Don't have MFA on a Google Cloud account? You'll have to from Jan

Google Cloud is the latest to take the decision away from customers and enforce the use of multi-factor authentication (MFA) for all users to improve the security of the minority that don't already have it enabled.

The company's phased approach has already begun but starting in January, the roughly 30 percent of Google Cloud customers that still rely on a password only for account authentication will be forced to enable an MFA solution.

For the next two months, Google Cloud will be pushing reminders about the impending change to MFA-less users, along with links to resources to make the rollout easier for organizations who need a little extra support.

"At Google Cloud, we're committed to providing the strongest security for our customers," the company blogged today. 

"As pioneers in bringing multi-factor authentication to millions of Google users worldwide, we've seen firsthand how it strengthens security without sacrificing a smooth and convenient online experience. That's why we will soon require MFA for all Google Cloud users who currently sign in with just a password."

The final phase of the rollout is slated to begin at the end of next year. After the password-only crowd, all customers who used federated authentication for Google Cloud will also be roped into enabling MFA.

There will, however, be some flexibility for these customers. Google Cloud said it's working with the major identity providers so that MFA can be enabled on their side and that will satisfy the company's new MFA requirements, or customers can choose to enable it on Google's side, whichever is the preferred option.

Google introduced consumer-grade 2FA for users in 2011 and since then has developed it further to phishing-resistant security keys, which latterly evolved into passkeys. 2FA isn't mandatory for consumer accounts, although Google said it's widely used, and Google Cloud customers are most likely hosting more sensitive data anyway, which necessitates greater security controls.

"Today, there is broad [two-step verification (2SV)] adoption by users across all Google services. However, given the sensitive nature of cloud deployments – and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team – we believe it's time to require 2SV for all users of Google Cloud.

"This shift is backed by strong evidence both from our own experience and from U.S. government agencies. The Cybersecurity and Infrastructure Security Agency (CISA) found that MFA makes users 99% less likely to be hacked, a powerful reason to make the switch."

Google Cloud's move follows that of Amazon which last week announced MFA as an account security option for WorkMail customers for the first time, eight years after the enterprise email service launched.

Its cloud arm, AWS, also announced over the summer its intention to force MFA on customers, but only for privileged accounts. The approach was similar to that of Microsoft, whose execs confirmed in May that its policy would only apply to Azure admins.

Snowflake said it too would be mandating MFA for all users in July, although this was essentially forced on the company after a swathe of account break-ins were attributed to users lacking the extra authentication security.

Regardless of the motivations behind the respective companies' decisions to enforce MFA on more customers, doing so is always a step forward in security. 

The prevailing advice from all corners of the infosec industry is to enable it as widely as possible – it's one of the most effective ways of preventing breaches.

• Snowflake lets admins make MFA mandatory across all user accounts
• Cloud threats have execs the most freaked out because they're not prepared
• AWS is pushing ahead with MFA for privileged accounts. What that means for you ...
• Microsoft gives Windows admins a break and MFA a hard push

It's something that should ideally be adopted across the wider industry and not just at the big tech companies given that cybercrims have targeted cloud customers on an increasing basis for years now, with researchers citing chunky year-on-year increases in targeting attempts. 

A report from PwC released in September found that cloud-based threats were at the very top of CISOs' list of fears mainly due to their organizations not being set up to defend against them – an even greater fear than ransomware for many.

Similarly, Microsoft's research into Storm-0501, a double trouble group which both breaches cloud environments and uses ransomware, showed that its methods could all be stifled heavily by enabling MFA. It serves as a case study showing how effective additional account controls can be for organizations defending against the most sophisticated cybercriminals. ®