Google Cloud: MFA Will Be Mandatory for All Users in 2025
2024-11-7 04:44:3 Author: securityboulevard.com

Google is making multi-factor authentication (MFA) mandatory for all Google Cloud users in a phased rollout that starts this month and should be complete by the end of 2025.

Already, about 70% of Google Cloud users have adopted MFA for their accounts and now the company wants to give a shove to the other 30% to do the same, according to Mayank Upadhyay, vice president of engineering and Distinguished Engineer at Google Cloud.

“We’ve seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience,” Upadhyay wrote in a blog post announcing the initiative. “To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments.”

It’s the latest effort by Google to enhance the security of Google account holders who right now are using only passwords to authenticate their identity. Passwords have long been viewed as highly insecure, from people using the same password for multiple online accounts and storing passwords in easily discovered places to bad actors being able to easily brute-force their way past them.

Upadhyay pointed to a YouTube video by CISA Director Jen Easterly explaining that having MFA in place makes it 99% less likely that a user will have their account hacked.

Microsoft Also Mandating MFA for Azure

Google isn’t the only cloud provider to make MFA mandatory for its users. Microsoft in August announced a similar plan to make it mandatory for its Azure cloud accounts, starting last month with users signing into the Azure portal and the Entra and Intune administrator centers.

The first phase of Google’s rollout starts this month, with Google encouraging the 30% of cloud users not using MFA to start getting ready. That includes finding information in the Google Cloud console that helps them raise awareness, plan a rollout, and conduct testing. It’s also a way for organizations to begin enabling MFA for their users.

Early next year, Google will start requiring MFA for all new and existing cloud users who sign in using a password. There will be notifications and guidance in a range of platforms, including the Google Cloud Console, Firebase Console, and gCloud.

Phase three will hit at the end of 2025, when Google extends the MFA requirement to all users who federate authentication into Google Cloud. The vendor will give these users options for meeting the requirement.

“For example, you can enable MFA with your primary identity provider before accessing Google Cloud,” Upadhyay wrote. “We will be working closely with identity providers to ensure there are standards in place for a smooth hand-off. Alternatively, you can add an extra layer of MFA through your Google account if you prefer to use our system.”

Stronger Protection Needed

He noted that Google in 2011 launched two-factor authentication (2FA) – what the vendor calls two-step verification, or 2SV – as an option that users could embrace, but wrote that, while it was effective, the company needed stronger protection against increasingly sophisticated cyberattacks.

“Today, there is broad 2SV adoption by users across all Google services,” Upadhyay wrote. “However, given the sensitive nature of cloud deployments – and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team – we believe it’s time to require 2SV for all users of Google Cloud.”

The move makes sense, according to Rom Carmel, co-founder and CEO of cloud access management firm Apono, who said it adds a layer of defense that will increase the costs to hackers targeting the users.

“The fact that it’s taken Google so long to make this move is a testament to the difficulty of rolling out security measures that may impact people’s productivity,” Carmel said. “Striking the right balance between security and productivity is a serious challenge that all organizations struggle with, especially when it comes to crucial elements like access to critical infrastructure.”

Is MFA Already Outdated?

However, Kris Bondi, co-founder and CEO of identity management and assurance company Mimoto, questioned whether MFA is the answer to the problem.

“MFA has evolved from being a valuable cybersecurity tool to becoming a weak link that bad actors leverage to gain access and create account takeover scenarios,” Bondi said. “It’s often misunderstood that MFA isn’t verifying a person, it’s verifying a device at a point in time. Who is holding that device isn’t guaranteed to be who you expect it to be. Second, MFA and two-factor authentication (2FA) has been in use for more than 20 years.”

The longer tools are around, the more time threat actors have to innovate against them, she said, adding that “frankly, many MFA approaches haven’t evolved much over time.”

Google is among a growing number of vendors – such as Microsoft and Apple – that are advocating for getting rid of passwords for authentication altogether in favor of such tools as passkeys. The Fast IDentity Online (FIDO) Alliance, which advocates for a passwordless future, said in a report this month that support for passkeys and other password alternatives like biometrics is growing.

Article source: https://securityboulevard.com/2024/11/google-cloud-mfa-will-be-mandatory-for-all-users-in-2025/