Google Cloud will enforce multi-factor authentication for all users by 2025

November 6, 2024Ravie LakshmananCloud security / phishing protection

Google's cloud division has announced that it will enforce mandatory multi-factor authentication (MFA) for all users by the end of 2025 as part of its efforts to improve account security.

“We will implement mandatory MFA for Google Cloud in a phased approach, rolling out to all users globally throughout 2025,” said Mayank Upadhyay, vice president of engineering and distinguished engineer at Google Cloud, in a statement.

“To ensure a smooth transition, Google Cloud is informing businesses and users in advance to help them plan MFA deployments.”

The rollout process is expected to take place in three phases, starting this month and continuing until the end of 2025 –

• Phase 1 (Starting November 2024) when administrators will receive information about preparing for the security upgrade
• Phase 2 (Early 2025) when Google begins requiring MFA for all new and existing Google Cloud users who sign in with a password
• Phase 3 (End 2025) when Google expands MFA protections to federated users

“For example, you can enable MFA with your primary identity provider before accessing Google Cloud. We will work closely with identity providers to ensure standards are in place for a smooth handover,” Upadhyay said.

“Alternatively, if you prefer our system, you can add an additional level of MFA via your Google Account.”

The development comes as phishing and stolen credentials remain the primary way threat actors gain unauthorized access to computer networks.

The announcement also follows similar moves by cloud rivals Amazon and Microsoft, which in recent months have also begun rolling out mandatory MFA for Amazon Web Services (AWS) and Azure, respectively.

In July 2024, data warehousing company Snowflake introduced an option allowing administrators to enforce mandatory MFA for all users following a data breach campaign that exploited stolen credentials from more than 165 of its customers.

The suspected threat actor behind the data theft and extortion scheme, a 26-year-old Canadian named Alexander “Connor” Moucka, was arrested late last month at the request of U.S. authorities. Another co-conspirator, John Erin Binns, was arrested in Turkey in late May 2024.

Other members of the UNC5537 cybercriminal gang, part of a larger underground network called Com, remain at large, according to WIRED.