Maksim Kabakou - stock.adobe.com

Google Cloud MFA enforcement meets with approval

Latest Google Cloud policy to enforce multifactor authentication across its user base is welcomed by security professionals

The cyber security community has reacted positively to Google’s 4 November announcement that it will begin to enforce multifactor authentication (MFA) for millions of Google Cloud users worldwide during 2025, with the move being described as a significant step forward in securing the wider digital ecosystem.

The enhanced policies, announced earlier this week by Google Cloud vice-president of engineering Mayank Upadhyay, will see mandatory MFA rolled out to every user who currently signs in with just a password.

“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments,” said Upadhyay.

“We’ve been strong advocates for our MFA system for over a decade, and we’re here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That’s why we’re rolling out mandatory MFA in phases,” he added.

The first phase, beginning this month, will see Google begin to target unprotected users with more reminders and information on MFA in their Google Cloud Console, specifically targeting the 30% of service users not already enrolled. This guidance will push organisations towards raising awareness and planning for MFA, as well as providing advice on testing processes and enablement.

From early 2025, Google will begin to require MFA for all new and existing users who sign in with a password, with notifications and guidance on this appearing throughout the Google Cloud Console, Firebase Console, gCloud, and other platforms. Those that wish to continue to use these tools will have no option but to enrol in MFA at this time.

Finally, by this time next year, MFA requirements will have been extended to all users who federate authentication into Google Cloud. There will be a number of options available to meet this requirement – organisations may choose to enable MFA with their primary identity provider prior to accessing Google Cloud, and work is ongoing to ensure there are standards and procedures in place to make this easier. Or users may wish to add extra layers of MFA through their Google accounts, if they prefer to use Google’s own system.

Mandatory MFA already successful for others

Introducing mandatory MFA for cloud services is very much an idea whose time has come, and Google is not the only cloud giant to be making such moves – earlier in 2024, Microsoft announced it was introducing such a policy in the wake of a number of high-profile cyber attacks involving its users, and it has been in force across Azure since the beginning of October.

Meanwhile, open source community giant GitHub, which brought in compulsory MFA for select developers and projects in 2023, said it has seen an opt-in rate of 95% across code contributors who received the MFA requirement, and a 54% uplift in MFA adoption among all active contributors to projects that it hosts.

Mike Britton, CIO at Abnormal Security, said Google’s move was long overdue: “[MFA] is a foundational security service that should be 100% mandatory for all software and platform providers – especially for email, which continues to be the primary vector through which threat actors are launching advanced attacks.

“I believe that software vendors should provide MFA – and other core security services like SSO – to their customers as part of their standard baseline offering. We shouldn’t be monetising basic security capabilities and features in our product unless those features are cost prohibitive to provide without additional subscription fees, which is often not the case.”

Patrick Tiquet, vice-president of security and compliance at Keeper Security, added: “Google’s phased roll-out eases users into the new requirement, as MFA can be met with resistance due to perceived friction in user experience, especially when implemented abruptly.

“The multi-step plan, starting with console reminders and advancing to full enforcement, prioritises user adoption and minimises operational disruption with gradual transition to ease users into MFA – paving the way for smoother implementation and stronger compliance.

“However, organisations using Google Cloud will also need to plan for implementation within their workforce. Employee training about the importance of MFA will be critical and tools like a password manager can facilitate adoption by securely storing and filling MFA codes.”

Anna Collard, senior vice-president of content strategy and evangelist at security training specialist KnowBe4, also praised Google’s new policy, but said that MFA alone was no silver bullet.

“Effective security relies on a layered defence approach that combines multiple strategies to protect assets and data. Not all MFA quality is equal either, for example phishing-resistant MFA, such as those enabled by FIDO are a much better option than text-based or push-based MFA,” she said.

Read more about MFA and identity

  • The Security Think Tank considers best practices in identity and access management and how can they be deployed to enable IT departments to combat cyber-attacks, phishing attacks and ransomware.
  • Not every MFA technique is effective in combating phishing attacks. Enterprises need to consider new approaches to protect end users from fraudulent emails.
  • Traditional MFA provides benefits but tests users’ patience. Explore how invisible MFA can make it easier to access resources and reduce MFA fatigue.

Read more on Identity and access management products