Google Cloud is increasing its security requirements, rolling out mandatory multi-factor authentication (MFA) beginning next year.

Companies have been increasingly relying on MFA to bolster cybersecurity by confirming the identity of authorized users. Google first introduced SMS-based MFA in 2011 and has been ramping up its support in the years since.

Beginning in 2025, however, the company will require MFA for Google Cloud users. The company made the announcement in a document outlining the company’s security measures.

In 2023, Google enforced MFA for all Workspace reseller administrator accounts, and started enforcing MFA for customer administrator accounts as well. For Google Cloud, additional efforts to increase MFA adoption are underway, moving to a model requiring MFA for all users. Near the end of 2024, Google Cloud will be encouraging all customers to enroll and enable MFA via in-console messaging. Starting in 2025, Google will roll out mandatory MFA enforcement for all Google Cloud users that log in with a password. Finally, later in 2025, Google will roll out MFA enforcement for all users who federate authentication to Google Cloud.

Google also touts the work it has done to enroll its customers in into account-level MFA since 2021.

Since 2021, Google has automatically enrolled over 400 million consumer accounts into MFA. Additionally, Google also requires MFA for any sign-in session that appears out of the ordinary to our risk engine, irrespective of whether the user is specifically enrolled in MFA. In practice, this means MFA is available, and in use, free of charge to all users who have a phone number or other means of verification on file. More than 70% of Google Accounts, owned by people regularly using our products, automatically benefit from this feature.

As cybersecurity threats continue to rise, security features like MFA will become increasingly important. Google Cloud’s decision to make it mandatory should go a long way toward protecting users.