Google’s cloud division has announced that it will make multi-factor authentication (MFA) mandatory for all users by the end of 2025 as part of efforts to improve account security.
“We will be phasing in mandatory MFA for Google Cloud, rolling out to all users worldwide throughout 2025,” Mayank Upadhyay, VP of Development and Principal Engineer, Google Cloud. said in the statement.
“To ensure a smooth transition, Google Cloud will provide advance notice to businesses and users along the way to help plan for MFA deployment.”
The deployment process is planned to take place in three phases starting this month and ending in 2025 –
- 1 stage (Starting in November 2024) when administrators will receive information to prepare for security updates
- Phase 2 (Early 2025) when Google starts requiring MFA for all new and existing Google Cloud users who sign in with a password
- 3 phase (Late 2025) when Google extends MFA protection to federated users
“For example, you can enable MFA with your primary identity provider before accessing Google Cloud — we’ll work closely with identity providers to ensure standards are in place for a seamless transfer,” Upadhyay said.
“Alternatively, you can add an additional level of MFA through your Google Account if you prefer to use our system.”
This comes as phishing and stolen credentials continue to be the primary means of unauthorized access to computer networks.
The announcement also follows similar moves by its cloud rivals Amazon and Microsoftwhich have also started to introduce mandatory MFA for Amazon Web Services (AWS) and Azure respectively in recent months.
In July 2024, data storage company Snowflake introduced an option that allows administrators to enforce MFA for all users following a data breach campaign that used stolen credentials for more than 165 customers.
The threat actor allegedly behind the data theft and extortion scheme, a 26-year-old Canadian named Alexander “Connor” Mooka, was arrested at the end of last month at the request of the US authorities. Another conspirator, John Erin Binns, was arrested in Turkey at the end of May 2024.
Other members of the cybercriminal gang UNC5537, which is part of a wider underground network called Com, remain at large, according to WIRELESS.
