Source URL: https://cloud.google.com/blog/products/identity-security/mandatory-mfa-is-coming-to-google-cloud-heres-what-you-need-to-know/
Source: Cloud Blog
Title: Mandatory MFA is coming to Google Cloud. Here’s what you need to know
Feedly Summary: At Google Cloud, we’re committed to providing the strongest security for our customers. As pioneers in bringing multi-factor authentication (MFA) to millions of Google users worldwide, we’ve seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience. That’s why we will soon require MFA for all Google Cloud users who currently sign in with just a password.
We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.
A phased approach to MFA
We’ve been strong advocates for our MFA system for over a decade, and we’re here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. That’s why we’re rolling out mandatory MFA in phases.
Phase 1 (Starting November 2024): Encourage MFA adoption: If you’re not already among the 70% of Google users benefiting from MFA, we encourage you to get started. Beginning this month, you’ll find helpful reminders and information in the Google Cloud console, including resources to help raise awareness, plan your rollout, conduct testing, and smoothly enable MFA for your users.
Phase 2 (Early 2025): MFA required for password logins: Early next year, we’ll begin requiring MFA for all new and existing Google Cloud users who sign in with a password. You’ll see notifications and guidance across the Google Cloud Console, Firebase Console, gCloud, and other platforms. To continue using these tools, you’ll need to enroll in MFA.
Phase 3 (End of 2025): MFA for federated users: By the end of 2025, we’ll extend the MFA requirement to all users who federate authentication into Google Cloud. You’ll have flexible options to meet this requirement.
For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we will be working closely with identity providers to ensure there are standards in place for a smooth hand-off. Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.
Mandatory MFA roll-out phases.
Why we’re requiring MFA for Google Cloud
We’ve always prioritized protecting your identity in order to keep your account and sensitive information safe, and we use a variety of risk-based signals to quickly detect if an account is compromised and subsequently help users restore it securely.
We pioneered consumer-scale MFA in 2011 with the launch of 2-Step Verification (2SV) for millions of users. We chose the name “2-Step” as a nod to the iconic Texan dance, making it a bit more approachable than the technical term “two-factor authentication.” It’s been exciting to see the industry adopt this term, embracing clear, simple language for consumer security.
While 2SV was effective at protecting accounts from stolen passwords, we knew we needed even stronger protection against more sophisticated attacks.
We introduced phishing-resistant Security Keys for Google Accounts in 2014. To make this technology more widely available, we worked with industry partners to standardize it, leading to the development of passkeys. Passkeys offer the same strong security but with added convenience, using fingerprint or facial recognition for a smoother sign-in experience.
Today, there is broad 2SV adoption by users across all Google services. However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team — we believe it’s time to require 2SV for all users of Google Cloud.
This shift is backed by strong evidence both from our own experience and from U.S. government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch.
Enable 2-Step Verification today
You can proactively enable free 2SV for your Google Account right now, by following these two steps:
Step 1: Access security settings
For consumer Google Accounts and Cloud Identity managed accounts, go to security.google.com.
(If you use federated authentication to access Google Cloud, we recommend you set it up with your identity provider. Your provider may refer to it as 2SV or MFA.)
Under How you sign in to Google, select 2-Step Verification.
If you’re using a Cloud Identity managed account and don’t see the option for 2-Step Verification, your administrator may have disabled it. Reach out to your administrator for assistance.
Step 2: Turn on 2SV
Select Turn on 2-Step Verification.
Follow the on-screen instructions to complete enrollment.
Learn more
2SV is a critical step in protecting your cloud environment from unauthorized access. We encourage all Google Cloud users to enable 2SV as soon as possible. Please refer to these resources for more information:
– Setup 2-Step Verification – User Account
– Deploy 2-Step Verification – Workspace admin
– Turn on 2-Step Verification – Android – Google Account Help
– Deploy 2-Step Verification – Cloud Identity Help
AI Summary and Description: Yes
Summary: Google Cloud is rolling out a mandatory multi-factor authentication (MFA) requirement for all users as part of their commitment to enhancing security. The phased implementation will occur throughout 2025, starting with encouraging MFA adoption, followed by mandatory enforcement for password logins and federated users. This move is supported by industry data indicating that MFA significantly reduces account compromise risk.
Detailed Description:
Google Cloud’s move to enforce MFA stems from a long-standing commitment to user security and the escalating need to protect sensitive information in the cloud environment. Here are the key aspects of this initiative:
– **Phased Implementation Approach**: Google Cloud will roll out mandatory MFA in three phases:
  – **Phase 1 (Starting November 2024)**: Users are encouraged to adopt MFA. Assistance will be provided to help raise awareness and facilitate the adoption.
  – **Phase 2 (Early 2025)**: MFA will be required for all new and existing users who log in with a password. Users will receive notifications and guidance on this transition.
  – **Phase 3 (End of 2025)**: The MFA requirement will extend to all users who federate authentication into Google Cloud.
– **Strengthening Identity Protection**: Google has a history of advocating for MFA, having pioneered consumer-scale MFA in 2011. The introduction of phishing-resistant Security Keys and passkeys further indicates its proactive stance against more sophisticated attacks.
– **Industry Validation**: The need for MFA is underscored by findings from the Cybersecurity and Infrastructure Security Agency (CISA), which found that users with MFA enabled are 99% less likely to be hacked.
– **User Guidance and Resources**: Google Cloud provides clear instructions for users to enable MFA on their accounts and assures organizational leaders of resources to manage the rollout.
– **Risk Mitigation**: The initiative aims to mitigate risks associated with stolen credentials and phishing, common attack vectors in the current threat landscape. By mandating MFA, Google Cloud aims to enhance overall security posture for its cloud service users.
Overall, the mandatory MFA rollout represents a significant advancement in security measures within cloud environments, particularly in light of ongoing threats, and underscores the trend of prioritizing user identity protection in the cloud. Security professionals should consider how similar measures can be implemented within their organizations to safeguard cloud resources.