Google Cloud to Implement Multi-Factor Verification by 2025 for All Users

Nov 06, 2024Ravie LakshmananCloud Security / Phishing Protection

Google’s cloud unit has declared that it will compel obligatory multi-factor verification (MFA) for all users by the conclusion of 2025 as part of its endeavors to strengthen

Nov 06, 2024Ravie LakshmananCloud Security / Phishing Protection

Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users

Google’s cloud unit has declared that it will compel obligatory multi-factor verification (MFA) for all users by the conclusion of 2025 as part of its endeavors to strengthen account security.

“We will be initiating mandatory MFA for Google Cloud in a gradual manner that will be rolled out to all users across the globe by 2025,” Mayank Upadhyay, vice president of engineering and distinguished engineer at Google Cloud, stated in an announcement.

“To guarantee a seamless shift, Google Cloud will offer prior notification to businesses and users along the journey to assist in planning MFA deployments.”

The rollout strategy is projected to span through three phases, commencing this month and running until the end of 2025 –

Phase 1 (Initiating November 2024), during which admins will receive details for preparing for the security enhancement
Phase 2 (Early 2025), when Google will start mandating MFA for all new and existing Google Cloud users who log in with a password
Phase 3 (Conclusion of 2025), when Google will broaden MFA protections to federated users

“For instance, you have the option to activate MFA with your primary identity provider prior to accessing Google Cloud — we will be collaborating closely with identity providers to ensure there are protocols in place for a seamless hand-off,” Upadhyay mentioned.

“Alternatively, you can add an extra security layer through your Google account if you prefer using our system.”

This development arises as phishing and pilfered credentials continue to be the predominant methods by which malicious actors gain unauthorized entry to computer networks.

The declaration also echoes analogous actions from its cloud competitors Amazon and Microsoft, who have also commenced enforcing obligatory MFA for Amazon Web Services (AWS) and Azure, respectively, in recent periods.

In July 2024, data warehousing firm Snowflake introduced a choice that empowers administrators to institute obligatory MFA for all users post a data breach campaign that exploited pilfered credentials from over 165 of its clients.

The threat actor purportedly linked to the data theft and extortion scheme, a 26-year-old Canadian individual named Alexander “Connor” Moucka, was apprehended at the end of last month at the behest of U.S. authorities. Another co-conspirator, John Erin Binns, was detained in Turkey at the end of May 2024.

Other affiliates of the UNC5537 cybercrime syndicate, which is part of a broader underground network identified as the Com, are still at large, according to WIRED.

Found this article intriguing? Follow us on Twitter and LinkedIn to peruse more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts