COMMENTARY: Google announced earlier this month that it will enforce mandatory multifactor authentication (MFA) for all Google Cloud users by the end of 2025. According to Google, 70% of its users already have MFA enabled, an encouraging stat, but this new mandate promises to usher all Google Cloud customers into a new era of improved cybersecurity.
Starting early next year, Google will begin requiring MFA for all new and existing Cloud users who use a password to sign in. The next phase of the roll-out will see Google extend this MFA requirement to all users who federate authentication into Google Cloud by the end of 2025.
As an industry, we should applaud this move by Google – it’s a requirement that’s long overdue. After all, MFA has become a foundational security function that has proven essential in protecting both organizations and individual users against the rise of phishing and credential-based attacks. It’s a simple way to substantially minimize risk – by adding an extra layer of verification, MFA reduces the risk of unauthorized account access even if passwords are compromised.
I’m a firm believer that MFA should be 100% mandatory for all software and platform providers – especially for email, which continues to be the primary vector through which threat actors are launching advanced attacks.
So, if MFA is such a critical security function, why has it taken major vendors like Google until now to make it a requirement?
Many providers have historically been hesitant to enforce measures like MFA because of the perceived effort it takes to turn it on. While large enterprises have robust teams of security experts that can easily roll out and support MFA solutions, smaller businesses and the average consumer may not have the same level of technical know-how. This kind of friction can slow adoption, which has led many providers to make added security steps like MFA entirely optional.
However, Google’s MFA mandate signals a shift in this thinking. In today’s threat landscape, where attacks are getting more sophisticated by the day, we can’t afford to run our cloud applications without fundamental protection. At this point, MFA has become table stakes, and other platform providers like Microsoft would be wise to follow in Google’s footsteps. Amazon Web Services, for example, announced earlier this week a ramp-up of its mandatory MFA program. Others will follow.
I also believe that software vendors should provide MFA to their customers for free, as part of their standard baseline offering. Too many companies charge a premium for turning on basic security features like logging and single sign-on, and I commend Google for making its authenticator available to customers at no additional cost. Ethically speaking, vendors shouldn’t monetize basic security capabilities unless those features are truly cost-prohibitive to offer without additional subscription fees – and that’s rarely the case.
Cautions for organizations and users
While expanding the use of MFA will undoubtedly improve security postures at many organizations, it’s not a silver bullet. Threat actors are constantly evolving their tactics to work around defensive measures, and MFA is no exception. With more MFA solutions in place, we’ll likely see attackers respond with more MFA bypass techniques, such as session hijacking, MFA fatigue attacks, and abuse of single sign-on.
This means that organizations should implement a layered security strategy – one that absolutely includes MFA, but also incorporates products that offer added visibility and unified control across the cloud application ecosystem.
Ultimately, Google Cloud’s MFA enforcement represents a positive move for the cyber industry as it will rally more organizations, more users – and hopefully, more providers – around enhanced security for their cloud applications. And when MFA gets used in conjunction with additional security strategies, organizations and users are in the best possible position to keep their accounts safe.
Mike Britton, chief information security officer, Abnormal Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.