Google Cloud will require multi-factor authentication in 2025

Google has announced that starting this month, all Google Cloud customers will be required to use multi-factor authentication (MFA) as part of a phased rollout. The initiative aims to enhance security by embedding prompts and helpful reminders within the Google Cloud console, with full enforcement expected in early 2025.




This decision was quietly detailed in an October document, though Mayank Upadhyay, VP of Engineering at Google, formally shared the plans in a blog post this week. Upadhyay noted that MFA implementation will occur gradually, with enterprises and users receiving advance notifications to aid in deployment.

The move comes amidst rising concerns about data breaches. In 2024 alone, over 1 billion records were reported compromised. For instance, UnitedHealth’s Change Healthcare was targeted by ransomware in February, resulting in the exposure of sensitive health data for over 100 million Americans. These breaches were attributed to the absence of MFA protection on backend credentials.

Similarly, data breaches involving Snowflake, including leaks affecting Ticketmaster customers, were linked to a lack of mandatory MFA. Snowflake later introduced MFA as an optional feature, though it remained at the discretion of their customers.

Interestingly, Google’s cybersecurity arm, Mandiant, previously collaborated with Snowflake to investigate these incidents, emphasizing the need for “universal enforcement of MFA and secure authentication.”

With this context in mind, Google is now heeding Mandiant’s advice. Starting in early 2025, MFA will be mandatory for all Google Cloud users who sign in with a password, requiring a secondary authentication method like an authenticator app or security key. By the end of 2025, this requirement will expand to federated users accessing Google Cloud via third-party authenticators.




This decision mirrors similar moves by other cloud providers, such as AWS and Microsoft Azure, which enforced mandatory MFA earlier in 2024.

It’s important to note that while MFA will become mandatory for Google Cloud business accounts, 2-Step Verification (2SV) will remain optional for individual users of Google Accounts (such as personal Gmail users). However, Google emphasizes the increased risks associated with enterprise cloud deployments, which justifies making MFA mandatory for business users.
