Google Cloud to Make MFA Mandatory by the End of 2025

Google Cloud has announced plans to require multi-factor authentication (MFA) for all users, with prompts and reminders starting this month. This marks the beginning of a gradual enforcement process, with full implementation scheduled for early 2025.

The announcement, made official by Google VP of Engineering Mayank Upadhyay, follows a recent internal document release in October. Upadhyay emphasized a phased rollout worldwide to ease the transition for users, with proactive notifications to help organizations prepare.

This move comes in response to a rise in data breaches in 2024, which exposed over a billion records, often due to compromised credentials unprotected by MFA. For instance, a ransomware attack on healthcare giant Change Healthcare exposed data on over 100 million Americans, underscoring the risks of weak authentication.

Other companies like Snowflake have faced similar security incidents, resulting in the exposure of sensitive client data. Though Snowflake introduced optional MFA for admins after the breach, lack of universal enforcement left gaps in security. Google-owned cybersecurity company Mandiant, which investigated the breach, echoed the need for universal MFA.

Now, Google is following this advice: in 2025, all Google Cloud accounts will require a secondary form of authentication, such as an authenticator app or security key, to enhance data security across its cloud platform.