Thursday, November 21, 2024

Approval Granted for Google Cloud MFA Enforcement

On November 4, Google announced a major change: starting in 2025, millions of Google Cloud users will have to use multifactor authentication (MFA). This decision has sparked excitement within the cybersecurity community, and many see it as a crucial move toward strengthening digital safety.

Mayank Upadhyay, Google Cloud’s vice president of engineering, detailed the move. “We will introduce mandatory MFA gradually, so users worldwide can prepare,” he explained. Google has championed MFA for over ten years, and it is now ready to support businesses as they upgrade their security.

The rollout begins this month. Google plans to target the 30% of users not enrolled in MFA, nudging them with reminders and information about the new requirement in their Google Cloud Console. This guidance aims to raise awareness and help companies plan their MFA strategies.

Starting in early 2025, MFA will be mandatory for all current and new users who sign in with a password. Users will get advance notifications and assistance through Google’s platforms to help them adapt. Those who want to keep using Google’s services will need to enroll in MFA.

By the end of next year, MFA will apply to all users connecting through federated authentication in Google Cloud. Organizations can either enable MFA via their own identity providers or enhance their Google account security with additional MFA layers.

Other tech giants are making similar moves. Microsoft kicked off its mandatory MFA policy in October, following a series of cyberattacks targeting its users. GitHub, which introduced MFA for certain developers in 2023, reported an impressive 95% opt-in rate among contributors affected by the policy.

Mike Britton, CIO at Abnormal Security, believes Google’s move is overdue. He stated, “MFA should be mandatory for all platforms, especially email, where many threats emerge. It’s time for software vendors to include MFA as part of their standard offerings.”

Patrick Tiquet, vice president of security at Keeper Security, praised Google’s phased approach. He noted that many users resist MFA due to perceived complications. By starting with gentle reminders and gradually enforcing the change, Google is likely to improve user buy-in and minimize disruption.

Anna Collard from KnowBe4 echoed these sentiments but stressed that MFA isn’t a catch-all solution. “Effective security combines various strategies to protect data. The quality of MFA matters; phishing-resistant options, like those offered by FIDO, are much more secure than basic text or push notifications,” she pointed out.