The announcement by Google on 4 November regarding the enforcement of multifactor authentication (MFA) for Google Cloud users has been met with enthusiasm by the cyber security community. This move is seen as a significant advancement in securing the digital ecosystem.
The new policies, revealed by Google Cloud’s vice-president of engineering, Mayank Upadhyay, will make MFA mandatory for all users who currently sign in with just a password.
“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments,” said Upadhyay.
The first phase, starting this month, will target users who are not already enrolled in MFA, providing them with reminders and information in the Google Cloud Console. This will encourage organizations to raise awareness and plan for MFA adoption.
From early 2025, Google will require MFA for all users signing in with a password. Notifications and guidance on this requirement will appear across various platforms, and users will have to enroll in MFA to continue using those platforms.
By the following year, MFA requirements will extend to all users federating authentication into Google Cloud. Organizations will have options to meet this requirement, such as enabling MFA with their primary identity provider or adding extra layers of MFA through Google accounts.
Mandatory MFA already successful for others
Google is not the only cloud provider implementing mandatory MFA. Microsoft introduced a similar policy in 2024, while GitHub saw high adoption rates when it made MFA compulsory for select developers and projects.
Experts in the field, like Mike Britton from Abnormal Security and Patrick Tiquet from Keeper Security, emphasize the importance of MFA as a foundational security measure. They believe that MFA should be standard across all software and platform providers.
While praising Google’s phased approach to MFA implementation, experts like Patrick Tiquet highlight the need for employee training and tools like password managers to facilitate MFA adoption.
Anna Collard from KnowBe4 stresses the importance of a layered defense approach in security, mentioning that not all MFA methods are equal. Phishing-resistant MFA options, like those enabled by FIDO, are considered more secure than other methods.