Google Cloud mandates MFA by end of 2025

Google Cloud on Nov. 4 told the business community that it plans to implement mandatory multi-factor authentication (MFA) in three phases starting now and continuing to the end of 2025.

In a blog post, the company said mandatory MFA will affect all Google Cloud customers, including business customers and individual developers who access the Google Cloud Platform with their Gmail accounts.

MFA has been around for several years, and Google pointed out that roughly 70% of frequent users of Google services already have a second factor registered on their account.

“With the explosion of online accounts over the last 15 years, remembering unique, complex passwords for each is a recipe for password reuse and security risks,” said Mayank Upadhyay, vice president of engineering at Google Cloud. “Google Threat Intelligence continues to see phishing and stolen credentials as a top attack vector, thereby making protection of identities a top priority for security teams. With many MFA solutions readily available today, it’s easy for an organization to find a solution that fits their needs.”

Upadhyay added that MFA options don’t have to cost businesses a lot of money. For example, Upadhyay said Google’s 2-Step Verification tools have been free for users since its launch in 2011. Options range from simple app-based authentication with Google Authenticator to convenient SMS or push notifications. Newer technology such as passkeys allow platform password managers to be leveraged in a phishing resistant way, said Upadhyay. And most security-sensitive customers might choose to deploy dedicated tokens such as security keys.

Leave a Comment