Google Cloud on Tuesday announced a mandatory multi-factor authentication (MFA) rollout for all users who currently sign in with just a password.
Currently, 70% of Google users have their accounts protected by the additional authentication layer, but Google Cloud is pushing all accounts to take advantage of the extra protection and will begin a phased implementation this month.
Initially, Google Cloud plans to deliver reminders to enterprises to get started on rolling out MFA for their users. “Beginning this month, you’ll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users,” according to a Google statement.
Beginning early 2025, MFA will become mandatory for all new Google Cloud users, as well as for existing users who sign in with a password.
Users will be receiving notifications and guidance through the Google Cloud Console, the Firebase Console, gCloud, and other platforms, requiring them to enroll in MFA to continue using those tools. The final phase, expected to be completed by the end of 2025, will require MFA for all users who federate authentication into Google Cloud.
The company said sers will have the option to enable MFA with their primary identity provider before accessing Google Cloud, but will also have the option to add an extra layer of MFA through their Google accounts.
“We’ve always prioritized protecting your identity in order to keep your account and sensitive information safe, and we use a variety of risk-based signals to quickly detect if an account is compromised and subsequently help users restore it securely,” Google Cloud added.
The company’s first incursion into MFA was in 2011, when it introduced 2-step verification (2SV) for millions of users. In 2014, it introduced phishing-resistant security keys that led to the development of passkeys, which allow users to sign-in with fingerprint or facial recognition.
Related: MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short
Related: Seeing Is Believing… and Securing
Related: Most Attack Paths Are Dead Ends, but 2% Lead to Critical Assets: Report
Related: How Bot and Fraud Mitigation Can Work Together to Reduce Risk