Google Mandates Multi-Factor Authentication for Google Cloud Users by 2025
In an effort to bolster account security, Google has announced that it will implement mandatory multi-factor authentication (MFA) for all Google Cloud users by the end of 2025. Approximately 70% of users currently use MFA to protect their accounts.
This new requirement specifically targets Google Cloud users who rely on passwords for authentication, along with all new users. However, it will not extend to general consumer Google accounts. The rollout is set to begin this month with a phased approach, culminating in full compliance by the end-of-2025 deadline.
The first phase, commencing this month, involves preparing Google Cloud administrators for the transition. During this phase, the focus will be on raising awareness, providing resources, and outlining a strategy for a successful implementation.
In early 2025, the second phase will kick off, mandating that all new and existing users who authenticate with passwords must enable MFA. Notifications and guidelines will be accessible through the Google Cloud Console, Firebase Console, gcloud, and additional platforms.
The third phase, expected to conclude by the end of 2025, will require users with federated authentication to activate MFA. Users will have the option to set up MFA through their main identity provider prior to accessing Google Cloud, or they can incorporate an additional layer of MFA via their Google accounts.
Google has emphasized its commitment to this initiative, stating that “starting this month, you’ll find helpful reminders and information in the Google Cloud console, along with resources to assist in planning your rollout, conducting testing, and smoothly enabling MFA for your users.”
The mandate for MFA adoption aligns with the recommendations set forth by the Cybersecurity and Infrastructure Security Agency (CISA) as part of its secure-by-design initiative. This shift towards mandatory MFA is gaining traction across the tech industry. For instance, Snowflake has also begun enforcing mandatory MFA requirements, while Amazon implemented similar policies for its Amazon Web Services (AWS) earlier this year. Additionally, Microsoft announced its own phased MFA rollout for Azure in August, following up on earlier measures for AWS accounts.
Microsoft’s approach mirrors that of Google Cloud, starting with MFA requirements for essential administrative portals and gradually extending to other services and tools across the Azure platform in early 2024.
Despite CISA reports claiming that MFA significantly decreases the likelihood of hacking incidents, experts warn that MFA alone may not be foolproof. Jasson Casey, CEO of Beyond Identity, noted that while mandatory MFA is crucial, it does not inherently guarantee comprehensive enterprise security, reflecting the varying levels of protection offered by different MFA solutions.
As MFA technology has evolved over the last two decades, attackers have also adapted their methods. Kris Bondi, CEO and Co-Founder of Mimoto, emphasizes that malicious actors increasingly utilize sophisticated phishing techniques that can circumvent traditional MFA measures. This has prompted organizations like NIST and CISA to advocate for the adoption of more robust, phishing-resistant MFA methodologies.
Source: www.darkreading.com