Google Cloud has announced that multifactor authentication (MFA) will be mandatory for all user accounts worldwide by the end of 2025.
“We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025,” Google announced.
MFA adds an extra layer of security above passwords, ensuring that user accounts remain secured if passwords are compromised.
Despite hackers’ persistent efforts to bypass MFA, CISA notes that the additional layer of security provided by multi-factor authentication protects user accounts 99% of the time.
Google Cloud rolls out mandatory MFA in three phases
Nearly a third (30%) of all Google Cloud users have not activated MFA. The tech giant says it plans to enforce MFA in three phases to reduce disruptions: “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”
Starting November 2024, the Mountain View, California-based company will notify Google Cloud users to activate MFA before the deadline via helpful console reminders.
In early 2025, Google will ramp up notifications across Google Cloud console, Firebase console, and other company products.
By the year’s end, the tech giant will enforce MFA across all Google Cloud accounts while allowing users to utilize Google’s inbuilt or third-party MFA solutions.
“For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off,” the company stated. “Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.”
Google’s MFA includes passkeys introduced in 2014 which now link to biometric data and are the default sign-in option across personal Google Accounts.
Meanwhile, Google Cloud users can activate MFA by navigating to ‘security.google.com’ and clicking on ‘2-Step verification’ under the ‘How you sign in to Google’ section. However, some users could be subject to additional enterprise-level admin restrictions.
Google introduced consumer-grade MFA in 2011 via the 2-Step Verification (2SV) that most users have gradually activated across the company’s various products.
Explaining the reasons for enforcing MFA across all Google Cloud accounts, the tech colossus says the transition was necessary, “given the sensitive nature of cloud deployments – and with phishing and stolen credentials remaining a top attack vector.”
As a pioneer of multi-factor authentication, Google says it has “seen firsthand how it (multi-factor authentication) strengthens security without sacrificing a smooth and convenient online experience.
“That’s why we will soon require MFA for all Google Cloud users who currently sign in with just a password,” said Google.
Google’s move seen as significant step forward
“Google Cloud’s decision to make multi-factor authentication (MFA) mandatory by the end of 2025 is a significant step forward in securing the digital ecosystem,” said Anna Collard, SVP Content Strategy & Evangelist at KnowBe4. “As cyber threats continue to evolve, especially with phishing and credential-based attacks on the rise, MFA has become essential in protecting both organizations and users.”
Besides Google, other tech giants such as Apple and Microsoft are slowly ditching passwords for MFA solutions such as passkeys and FIDO keys in line with the FIDO Alliance and the World Wide Web Consortium (W3C) standards.
Global MFA adoption will allow users to authenticate across accounts, apps, and websites, regardless of the provider using stored passkeys and even “nearby” devices.
It will also eliminate passwords, which are vulnerable to various exploits including cracking, brute force, and credential-stuffing attacks.
“This news from Google, to enforce MFA on all Google Cloud accounts is a good move for Google Cloud Service customers and brings them in line with a similar policy that Microsoft has enabled for its Azure Accounts,” remarked Darren James, a Senior Product Manager at Specops Software. “However, this won’t affect regular users with Google accounts or Gmail users, only elevated accounts will be enforced.”
“Also don’t forget that not all MFA or second factors are equal,” James warned. “SMS one-time passcodes for example aren’t regarded as secure by NIST, so when choosing your 2nd factor, make sure you use something that is strong like a Biometric or an authenticator App or a physical security key.”

