Multi Factor Authentication for Google Cloud – Mandatory in 2025

Google is going to be making Multi Factor Authentication, or MFA, mandatory for all accounts on Google Cloud.  It will be rolling out in a phased approach through 2025. 

There is tons of information here but we thought some background information from a cybersecurity expert at a Google Cloud Premier Partner might be helpful.

Why Mandatory?

Put simply, Multi Factor Authentication stops an enormous percentage of cyber attacks with account compromises dead in their tracks.  And when I say enormous, MFA is the #1 way to protect your accounts, hands down.

Don’t believe me?  Here’s Google’s stats: 

In October of 2021, Google forced Gmail and YouTube users to add Multi Factor Authentication protection.   

Then, in February of 2022, Google reported, “Since last year’s initiative, we’ve successfully auto-enabled 2SV for over 150 million people, and we’ve also required it for over 2 million of our YouTube creators. As a result of this effort, we have seen a 50% decrease in accounts being compromised among those users.” (source: https://blog.google/technology/safety-security/reducing-account-hijacking/)

And Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), did a presentation called “Always Enable MFA” and stated that MFA stops over 99% of account compromises, https://www.youtube.com/watch?v=gj14IzfpFXs.

What is Multi Factor Authentication?

I define Multi Factor Authentication, also called MFA, as requiring additional information or “Factors” when you login beyond just a username and password.

Of course, that definition can be a little simplistic.  For example, with your bank ATM, they don’t use username and passwords.  Instead use “something you have” and “something you know”, specifically a Bank Card and your Pin.

There are a lot of different “factors” that can be used.  If you are interested in more of a deep dive, check out “The ‘Must-Know’ Secrets to Mastering Multi-Factor Authentication!” presentation I did for Google:

Part 1

Part 2

What is Two Step Verification or 2SV?

Two Step Verification, also called 2SV, is Google’s brand name for their implementation of Multi Factor Authentication.  2SV is a very robust and complete implementation of MFA.

How Do I Set Up 2SV?

To set up 2SV for your Google Account, you will go to https://myaccount.google.com/security and login.  From there, Google will walk you through all the steps.

When setting up 2SV, you can set up multiple factors.  You really MUST set up two of them to protect you in the event of problems so you have a backup factor but I recommend setting up all four of these factors for Google 2SV in this order:

  1. Security Key – You can purchase these Security Keys on Amazon and I recommend the Yubico brand, https://www.yubico.com/store/.  Security Keys are a physical item you use with NFC or plug into your computer’s USB port while physically touching the key.  The physical touch allows you to leave the key plug in but hackers can’t activate it because they can’t touch it.  These keys are the strongest security available with 2SV.
  2. Google Authenticator – This is a free app you can use on your smart phone that syncs with your account and after that can provide a code that rotates every minute as an additional login factor.  It’s what cybersecurity experts would call a One Time Time-Based Password (OTTP).
  3. Device Push – When you have a Google Account on your smart phone, you can also use a device push where you can trigger your device to ask you to confirm your login.
  4. Backup Codes – These are a list of codes that work just like using the Google Authenticator but they each only work once.  Print them and store them in a safe place!

These four methods have an excellent balance of usability and security.  And if you are wondering what are the two minimum factors, you should use the Google Authenticator and Backup Codes.

What if I Use an Identity Provider such as Duo or Okta?

Good question!  You’ll need to discuss with the provider how they can support MFA and follow their instructions.  Google has stated that it “will be working closely with identity providers to ensure there are standards in place for a smooth hand-off.” This phase of the roll-out is projected towards the end of 2025.

What about Protecting High Profile Individuals?

Google’s Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. We recommend it for all of your executive and financial staff especially.

What Extra Steps Should Google Administrators Take?

As administrators with elevated access, you should make sure you are following the best practices for Google Administrators.  This Google support article provides a concise list of security best practices for administrator accounts  https://support.google.com/a/answer/9011373

Need More Help?

Dito finds too many organizations spend too much time and money on discovery and assessments for cybersecurity that do not lead to success in improving their security because they identify too many issues without a good way to get started.

Don’t let perfection get in the way of progress!  Dito offers a quick discovery sessions with the goal to identify gaps and deliver a prioritized list of key items to streamline and improve your cybersecurity to give you focused, proven, and actionable recommendations.

Have questions or would like to schedule a Google Cloud Security consultation? Request a call with one of our experts.

Recent Posts

Webinar Replays

Recent Posts

Transformation happens here.

© 2024 Dito | All Rights Reserved | Privacy Policy
info@ditoweb.com
(855) 937-3486

Services
Accelerators
Company
Go to Top