Dive Brief:
- Google Cloud is mandating multifactor authentication for all users, the company said in a Monday blog post. It will roll out MFA in phases through the end of 2025.
- The hyperscaler said it will start encouraging users to enroll in MFA this month. More than 70% of Google accounts owned by people who regularly use its products already use MFA, the company said.
- Google Cloud said it will require MFA in early 2025 for all users who sign in to their account with a password. By the end of next year, the MFA requirement will extend to all users who federate authentication into Google Cloud via identity providers.
Dive Insight:
Google Cloud’s wholesale adoption of MFA, which began in earnest for administrator accounts last year, follows similar measures by AWS and Microsoft. The three largest cloud providers — AWS, Microsoft Azure and Google Cloud — will have MFA mandates in place for some or all customers by the end of next year.
The collective access policy changes across cloud providers mark a significant boost to, and endorsement of, the Cybersecurity and Infrastructure Security Agency’s efforts to shift security responsibility from customers to vendors. MFA is a core tenet of the agency’s secure-by-design initiative, a set of goals all three hyperscalers pledged to adopt in their processes and products.
“This shift is backed by strong evidence both from our own experience and from U.S. government agencies,” Mayank Upadhyay, VP of engineering and distinguished engineer at Google Cloud, said in the blog post announcing the MFA mandate. “CISA found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch.”
AWS began mandating MFA for its most-privileged users earlier this year and initiated a more expansive, phased rollout in June.
Microsoft kicked off its MFA mandate for all Azure sign-ins in October, and the company said it will phase in MFA at sign-in for additional services in early 2025.