Google: Schedule set for multi-factor authentication for online accounts
Google announced it in November and now the timetable for the forced switch to multi-factor authentication for Google accounts has been set.
(Image: Tada Images / Shutterstock)
Multi-factor authentication (MFA) provides better protection against phishing or the direct use of access data from data leaks. Google announced an MFA requirement for online accounts with the company in November. It has now set the timetable.
In an article on Google's cloud, the company discusses the changes and details. According to the article, accounts protected with MFA have a 99% chance of not being cracked, which is why the company is gradually introducing the requirement for all cloud accounts to have MFA enabled.
MFA activation requirement: schedule is set
Reseller accounts are the first to be affected. Google will enforce the use of MFA for these accounts from April 28, 2025. However, reseller customer accounts are not yet affected. Private Google accounts, such as those for Gmail, will receive MFA activation from May 12 this year. Cloud identity accounts for companies that are used without single sign-on (SSO) will follow in the third quarter of the year. And finally, corporate accounts with federated authentication will be available in the fourth quarter of 2025 or even later.
Videos by heise
Google also wants to inform those affected about this change in good time. A reminder will be displayed in the Cloud Console at least 90 days before the enforced MFA and an email will be sent to those affected. Resellers and their users will receive these messages 60 days before the target date. Private customers currently receive a notification email, regardless of whether they have already activated 2FA or not. This contains a link to the security settings in the Google account. There, under "2-factor authentication", the use can be recognized –, for example, whether it has already been activated and which second factors have been stored, such as passkeys and security keys, authenticator apps or telephone numbers specified for this purpose.
The change affects access to the Google Cloud Console, the gcloud CLI and the Firebase Console. Signing in to your Google account and using Workspace or YouTube is still possible, even without MFA enabled, the company explains. Although Google Workspace, including Google Sheets and Presentations, are exempt from this change, separate MFA requirements apply. Google recommends that all users activate MFA now and urgently inform themselves about the upcoming two-step verification requirements for all Google products they use. However, at least for private users, there seems to be no way around it. For enterprise customers, however, Google is looking into whether there will be a "deactivation program" for the MFA requirement. Further details can be found in the FAQ section of the article linked above.
At the beginning of last November, Google announced that users of the Google Cloud Platform (GCP) would need another code in addition to their password and user name to log in. The purpose of introducing MFA was to curb account takeovers. However, the company only gave a very rough timetable, which has now been specified.
(dmk)
