Google’s new 2FA update alert – act now, the clock is ticking

Update, November 7, 2024: This story, originally published on November 6, now includes comments from multiple security experts on the mandatory Google Cloud 2FA decision.

If you're one of the 30% of Google Cloud users who currently only log in with a password, security will be significantly increased. Google is now “encouraging” users to take advantage of two-factor authentication with “useful reminders.” From the beginning of 2025, this funding will become a mandatory requirement for the use of 2FA for all new and existing customers who log in with a password. Here's what you need to know:

ForbesGoogle takes first place in the world as AI finds 0-day vulnerabilityFrom Davey Winder

Google wants to make 2FA mandatory for cloud users in 2025

In a November 5 announcement, Mayank Upadhyay, vice president of engineering at Google Cloud, dropped a security bombshell: Mandatory 2FA for all Google Cloud users will be phased in throughout 2025, sooner than you can imagine .

As part of its commitment to provide customers with the utmost security, Upadhyay confirmed that Google has seen first-hand how 2FA “strengthens security without sacrificing a smooth and convenient online experience.” Because of this, the announcement continues, 2FA will soon be required for all Google Cloud users who log in with a password. During the transition period, Upadhyay said, Google Cloud will notify users in advance so that 2FA deployments can be properly planned.

A phased approach to mandatory Google 2FA – but the clock is ticking

Google has stated that it is taking a phased approach to the mandatory 2FA requirement for Google Cloud users; Here's what that means in practice. The three-stage implementation begins immediately with phase one: Google encourages users to adopt 2FA now if they currently log in with a password and are not already among the 70% of users who have implemented 2FA protection.

ForbesNew Gmail security alert as a 10-second hacker attackFrom Davey Winder

Phase two is scheduled to begin in “early 2025,” although Google has not yet confirmed an actual date for the 2FA deployment effort. However, we know that all new and existing Google Cloud users who sign in with a password must implement 2FA. No ifs and buts; It is a mandatory requirement for the future. Notifications appear in Google Cloud Console, Firebase Console and gCloud, with Upadhyay warning that you will need to register with 2FA to continue using these tools.

The final phase, we're told, will take place by the end of 2025 and will extend the mandatory 2FA requirement to those who currently use federated authentication when signing in to Google Cloud. “You have flexible options to meet this requirement,” the announcement confirmed. This seems to mean that you can enable 2FA with the primary identity provider before accessing Google Cloud itself, or add an additional layer of 2FA security through the Google system using your Google Account.

ForbesNew Cyberattack Warning: Confirming You're Not a Robot Can Be DangerousFrom Davey Winder

Don't wait, enable 2FA for your Google Cloud account today

The truth is that 2FA has been accepted and adopted as an essential security measure across most Google services. This is nothing new in terms of a well-known security benefit for Google users. However, Upadhyay said: “Given the sensitivity of cloud deployments – and with phishing and stolen credentials continuing to be a key attack vector that our Mandiant Threat Intelligence team monitors – we believe it is time to bring 2FA to all users To demand Google Cloud.” To be honest, it's hard to imagine a reasonable argument against this opinion. You know what to do, Google users: implement 2FA sooner rather than later.

Security experts cautiously welcome the mandatory Google Cloud 2FA decision

“Google Cloud’s decision to make multi-factor authentication mandatory by the end of 2025 is a significant step forward in securing the digital ecosystem,” said Anna Collard, evangelist at KnowBe4, adding: “However, MFA stands alone no problem.” The silver bullet: Effective security relies on a layered defense approach that combines multiple strategies to protect assets and data.”

ForbesCyberattack warning as hackers exploit AI and Gmail in new campaignFrom Davey Winder

“Unfortunately, attacker methods are quickly adapting to this increasing MFA prevalence. In fact, breach data shows that 89% of compromised accounts have MFA enabled,” warned Chris Fuller, senior director of technical field operations at Obsidian Security. “The accessibility of phishing.” “As-a-service toolkits like Mamba, which can be purchased for $250 a month, as well as non-human identity compromises, suggest that identity compromises will continue regardless.”

“Google’s phased rollout makes it easier for users to get started with the new requirements, as MFA can face resistance due to perceived friction in the user experience, especially if implemented abruptly,” said Patrick Tiquet, vice president of security and compliance at Keeper Security. “However, organizations using Google Cloud must also plan for implementation within their workforce,” Tiquet continued. “Employee training on the importance of MFA will be critical and tools such as a password manager can ease adoption by securely storing and completing MFA codes.”