Latest Google Cloud policy to enforce multifactor authentication across its user base is welcomed by security professionals
By Alex Scroxton, Security Editor
The cyber security community has reacted positively to Google's 4 November announcement that it will begin to enforce multifactor authentication (MFA) for millions of Google Cloud users worldwide during 2025, with the move being described as a significant step forward in securing the wider digital ecosystem.
The enhanced policies, announced earlier this week by Google Cloud vice-president of engineering Mayank Upadhyay, will see mandatory MFA rolled out to every user who currently signs in with just a password.
“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments,” said Upadhyay.
“We've been strong advocates for our MFA system for over a decade, and we're here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That's why we're rolling out mandatory MFA in phases,” he added.
The first phase, beginning this month, will see Google begin to target unprotected users with more reminders and information on MFA in their Google Cloud Console, specifically targeting the 30% of service users not already enrolled. This guidance will push organisations towards raising awareness and planning for MFA, as well as providing advice on testing processes and enablement.
From early 2025, Google will begin to require MFA for all new and existing users who sign in with a password, with notifications and guidance on this appearing throughout the Google Cloud Console, Firebase Console, gCloud, and other platforms. Those who wish to continue to use these tools will have no option but to enrol in MFA at this time.
Finally, by this time next year, MFA requirements will have been extended to all users who federate authentication into Google Cloud. There will be a number of options available to meet this requirement – organisations may choose to enable MFA with their primary identity provider prior to accessing Google Cloud, and work is ongoing to ensure there are standards and procedures in place to make this easier. Or users may wish to add extra layers of MFA through their Google accounts, if they prefer to use Google's own system.
Mandatory MFA already successful for others
Introducing mandatory MFA for cloud services is very much an idea whose time has come, and Google is not the only cloud giant to be making such moves – earlier in 2024, Microsoft announced it was introducing such a policy in the wake of a number of high-profile cyber attacks involving its users,