Google Cloud on Nov. 4 told the business community that it plans to implement mandatory multi-factor authentication (MFA) in three phases starting now and continuing to the end of 2025.
In a blog post, the company said mandatory MFA will affect all Google Cloud customers, including business customers and individual developers who access the Google Cloud Platform with their Gmail accounts.
MFA has been around for several years, and Google pointed out that roughly 70% of frequent users of Google services already have a second factor registered on their account.
“With the explosion of online accounts over the last 15 years, remembering unique, complex passwords for each is a recipe for password reuse and security risks,” said Mayank Upadhyay, vice president of engineering at Google Cloud. “Google Threat Intelligence continues to see phishing and stolen credentials as a top attack vector, thereby making protection of identities a top priority for security teams. With many MFA solutions readily available today, it’s easy for an organization to find a solution that fits their needs.”
Upadhyay added that MFA options don’t have to cost businesses a lot of money. For example, Upadhyay said Google’s 2-Step Verification tools have been free for users since its launch in 2011. Options range from simple app-based authentication with Google Authenticator to convenient SMS or push notifications. Newer technology such as passkeys allow platform password managers to be leveraged in a phishing resistant way, said Upadhyay. And most security-sensitive customers might choose to deploy dedicated tokens such as security keys.
“Google has successfully deployed these technologies across hundreds of millions of accounts, demonstrating their cost-effectiveness and ease of use,” said Upadhyay. “We believe it's time for all organizations handling sensitive user data to follow suit and embrace these readily available, mature security measures.”
Security pros praise Google’s MFA requirement
Industry security pros reacted positively to Google’s plan to require MFA for Google Cloud.
"The move by Google Cloud to make MFA mandatory is long overdue,” said Mike Britton, chief information security officer at Abnormal Security. “This is a foundational security service that should be 100% mandatory for all software and platform providers — especially for email, which continues to be the primary vector through which threat actors are launching advanced attacks.”
Britton, an SC Media columnist, said he believes software vendors should include MFA and other core security services like single sign-on to their customers as part of their standard baseline offering. Britton said the industry shouldn’t monetize basic security capabilities and features in its product unless those features are cost prohibitive to provide without additional subscription fees — and that’s often not the case, said Britton.
Galit Lubetzky, chief executive officer of Wing Security, added tha Google Cloud enforcing MFA is a welcome advancement and one step closer to preventing attacks like credential stuffing, phishing, and smishing. Lubetzky said Wing Security’s data from hundreds of customer environments shows that 49% of Google users do not have MFA enabled — and 18% of admins don’t have MFA enabled for Google.
“These numbers are highly concerning, so we can only hope that Google’s new policies help close the gap,” said Lubetzky. "However, this is not a total victory, as MFA bypassing is still a common attack vector that employs phishing to extract credentials and session cookies, as seen by attacks from EvilProxy and APT 29. This leads to the growing issue known as MFA fatigue, so in addition to MFA, another layer of education and prevention is needed to thwart attackers.”
Patrick Tiquet, vice president, security and architecture at Keeper Security, said that Google’s announcement of mandatory MFA for all Google Cloud accounts by the end of 2025 marks a significant commitment to increasing cybersecurity standards for its customer base that could set a precedent for other major technology providers.
“The phased rollout by Google eases users into the new requirement, as MFA can be met with resistance due to perceived friction in user experience, especially when implemented abruptly,” said Tiquet. “The multi-step plan, starting with console reminders and advancing to full enforcement, prioritizes user adoption and minimizes operational disruption with gradual transition to ease users into MFA — paving the way for smoother implementation and stronger compliance. However, organizations using Google Cloud will also need to plan for implementation within their workforce.”
Google detailed the phased rollout plan in its recent blog:
Phase 1 (November 2024): Google will start encouraging MFA adoption. Starting now, customers will find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan the company’s rollout, conduct testing, and smoothly enable MFA for users.
Phase 2 (Early 2025): Early next year, Google will begin requiring MFA for all new and existing Google Cloud users who sign in with a password. Customers will see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. One note: to continue using these tools, customers will need to enroll in MFA.
Phase 3 (End of 2025): By the end of 2025, Google will extend the MFA requirement to all users who federate authentication into Google Cloud. Google promises flexible options to meet this requirement.
John Gunn, chief executive officer of Token, said while he thought Google made the right move by requiring MFA, some may feel it’s still not enough. Gunn said considering that passwords are 60-year-old technology and legacy MFA is 20-year-old technology, Google should mandate phishing-resistant MFA instead of the legacy MFA that’s already being defeated in 80-90% of successful ransomware attacks.
“Many very large organizations use Google Cloud and they cannot change their internal policies on a dime,” said Gunn. “The timetable Google has set will still pose challenges for the slow movers among their customers. Google’s slow progress reflects the fact that no service provider wants to alienate customers by imposing rules they don’t want to follow. In every business, adding friction results in lost revenue. But if Google did not take this action and impose stricter security measures, more of their customers would become victims of cyberattacks and that would ultimately damage their reputation.”