Google confirmed it will require all Google Cloud customers to implement multi-factor authentication, starting this month with prompts and "helpful reminders" inside the Google Cloud console, ahead of a phased rollout starting in the new year.
The internet and cloud giant quietly introduced its MFA plans in a document published in October, although the company's VP of engineering, Mayank Upadhyay, officially announced this in a blog post this week.
"We will be mandating MFA for Google Cloud in a phased approach, which will roll out to all users worldwide during 2025," Upadhyay wrote. "Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments."
The news was long in coming, following a spate of breaches that, so far, have yielded at least 1 billion stolen records this year. To give but one example, Change Healthcare, owned by UnitedHealth, suffered a ransomware attack in February this year, a data breach in which health data was stolen from over 100 million people across the United States. It was the consequence of stolen backend credentials where MFA wasn't provided.
Data warehousing giant Snowflake also made headlines when hundreds of its customers' private data leaked online. As in the case of Ticketmaster, these breaches were due to the lack of mandatory MFA enforcement. Snowflake subsequently introduced mandatory MFA as an option for Snowflake admins, though it's still up to the customer whether to switch this on.
Ironically, as far as today's news goes, security researchers at Google-owned cybersecurity firm Mandiant worked with Snowflake to look into the data theft and concluded that the data breaches called for "universal enforcement of MFA and secure authentication."
And now Google is following the advice of its own subsidiary.
Starting in early 2025, Google states that it will require all Google Cloud users who currently sign in with a password to activate MFA; that is, they will only be able to access their Google Cloud accounts by using a secondary authentication mechanism, such as an authenticator app or a physical security key.
The requirement will extend to so-called "federated users," or those accessing Google Cloud resources through a third-party authenticator, by the end of 2025.
Google announced its measure as rival cloud giants pursued similar enforcement. AWS began the rollout of mandatory MFA as early as June, and shortly after that it was followed by Microsoft with Azure.
Note that although MFA is also of value to consumers using standard Google Accounts, it will remain optional for them. It is being made compulsory for business customers because of the higher risks enterprises face in cloud computing deployments. The company says that 70% of Google Accounts that are in regular use have what is called 2SV (two-step verification) turned on, but the feature is being made a requirement only for Google Cloud, because of those increased risks in enterprise cloud computing.
"Today, there's full 2SV uptake among users of all Google services," comments Upadhyay. "Yet as cloud deployments are especially sensitive, and phishing & stolen credentials still very much in the playbook — observed through our Mandiant Threat Intelligence group — it's time to make 2SV a requirement for Google Cloud's users broadly too."