Google Cloud to make multi-factor authentication mandatory in 2025
- November 5, 2024
- Posted by: chuckb
- Category: TC Security
Google has announced a mandate for all Google Cloud customers to implement multi-factor authentication (MFA), beginning this month with preliminary prompts and reminders within the Google Cloud console. This initiative, spearheaded by Mayank Upadhyay, Google’s VP of engineering, will transition into a gradual enforcement phase starting January 2025. The phased rollout aims to ensure that enterprises and users have sufficient advance notice to prepare for mandatory MFA deployments.
The urgency for this requirement is underscored by a significant increase in data breaches, with over a billion records compromised in 2024 alone. High-profile incidents, such as the ransomware attack on Change Healthcare, which resulted in the theft of health data for over 100 million individuals, exemplify the risks associated with inadequate security measures. These breaches often stemmed from backend credentials that were not protected by MFA.
In a similar vein, data warehousing company Snowflake faced severe repercussions when sensitive customer data was leaked, prompting the company to initially offer MFA as an option for administrators. The lack of obligatory MFA in such cases fueled security discussions within the industry, notably among security experts at Mandiant, Google’s cybersecurity subsidiary, who advocated for universal MFA enforcement as essential for safeguarding data integrity.
Starting in early 2025, Google will require all users who currently log in to Google Cloud with a password to enable MFA, adding a secondary authentication mechanism such as an authenticator app or a physical key. By the end of 2025, this requirement will extend to federated users, who access Google Cloud through third-party authenticators.
This move to enforce MFA follows trends seen among competitors in the cloud space, as both Amazon Web Services (AWS) and Microsoft Azure have initiated similar mandatory measures for their users. These developments indicate a growing recognition of the importance of enhanced security protocols to combat widespread vulnerabilities.
While Google accounts for general consumers can also utilize MFA, this feature remains optional and can be toggled on or off by users. Currently, about 70% of active Google accounts utilize a system known as two-step verification (2SV); however, given the heightened risks associated with enterprise cloud environments, Google has determined that mandatory MFA will apply exclusively to its business clientele.
Upadhyay acknowledged the growing adoption of 2SV among users across all Google services but emphasized that the sensitive nature of cloud services necessitates a more stringent security measure. He pointed to phishing attacks and credential theft as prevalent threats that demand immediate action, thus justifying the requirement of MFA for all Google Cloud users.
In summary, Google’s decisive action to implement mandatory MFA for its Cloud customers is a response to escalating security threats and a broader trend toward stricter authentication protocols in the cloud services industry. The initiative highlights the company’s commitment to bolstering security and protecting sensitive data against unauthorized access.