Google has announced that, by the end of 2025, multi-factor authentication (MFA) – aka 2-step verification – will become mandatory for all Google Cloud accounts.
“Given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require [2-step verification] for all users of Google Cloud,” said Mayank Upadhyay, VP of Engineering and Distinguished Engineer, Google Cloud.
A rollout in three phases
Currently, Google Cloud Administrators can enforce MFA use for some or all of their users, as well as prevent them from using less secure MFA methods.
“For example, some users may only be allowed to use phishing-resistant security keys or passkeys, while others may be allowed to use any method except SMS-based MFA,” Google explained in a recent whitepaper.
“Administrators also have the option of enforcing MFA after a SAML sign-in, offering protection against the scenario where an Identity Provider has been compromised.”
The push to increase the security of all Google Cloud accounts starts this month, with “helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users.”
By early 2025, all new and existing Google Cloud users who sign in with a password will have to enroll in MFA. If they don’t, they won’t be able to access Google Cloud (cloud computing services), Google Firebase (mobile and web app development platform), gcloud (the Google Cloud command line interface) and other platforms.
And, finally, by the end of 2025, MFA will become mandatory for all users who federate authentication into Google Cloud. They will be able to enable MFA with their primary identity provider before accessing Google Cloud, or add an extra layer of MFA through their Google account.
The importance of MFA
Hardware-based (i.e., physical) security keys and passkeys are the most secure option for MFA, as the authentication factor can’t be phished. Biometrics, time-based one-time passwords, and push notifications delivered via authenticator apps are less secure options, but still more secure than static PINs (i.e., backup codes) and SMS-based MFA.
While adding a second authentication factor to one’s account is no universal remedy against account compromise, it makes things harder for attackers.
“The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch,” Upadhyay pointed out.
The other big cloud providers – Amazon (AWS) and Microsoft (Azure) – have also started the push towards mandatory MFA for cloud accounts.