Google Cloud to Mandate Multifactor Authentication  End of 2025

As part of the considerable steps taken to fortify security in its cloud platform, Google is making all users in its Google Cloud adopt multi-factor authentication by the end of 2025. This measure is part of a broader campaign against a threat that phishing attacks as well as stolen credentials bring to its customers.

Recently, Vice President of Engineering and Distinguished Engineer at Google Cloud Mayank Upadhyay made the confirmation in a statement regarding the development, stating that “We will start phasing in mandatory MFA for Google Cloud, to all users globally, during 2025.” He adds that Google Cloud will do it in phases so that when businesses or individuals begin to transition to an MFA type security, it won’t be a shock since Google will make sure it’s done with much notice and proper support given.

Mandatory MFA will be rolled out in three phases starting from November 2024, ending by the end of 2025:

Phase 1: Preparations Begin (Starting November 2024)

This first phase will be effective from this November. Google Cloud will start informing the administrators of the changes and give them the lead on how to prepare for the transition into MFA. The first phase will empower the organizations with all the tools and information that would enable them to smoothly and effectively implement the security upgrade.

Phase 2: MFA Requirement for All Users (Early 2025)

Starting in early 2025, Google will require MFA for all new and existing Google Cloud users to log into their account using a password. Users of cloud accounts will have to complete one more step to authenticate besides just providing the password itself. The company has confirmed this as an enforcement policy whereby everyone will be required to have a method for setting up MFA to maintain access to accounts.

Stage 3: Federated Users Integrated by the End of 2025

The final deployment phase for MFA will be at the end of 2025, where Google will further extend the requirement to federated users. Federated users are those who do not log in using Google credentials but, instead, access Google Cloud services from third-party identity providers. To ensure a smooth integration and allow federated users to use MFA with security, Google will coordinate with such identity providers.

Google is also allowing customers a little flexibility in what the installation of MFA does within their organization. Specifically, firms already managing employee access by a single primary identity provider – such as Okta or Microsoft Active Directory – can add MFA across all of Google Cloud before any user’s account is accessed. Users who want to instead leverage Google’s particular system for MFA can make that system add additional protection directly to their accounts through Google itself.

This occurs at a time when security breaches, especially those induced by stolen credentials, are becoming increasingly common. Phishing attacks, or the art of convincing a user to give away passwords or other sensitive information, is still one of the most effective tactics used by cybercriminals. Google is launching MFA, which requires a user to input two or more verification steps to authenticate their identity, including using a password and a mobile authentication code, to cut the risks posed by stolen or weak passwords.

A Reaction to Growing Threats

This is part of a trend within the cloud industry: Amazon and Microsoft, the main competitors, are making efforts to improve account security. Recently, AWS and Microsoft Azure have imposed identical strong policies for mandatory MFA in the face of growing rates of cyberattacks exploiting compromised credentials. This is a direct response to several high-profile data breaches, revealing the need for another security layer on cloud-based services.

Indeed, Google announced its move just a few months after data warehousing company Snowflake faced a major security incident. It had to introduce mandatory MFA for all users after suffering a major data breach in 2024. This is because the breach was reportedly caused by a cybercriminal gang that exploited stolen credentials from over 165 customers. According to sources, the attack has been attributed to a collective identified as UNC5537, though the main suspect is the 26-year-old Canadian hacker Alexander “Connor” Moucka, who was arrested on the last days of October in 2024 in association with the breach. An accomplice, John Erin Binns, was captured early in the year from Turkey.

The theft of sensitive data from companies like Snowflake and others has highlighted the vulnerabilities that exist in relying solely on passwords for account protection. As part of their defense against such threats, both Google and its competitors are putting emphasis on MFA as an essential tool in minimizing the risks associated with compromised credentials.

Industry-Wide Effort to Strengthen Security

Google Cloud has recently mandated MFA for all users. This is a reaction to the growing sophistication of cyberattacks but also part of the trend in the industry towards standardizing security practices. Cloud service providers are increasingly put on the spot to protect the data of their customers and prevent unauthorized access. This step aligns with the continued pursuit from other major techs toward creating a set of the best practices on securing online service especially now that cloud computing picks pace, and businesses relocate their sensitive data to the Cloud environments.

Mandatory MFA’s intention is to make it much more difficult than it currently is, in cases of getting somebody’s password for an unauthorized user accessing the system. MFA often relies on two kinds of information: what the user knows (a password), what the user possesses (for example, a cell phone or a security token), or even a biometric factor that could include a fingerprint or a face. This makes it much more difficult for attackers to gain access to the accounts.

 Planning for the Transition

The search giant has committed resources to assist customers and organizations in facilitating the transition to MFA. Business customers will be informed in advance regarding what to expect and also be provided with instructions on how to introduce MFA among their teams. Users can expect similar guidance regarding how to set up MFA for their Google Cloud account.

While the move to make MFA mandatory does require some adjustments, it is expected to enhance security significantly. Google has taken steps to protect its users against the growing number of cyber threats, and this new policy represents a proactive approach toward securing cloud-based services.

Starting 2024, as the compulsory rollout of MFA begins, it can be seen that securing the cloud infrastructure will be a key area of focus for Google and other major cloud providers going forward. The all-pervasive implementation of MFA is an indication of the fact that the industry is acknowledging the changing landscape of threats and is now ready to act to protect its users and their data., 

source: Wired