Google Cloud plans to enforce multifactor authentication (MFA) for all users by the end of 2025. The initiative, which began last year for administrator accounts, aligns with similar efforts from AWS and Microsoft. By late 2025, the three largest cloud service providers — AWS, Microsoft Azure, and Google Cloud — will have mandatory MFA policies for a significant portion of their customer base.
These collective changes across major cloud platforms support the Cybersecurity and Infrastructure Security Agency’s (CISA) drive to enhance security by transferring part of the responsibility from customers to service providers. MFA forms a core component of CISA’s “secure-by-design” framework, a set of principles the major cloud providers have committed to integrating into their services.
Google Cloud’s decision reflects strong evidence gathered from both internal assessments and U.S. government agencies, indicating that implementing MFA significantly reduces the risk of unauthorized access. CISA data suggests that users are 99% less likely to be compromised when MFA is in place.
Earlier in the year, AWS began its MFA mandate for accounts with the highest privileges and expanded this requirement in June as part of a phased rollout. Microsoft also introduced an MFA requirement for all Azure sign-ins starting in October and plans to extend this requirement to additional services in early 2025.
The move towards a universal MFA mandate by the top cloud providers underscores the increasing emphasis on enhanced user security and a collective shift towards more robust authentication standards.