Google Cloud to roll out mandatory MFA for all users

Google is rolling out mandatory MFA requirements for all cloud users as identity-based attacks continue to rise.

In a blog post on Monday, Mayank Upadhyay, vice president of engineering at Google Cloud, detailed the company's three-phase plan to implement mandatory MFA across Google Cloud services. Phase 1 begins this month, and Phase 3 is scheduled to be completed by the end of 2025.

While the tech giant previously implemented two-step verification (2SV) for Google user accounts by default in 2021, Upadhyay said it's increasingly important to secure cloud services as well by requiring MFA for all users. Several high-profile attacks this year, including the Snowflake database breaches, have targeted and exploited accounts that lacked MFA protection.

In Monday's blog post, Upadhyay added that 70% of Google users already use MFA to protect their accounts.

"Today, there is broad 2SV adoption by users across all Google services. However, given the sensitive nature of cloud deployments -- and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team -- we believe it's time to require 2SV for all users of Google Cloud," Upadhyay wrote in the blog post.

To make the transition to mandatory MFA easier for users, Phase 1 focuses on building awareness. Google will send out notifications and information to help users plan their rollout and conduct testing. Phase 2 will begin early next year when Google starts to require MFA for password logins. Upadhyay said if users want to continue using tools such as Google Cloud Console, Firebase Console, GCloud and other platforms, they will be required to enroll in MFA.

Phase 3 is scheduled for the end of 2025 when MFA will be required for all those using federated authentication to access Google Cloud. Upadhyay said Google is working with unnamed third-party identity providers to make the final transition easier.

While the cybersecurity industry has pushed MFA for years, recent attacks show that it's increasingly important to implement. For example, earlier this year, the BlackCat/Alphv ransomware group breached UnitedHealth's Change Healthcare through a Citrix portal that did not have MFA enabled. Change Healthcare ultimately paid a $22 million ransom, and downstream customers suffered significant fallout.

Google is the latest cloud provider to implement mandatory MFA for sign-ins to its services. In August, Microsoft announced that it would require MFA for Azure cloud services; the two-phase rollout will be completed in early 2025. In 2023, AWS announced that it would begin requiring MFA for all privileged accounts.

TechTarget Editorial contacted Google for further comment regarding the timing of the mandatory MFA rollout. A Google spokesperson echoed the blog post and said the company is implementing new security measures to help users reduce risk in an evolving threat landscape.

"MFA serves as a critical component of modern cybersecurity frameworks and significantly reduces the risk of unauthorized access. We recognize that change can take time, which is why we are rolling out a phased approach. We are committed to working with our customers to enable a smooth transition over a period of multiple quarters," the Google spokesperson said.

Todd Thiemann, a senior analyst at TechTarget's Enterprise Strategy Group, said Google overall is a strong advocate of MFA. He pointed to the company's role in helping to drive the FIDO Alliance, which promotes passwordless authentication methods such as passkeys.

Thiemann added that MFA is the best way to protect identities and sensitive information, but he anticipates that Google could face challenges with the transition.

"The industry has applied MFA for the workforce and frequently focused on privileged users like admins with privileged access to systems. Google is taking the next step of applying mandatory MFA for all users of Google Cloud. Given the magnitude of technology surface that this covers and the shift in user behavior it requires, a phased deployment approach makes sense," Thiemann said. "Google will need to navigate nuances like enabling MFA with a primary identity provider before accessing Google Cloud -- Google and the identity providers need to ensure standards facilitate a smooth handoff."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.