Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. Google argues that MFA strengthens security without sacrificing a smooth and convenient online experience.
It is reported that 70% of Google users have already enabled this feature, and security consultants urge the remaining 30% to switch to MFA immediately.
The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected.
In an official announcement, Mayank Upadhyay, Google Cloud’s VP of Engineering and Distinguished Engineer, stated that Google will implement mandatory MFA in a phased approach throughout 2025 and will provide assistance to help plan MFA deployments.
We’ve been strong advocates for our MFA system for over a decade, and we’re here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That’s why we’re rolling out mandatory MFA in phases.
Mayank Upadhyay, Google Cloud’s VP of Engineering and Distinguished Engineer (Source)
The Phased Approach
The first phase will start in November 2024, and its role will be to encourage MFA adoption. Google will post helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan rollout, conduct testing, and smoothly enable MFA for users.
The second phase will begin early next year and Google will start requiring MFA for all new and existing Google Cloud users who sign in with a password. You’ll see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. To continue using these tools, you’ll need to enroll in MFA.
The third and final phase will take place at the end of 2025 when Google will extend the MFA requirement to all users who federate authentication into Google Cloud. You’ll have flexible options to meet this requirement.
Why Is Google Requiring MFA for Google Cloud?
In the announcement blog post, the company stated that it is pushing MFA so that users are better protected.
We’ve always prioritized protecting your identity in order to keep your account and sensitive information safe, and we use a variety of risk-based signals to quickly detect if an account is compromised and subsequently help users restore it securely.
Google (Source)
Google pioneered consumer-scale MFA in 2011 with the launch of 2-Step Verification (2SV) for millions of users. While 2SV was effective at protecting accounts from stolen passwords, the company knew it needed to provide even stronger protection against more sophisticated attacks. It took that step in 2014 with the introduction of phishing-resistant Security Keys for Google Accounts and the development of passkeys.
Strong evidence supporting this change comes from U.S. government agencies as well as from Google’s own experience. According to research by the Cybersecurity and Infrastructure Security Agency (CISA), MFA reduces user vulnerability by 99%, which is a compelling argument for switching.
Google provided a guide on how to enable 2SV here.