Google implements mandatory MFA and passkey expansion for cloud security

Google recently announced that it will require multi-factor authentication (MFA) for all Google Cloud accounts starting in early 2025. This change affects both corporate and individual Google Cloud users, as Google steps up its efforts to combat cybersecurity threats across its platforms.

The implementation of MFA is being rolled out in phases with the first phases beginning this month with reminders and information in the Google Cloud console. By early next year, Google will require MFA for all new and existing Google Cloud users who sign in with a password, and by the end of 2025, Google says it will extend the MFA requirement to all users who federate authentication into Google Cloud.

With MFA, Google Cloud users will need to verify their identity through an additional factor beyond their password, such as a one-time code or biometric verification. Google has provided a range of MFA options, including Google Authenticator and various third-party authentication apps. For enterprises, this will involve updating security policies and educating employees on new authentication requirements. Additionally, administrators will have access to Google Cloud’s identity and access management (IAM) resources to aid the transition.

The company’s blog post on the subject emphasizes the pressing need for enhanced security protocols, especially given the sensitive data handled on Google Cloud. “We’ve always prioritized protecting your identity in order to keep your account and sensitive information safe, and we use a variety of risk-based signals to quickly detect if an account is compromised and subsequently help users restore it securely,” the company notes.

Google is not the only one. Tech giant Microsoft has also made MFA mandatory for Azure sign-ins, and Amazon Web Services (AWS) added passkeys to the list of supported MFA for AWS Identity and Access Management (IAM) users.

Accelerating the adoption of passkeys

In addition to mandatory MFA, Google is accelerating the adoption of passkeys in replace of passwords. Earlier this year, Google announced that it would be transitioning millions of users toward passkeys, unveiling the expansion of its Cross-Account Protection program and new updates to passkeys.

The Cross-Account Protection program is a scheme Google created for sharing security notifications, with other companies that run the non-Google apps and services its users use.

Google previously outlined seven steps it is taking to fulfill the Secure by Design Pledge, an initiative introduced by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) earlier this year. Google is among over 200 organizations that have signed onto this commitment.

A key component of Google’s security measures is MFA, along with a strong push toward passkeys for a passwordless login experience.

Article Topics

biometric authentication  |  biometrics  |  cloud services  |  Google  |  multifactor authentication  |  passkeys