Google Cloud to Enforce MFA on Accounts in 2025

In a bid to improve account security, Google will enforce mandatory multi-factor authentication for all Google Cloud users by the end of 2025. Currently, 70% of Google users have multi-factor authentication enabled.

This requirement will apply to all Google Cloud users who currently use passwords for authentication and all new users but will not apply to general consumer Google accounts. The company will begin a phased implementation starting this month, with the plan to require MFA for all users who federate authentication into Google Cloud by the end of 2025.

"Beginning this month, you'll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users," the company said.

MFA adoption is one of the key recommendations in the Cybersecurity and Infrastructure Security Agency's secure-by-design initiative and the shift to mandatory MFA is happening throughout the industry. In July, Snowflake introduced an option to allow administrators to enforce mandatory MFA for all users. Amazon started requiring mandatory MFA for Amazon Web Services back in June, Microsoft announced its rollout for Microsoft Azure in August. In June, Amazon required customers signing into the AWS Management Console with the root user of an AWS Organizations management account to use MFA. Since then, mandatory MFA has been extended to standalone accounts outside of AWS Organizations.

Microsoft's plan, similar to Google Cloud's, also takes a phased approach. Phase 1 for Microsoft started last month, with MFA being required to sign in to Azure portal, Microsoft Entra admin center, and Intune admin center. Phase 2, also beginning in early 2024, will gradually enforce MFA for Azure CLI (command-line interface), Azure PowerShell, Azure mobile app, and infrastructure-as-code tools.

While CISA has said that MFA means users are 99% less likely to be hacked, it is important to remember that MFA is not fool-proof.

"Mandatory MFA is necessary but not sufficient for enterprise security. This is because MFA is not created equal and doesn't offer the same level of security assurances," says Jasson Casey CEO of Beyond Identity.

MFA and two-factor authentication has been in use in some shape or form for more than 20 years, and attackers have had time to innovate against it, Kris Bondi, CEO and Co-Founder of Mimoto, said in an emailed statement. Threat actors are increasingly launching phishing operations which can bypass legacy MFA, which is why NIST and CISA have urged adopting phishing-resistant MFA.