Mandatory MFA coming to Google Cloud, security consultants urge to act now


Google is implementing mandatory multi-factor authentication (MFA) for Google Cloud. While the phased approach will roll out to all users during 2025, security consultants suggest switching immediately.

Google argues that MFA strengthens security without sacrificing a smooth and convenient online experience. Already, 70% of Google users have enabled this feature.

The first phase starts in November 2024 and aims to raise awareness. Admins on Google Console will find reminders and information on how to plan the rollout, conduct testing, and smoothly enable MFA for all users.


In the second phase, which starts in early 2025, Google Cloud will require MFA for users who use passwords to log in.

“You'll see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. To continue using these tools, you'll need to enroll in MFA,” Google said.

In the final phase, by the end of 2024, the MFA requirement will be extended to all the users who federate authentication into Google Cloud.

Google Cloud will notify enterprises and users in advance along the way.

“Given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2-Step Verification for all users of Google Cloud,” the tech giant said.

Google urges users to proactively enable the free security features today. So do security consultants.

Ed Russell, CISO Business Manager at Qodea, Europe’s GCP technology consultancy, welcomes the push for MFA.

“New mandates often cause disruption within organizations. Mandatory MFA will likely follow suit as it directly impacts employees' daily access to platforms and applications. Organizations must, therefore, carefully plan their MFA transition and provide staff with dedicated training to ensure a smooth transition,” Russell said.


While lack of skills and understanding remains a crucial barrier to organizations adopting zero trust controls, Russell suggests that “now is the time for organizations to get ahead of the upcoming changes.”

“Dedicate either internal resources or external partners to achieving total MFA compliance.”

Lack of MFA has led to many breaches in the past, as malicious attackers use stolen credentials to compromise accounts. One infamous case was a data heist that affected 165 Snowflake customers.

Microsoft Azure has required mandatory MFA for administrators since July 2024.