Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

Google’s cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security.

“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” Mayank Upadhyay, vice president of engineering and distinguished engineer at Google Cloud, said in a statement.

“To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”

The rollout process is scheduled to take place over three stages, starting from this month and until the end of 2025 –

• Phase 1 (Starting November 2024), when administrators will be provided information to prepare for the security upgrade
• Phase 2 (Early 2025), when Google will begin requiring MFA for all new and existing Google Cloud users who sign in with a password
• Phase 3 (End of 2025), when Google will extend MFA protections to federated users

“For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off,” Upadhyay said.

“Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.”

The development comes as phishing and stolen credentials continue to be the primary way through which threat actors gain unauthorized access to computer networks.

The announcement also follows similar moves from its cloud rivals Amazon and Microsoft, which have also begun enacting mandatory MFA for Amazon Web Services (AWS) and Azure, respectively, in recent months.

In July 2024, data warehousing company Snowflake introduced an option that allows administrators to enforce mandatory MFA for all users following a data breach campaign that leveraged stolen credentials from more than 165 of its customers.

The threat actor allegedly behind the data theft and extortion scheme, a 26-year-old Canadian man named Alexander “Connor” Moucka, was arrested late last month at the request of U.S. authorities. Another co-conspirator, John Erin Binns, was arrested in Turkey in late May 2024.

Other members of the UNC5537 cybercriminal gang, which is part of a larger underground network called the Com, remain at large, according to WIRED.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.