their workforce. “Employee training about the importance of MFA will be critical and tools like a password manager can facilitate adoption by securely storing and filling MFA codes.”
Rom Carmel, Co-Founder and CEO at Apono, says the fact that it’s taken Google so long to make this move is a testament to the difficulty of rolling out security measures that may impact people’s productivity. “Striking the right balance between security and productivity is a serious challenge that all organizations struggle with, especially when it comes to crucial elements like access to critical infrastructure. Getting it right means getting past the security theater that restricts work, enabling teams to access their resources quickly and securely.”
How Users Can Enable 2-Step Verification Now
In preparation for the upcoming requirement, Google Cloud users are encouraged to enable 2-Step Verification at once. They can visit Google’s security settings to initiate the setup, ensuring an added layer of protection against unauthorized access. Instructions are available through the Google Cloud Console, where users can find step-by-step guidance on enabling MFA.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.