Google has confirmed plans to require all Google Cloud customers to use multi-factor authentication (MFA). The process begins this month and will embed prompts and “helpful reminders” within the Google Cloud console before it goes into effect in stages starting in the new year.
The internet and cloud giant quietly announced its MFA plans in a document published in October, but Mayank Upadhyay, the company's vice president of engineering, formally announced it in a blog post this week.
“We plan to implement mandatory MFA in Google Cloud in a phased approach and roll it out to all users globally in 2025,” Upadhyay wrote. “To ensure a smooth transition, Google Cloud will provide advance notice to businesses and users along the way to help plan for MFA adoption.”
This news, arguably the first in a while, comes amid a spate of data breaches that have so far seen at least one billion records stolen in 2024. As an example, healthcare giant Change Healthcare, part of UnitedHealth, was hit by a ransomware attack in February that resulted in a data breach in which the health data of more than 100 million people in the United States was stolen. The cause? Stolen backend credentials that were not protected by MFA.
Meanwhile, data warehousing giant Snowflake also made headlines after the personal data of hundreds of its customers (including Ticketmaster) was leaked online. These breaches were also caused by a lack of enforcement of mandatory MFA, and Snowflake has since introduced mandatory MFA as an option for Snowflake administrators, who may or may not turn it on. It's still up to the customer.
Ironically, or at least relevant to today's news, security researchers at Google-owned cybersecurity company Mandiant, who worked with Snowflake to investigate the data theft, concluded that the data breach highlights the need for “universal application” of “…MFA and secure authentication.”
So Google is now following the advice of its own subsidiary.
Google has announced that starting in early 2025, all Google Cloud users who currently log in with a password will be required to enable MFA. This means that users can only access their Google Cloud account by using a secondary authentication mechanism, such as an authenticator app or a physical security key.
By the end of 2025, this requirement will be extended to so-called “federated users,” which refers to users who access Google Cloud resources through third-party authentication systems.
Google's announcement follows similar enforcement at rival cloud giants. AWS began rolling out mandatory MFA in stages in June, and Microsoft followed suit with Azure soon after.
Consumers can also benefit from MFA with standard Google Accounts, but note that this remains optional and users can enable or disable this feature at their whim. The company says that 70% of Google accounts (at least those that are used regularly) have something called two-step verification (2SV) enabled, but the mandate applies only to corporate customers, because of the increased risk that comes with enterprise cloud deployments.
“Currently, we are seeing widespread user adoption of 2SV across all Google services,” Upadhyay said. “However, given the sensitive nature of cloud deployments, and given that phishing and credential theft remain the primary attack vectors observed by the Mandiant Threat Intelligence team, I think the time has arrived to mandate 2SV for all Google Cloud users.”