The cyber security community has reacted positively to Googles 4 November announcement that it will begin to enforce multifactor authentication (MFA) for millions of Google Cloud users worldwide during 2025, with the move being described as a significant step forward in securing the wider digital ecosystem.The enhanced policies, announced earlier this week by Google Cloud vice-president of engineering Mayank Upadhyay, will see mandatory MFA rolled out to every user who currently signs in with just a password.We will be implementing mandatory MFA for Google Cloud in a phased approach that will roll out to all users worldwide during 2025. To ensure a smooth transition, Google Cloud will provide advance notification to enterprises and users along the way to help plan MFA deployments, said Upadhyay.Weve been strong advocates for our MFA system for over a decade, and were here to help you with this important security upgrade. At Google, we understand that you need flexibility and control when implementing new security measures. Thats why were rolling out mandatory MFA in phases, he added.The first phase, beginning this month, will see Google begin to target unprotected users with more reminders and information on MFA in their Google Cloud Console, specifically targeting the 30% of service users not already enrolled. This guidance will push organisations towards raising awareness and planning for MFA, as well as providing advice on testing processes and enablement.From early 2025, Google will begin to require MFA for all new and existing users who sign in with a password, with notifications and guidance on this appearing throughout the Google Cloud Console, Firebase Console, gCloud, and other platforms. Those that wish to continue to use these tools will have no option but to enrol in MFA at this time.Finally, by this time next year, MFA requirements will have been extended to all users who federate authentication into Google Cloud. There will be a number of options available to meet this requirement organisations may choose to enable MFA with their primary identity provider prior to accessing Google Cloud, and work is ongoing to ensure there are standards and procedures in place to make this easier. Or users may wish to add extra layers of MFA through their Google accounts, if they prefer to use Googles own system.Introducing mandatory MFA for cloud services is very much an idea whose time has come, and Google is not the only cloud giant to be making such moves earlier in 2024,Microsoft announced it was introducing such a policy in the wake of a number of high-profile cyber attacks involving its users, and it has been in force across Azure since the beginning of October.Meanwhile, open source community giant GitHub, which brought in compulsory MFA for select developers and projects in 2023, said it has seen an opt-in rate of 95% across code contributors who received the MFA requirement, and a 54% uplift in MFA adoption among all active contributors to projects that it hosts.Mike Britton, CIO atAbnormal Security, said Googles move was long overdue: [MFA]I believe that software vendors should provideMFA and other core security services like SSO to their customers as part of their standard baseline offering. We shouldnt be monetising basic security capabilities and features in our product unless those features are cost prohibitive to provide without additional subscription fees, which is often not the case.Patrick Tiquet, vice-president of security and compliance atKeeper Security,The multi-step plan, starting with console reminders and advancing to full enforcement, prioritises user adoption and minimises operational disruption with gradual transition to ease users intoMFA paving the way for smoother implementation and stronger compliance.However, organisations usingGoogleCloudwill also need to plan for implementation within their workforce. Employee training about the importance ofMFAwill be critical and tools like a password manager can facilitate adoption by securely storing and fillingMFAcodes.Anna Collard, senior vice-president of content strategy and evangelist at security training specialistKnowBe4, also praised Googles new policy, but said that MFA alone was no silver bullet.Effective security relies on a layered defence approach that combines multiple strategies to protect assets and data. Not allMFAquality is equal either, for example phishing-resistantMFA, such as those enabled by FIDO are a much better option than text-based or push-basedMFA, she said.Read more about MFA and identityThe Security Think Tank considers best practices in identity and access management and how can they be deployed to enable IT departments to combat cyber-attacks, phishing attacks and ransomware.Not every MFA technique is effective in combating phishing attacks. Enterprises need to consider new approaches to protect end users from fraudulent emails.Traditional MFA provides benefits but tests users patience. Explore how invisible MFA can make it easier to access resources and reduce MFA fatigue.