Google To Make MFA Mandatory Next Year

Alphabet’s Google has announced a new security measure, after confirming that multi-factor authentication (MFA) will be mandatory on all Google Cloud accounts by the end of 2025.

The move was revealed in a blog post by Mayank Upadhyay, VP of Engineering and distinguished engineer at Google Cloud, in which he noted that Google was already a pioneer in bringing MFA to millions of Google users worldwide, and “we’ve seen first hand how it strengthens security without sacrificing a smooth and convenient online experience.”

Google had introduced MFA (via 2-Step Verification) as far back as 2011, as part of its efforts back then to implement two-step verification to make a user’s Google Account significantly more secure.

Google Cloud

Google then also introduced another way to bolster two-factor authentication efforts for consumers, when it revealed its Titan Security Key to the world back in 2018, after it revealed the existence of its Titan Security chip in 2017.

Now the tech giant has confirmed it will require MFA for all Google Cloud accounts next year.

“At Google Cloud, we’re committed to providing the strongest security for our customers,” wrote Google’s Upadhyay. “As pioneers in bringing multi-factor authentication (MFA) to millions of Google users worldwide, we’ve seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience. That’s why we will soon require MFA for all Google Cloud users who currently sign in with just a password.”

“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” wrote Upadhyay. “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”

He wrote that Google will be undertaking a phased approach to MFA, with Phase 1 (Starting November 2024) designed to encourage MFA adoption. Phase 2 (in early 2025) will see MFA required for password logins. Phase 3 (at the end of 2025) will see MFA required for federated users.

“By the end of 2025, we’ll extend the MFA requirement to all users who federate authentication into Google Cloud,” wrote Upadhyay.

He said mandatory MFA for Google Cloud accounts is needed to to protect identities in order to keep accounts and sensitive information safe.

“We pioneered consumer-scale MFA in 2011 with the launch of 2-Step Verification (2SV) for millions of users,” wrote Upadhyay. “We chose the name ‘2-Step’ as a nod to the iconic Texan dance, making it a bit more approachable than the technical term ‘two-factor authentication.’ It’s been exciting to see the industry adopt this term, embracing clear, simple language for consumer security.”

“While 2SV was effective at protecting accounts from stolen passwords, we knew we needed even stronger protection against more sophisticated attacks,” he added

Long overdue

The Google development has been welcomed by a security expert, who pointed out that in today’s threat landscape, MFA should be required for all software and platform providers.

“The move by Google Cloud to make MFA mandatory is long overdue,” noted Mike Britton, CIO at Abnormal Security.

“This is a foundational security service that should be 100 percent mandatory for all software and platform providers – especially for email, which continues to be the primary vector through which threat actors are launching advanced attacks.”

“I also believe that software vendors should provide MFA (and other core security services like SSO) to their customers as part of their standard baseline offering,” said Abnormal Security’s Britton. “We shouldn’t be monetising basic security capabilities and features in our product unless those features are cost prohibitive to provide without additional subscription fees, which is often not the case.”