Google has confirmed its plans to introduce mandatory multi-factor authentication (MFA) for all Google Cloud users. The process will begin this month with prompts and reminders appearing in Google Cloud Console, and gradual implementation of the new requirement will begin early next year.
Although Google previously mentioned MFA plans in a document published in October, an official announcement from the company’s VP of engineering, Mayank Upadhyay, was made this week on Google’s blog.
“We will be rolling out mandatory MFA for Google Cloud in stages, and this requirement will apply to all users worldwide throughout 2025,” Upadhyay wrote. “To ease the transition, Google Cloud will notify businesses and users in advance to help them prepare for MFA deployments.”
This long-awaited change is driven by the rise in data breaches, including incidents in which over 1 billion records were stolen in 2024 alone. For instance, in February, a ransomware attack on Change Healthcare, a UnitedHealth subsidiary, compromised the medical data of over 100 million people. The cause? Stolen login credentials that were not protected by MFA.
A similar incident occurred with Snowflake, where data from several clients, including Ticketmaster, was leaked. In response, Snowflake made MFA available for administrators, though its use remains at the client’s discretion.
Ironically, security specialists from Google’s cybersecurity subsidiary Mandiant helped Snowflake investigate the data theft and concluded that this incident highlights the need for universal MFA and secure authentication.
Now, Google has decided to follow Mandiant's recommendations and make MFA mandatory. Starting in 2025, users who log in to Google Cloud with a password will be required to use a secondary authentication method — for example, an authenticator app or a physical security key. By the end of 2025, this requirement will also extend to federated users who log in via third-party authentication services.
This move by Google follows similar actions taken by competitors — AWS began rolling out mandatory MFA in June, and Microsoft soon followed suit with Azure.
Standard Google account holders will still be able to enable MFA at their discretion, as this remains an option rather than a requirement. Google noted that 70% of active accounts already use two-step verification (2SV); however, unlike corporate clients, consumers won’t be required to use it. This is due to the increased risks associated with corporate cloud deployments.
“Today, two-step verification is widely used across all Google services,” Upadhyay noted. “But given the sensitive nature of corporate cloud solutions, and the fact that phishing and credential theft remain major threats, as identified by our Mandiant Threat Intelligence team, we believe it’s time to make two-step verification mandatory for all Google Cloud users.”