Cloud services giant Amazon Web Services (AWS) initiates competition in the cloud sector by mandating Multi-Factor Authentication (MFA) as the standard security measure.

Cloud services giant Amazon Web Services (AWS) initiates competition in the cloud sector by mandating Multi-Factor Authentication (MFA) as the standard security measure.

Google to Enforce MFA Across All Google Cloud Accounts by End of 2025

Google is set to require multifactor authentication (MFA) by default for all Google Cloud accounts, including privileged users, by the end of 2025. The rollout will be phased to help users adapt smoothly, starting before that deadline in 2025.

This MFA mandate is aligned with strong industry and government recommendations. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the use of MFA reduces the risk of hacks by 99%. Google offers several MFA options, including passkeys with biometric data for enhanced security and ease of use.

The transition is designed to minimize friction and ease the adoption process. The requirement represents a significant step in securing access to Google Cloud services against increasingly sophisticated cyber threats.

Google's announcement follows a trend among cyber authorities in the U.S. and six other nations, who recommend MFA for all privileged users as one of the secure-by-default tactics. Google is putting itself ahead of AWS' plans, as the MFA mandate will initially apply to the most privileged users in AWS and will be gradually enforced starting in mid-2024.

AWS is requiring most-privileged users and eventually more account types to use multifactor authentication (MFA) beginning in mid-2024. Root users on AWS, who have complete access to all AWS services and resources in an account, will be required to enable MFA to sign in to the AWS Management Console.

The move makes AWS the first of the three major hyperscalers to commit to MFA baseline controls by default. Microsoft has enabled security defaults for all new Azure AD customers and is enforcing security defaults for those who haven't enabled MFA or rolled out their conditional access policies.

Corporate stakeholders want to better understand the risk calculus of their technology stacks, answering the lingering question: Are we a target? CISA is working with technology manufacturers to encourage them to develop products that are secure by design, shifting the burden from the user to the companies and manufacturers who are best equipped to understand and safeguard risks.

The push to shift the responsibility for security in technology products and services to manufacturers and vendors is a significant development in the ongoing effort to ensure products are secure by design and default. This is a positive step towards enhancing the security of cloud services for all users.

Key Points:

• Deadline: End of 2025
• Scope: All Google Cloud accounts, including privileged users
• Rollout: Phased, throughout 2025
• MFA methods: Includes passkeys, biometrics, and other options
• AWS' MFA mandate will be enforced starting in mid-2024
• AWS requires root users to enable MFA to sign in to the AWS Management Console starting in mid-2024
• Google is putting itself ahead of AWS' plans by mandating MFA for some accounts before the end of this year
• Microsoft has enabled security defaults for all new Azure AD customers and is enforcing security defaults for those who haven't enabled MFA or rolled out their conditional access policies
• CISA is working with technology manufacturers to encourage them to develop products that are secure by design, shifting the burden from the user to the companies and manufacturers who are best equipped to understand and safeguard risks.
• Federal cyber authorities are pushing to shift the responsibility for security in technology products and services to manufacturers and vendors.

1. Given the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) assertion that multifactor authentication (MFA) reduces the risk of hacks by 99%, the requirement for MFA by Google Cloud accounts is vital to ensuring privacy and cloud security against cyber threats.
2. Google's phased rollout of MFA for all Google Cloud accounts, including privileged users, signifies industry-wide acknowledgement that the responsibility for security in technology products and services should be shared with manufacturers and vendors.
3. As phishing attacks pose a constant threat to cybersecurity, the adoption of MFA and secure-by-default tactics like Google's MFA mandate in cloud services can cater to industry vulnerabilities, reducing the chances of unauthorized access due to weak passwords or phishing attempts.

Read also: