Multi-factor authentication requirement for Google Cloud

Google Cloud strives to provide its customers with the strongest security possible. We prioritize protecting your identity, to help keep your account and sensitive information safe.

Multi-factor authentication (MFA), also known as 2-step verification (2SV), is a critical security measure. Accounts that are protected by MFA are 99% less likely to be hacked. Because of this, we are phasing in the requirement that all Google Cloud customers enable MFA for their accounts.

With MFA enabled, along with your password, you must enter a second form of verification, for example, a code sent to your phone or an authenticator app.

Requiring the additional factor makes it much harder for hackers to access your account. Even if your password is stolen, hackers would need to have access to the second factor in addition to your username and password.

If you're using a Google Account and have already enabled MFA, you don't need to take further action, and you won't be affected by this program.

If you're using a third-party identity provider (IdP) to manage single sign-on (SSO), you can use the MFA provided by that service.

Scope of MFA enforcement for Google Cloud

When the Google Cloud MFA requirement is enforced for your account, if you don't have MFA enabled, you won't be able to use the following Google Cloud interfaces:

Google Cloud MFA enforcement does not affect service accounts. Only user accounts are affected.

Access to the following interfaces and services is not affected by the Google Cloud MFA enforcement:

  • Google Workspace, including Gmail, Google Drive, and Google Sheets

  • YouTube

Your applications running on Google Cloud, including applications secured by Identity-Aware Proxy, are not affected by MFA enforcement. However, if your developers use Google Cloud to manage those applications, for example setting up Compute Engine virtual machines or administering IAP, they won't be able to use the Google Cloud console without enabling MFA when MFA is enforced for their account. In other words, your control plane will be affected by MFA enforcement, but not your data plane.

MFA requirement timeline

The timeline for MFA enforcement for Google Cloud depends on your account type, as shown in the following table.

| Account type | Description | Enforcement start date |
| --- | --- | --- |
| Personal Google Accounts | User accounts you created for your own use, including Gmail accounts, that are used as principals in Google Cloud. | On or after May 12, 2025 |
| Enterprise Cloud Identity accounts (not using SSO) | User accounts with usernames and passwords created and managed by your Google Workspace administrator in Cloud Identity. | During or after Q4 2025 |
| Enterprise accounts using federated authentication | User accounts created and managed by your Google Workspace administrator that use Google Workspace SSO, Cloud Identity SSO, or Workforce Identity Federation. | During or after Q1 2026 |
| Reseller accounts | User accounts created and managed in a Google Cloud reseller domain. End users of the reseller are not affected. | On or after April 28, 2025 |

When the requirement is enforced for your account, you must have MFA enabled to sign in to the Google Cloud console or the Firebase console.

Notification timeline

If you don't have MFA enabled, the Google Cloud console will display a reminder to enable MFA at least 90 days before MFA enforcement takes place. In addition, we will send an email with the MFA requirement reminder at least 90 days before MFA enforcement.

For resellers and their users, the Google Cloud console will display a reminder to enable MFA at least 60 days before MFA enforcement takes place. Similarly, the email reminders will be sent at least 60 days before MFA enforcement.

Enable MFA

You enable MFA on the Security tab of your Google Account settings page. For step-by-step instructions, see Turn on 2-Step Verification.

If you don't see the 2-Step Verification option for your account, your administrator might have disabled it. Contact your administrator for assistance.

Frequently asked questions

This page provides some answers to commonly asked questions about the MFA requirement.

What if I don't have a mobile phone, or I lose my phone?

A mobile phone is not required to use MFA to access your account. You can use any of the following methods to sign into your account:

  • Prompts. If you are signed into your Google Account on any other device, you can open that window or device to receive a prompt asking you whether it is you signing in. This can be done in a browser or on a tablet, as well as on your phone. For more information, see Sign in with Google prompts.

  • Use a security key. Before you can use a security key for your second factor, you must acquire one. You then touch the key to provide your second factor. For more information, see Use a security key for 2-Step Verification.

  • Use an authenticator app. You can set up an authenticator application on a desktop device and use it as a second factor.

  • Use backup codes. You can create backup codes and use them as your second factor. Backup codes must be stored securely, and can be used only once, so this method should be used only when you have no other method available. For more information, see Sign in with backup codes.

My users already have MFA through my third-party identity provider. Do they have to enable Google MFA?

Organizations using a third-party identity provider (IdP) are not required to use Google MFA if MFA is enabled for their IdP.

What is 2-SV? Is it the same thing as MFA?

Google's MFA implementation is also called 2-SV. This technology adds an additional layer of security for your Google Account by requiring a second factor in addition to your password when you sign in to your account. This helps keep bad actors out, even if they acquire your username and password.

After you enable MFA, when you sign in to your Google Account from a device that has no passkey and is not a trusted device, you'll need both your password and a second form of verification. This helps protect your Google Cloud resources and Google Account from unauthorized access, phishing, malware, and data breaches.

Learn more about how 2-SV works.

Why are you requiring MFA?

Multi-factor authentication (MFA) is a critical security measure that adds an extra layer of protection for your Google Account. By requiring a second form of verification, such as a code from your phone or a security key, MFA makes it significantly harder for unauthorized users to gain access to your account.

How will you implement MFA enforcement?

When your account becomes subject to the MFA requirement, if MFA is not enabled for your account, you won't be able to access the Google Cloud console or the Firebase console.

You'll still be able to sign in to and administer your Google Account, and access other Google services such as Google Workspace and YouTube.

Google Workspace, including Gmail, Google Sheets, and Google Slides, is not affected by this program. However, Google Workspace has a separate MFA requirement. To ensure continued access, we strongly recommend that you learn about upcoming MFA requirements for all the Google products you use.

If I am locked out of my account, how can I enable MFA?

You won't be locked out of your Google Account. You'll still be able to sign in to and administer your Google Account. Only your access to the Google Cloud console and the Firebase console will be affected.

What MFA factors can I use?

Personal Google Accounts and enterprise accounts that use Google as their identity provider (IdP) can use any of the following factors to set up MFA:

  • SMS
  • Prompts
  • Security Keys
  • Authenticator apps
  • Backup codes

Accounts that use an external IdP can use any MFA factor that is supported by their IdP.

I have a passkey on my account. Do I still have to enable MFA?

Yes, accounts with a passkey need to have MFA enabled by adding a second authentication factor. If someone gets access to your password and tries to sign in from a device that doesn't have a passkey configured, Google requests this second factor, preventing unauthorized access.

Can I opt out of the MFA requirement?

Gmail accounts used for Google Cloud can't be opted out.

Exemptions for enterprise accounts and reseller accounts are available for specific use cases where implementing MFA is not feasible. For more information, contact Cloud Customer Care.

Will this affect my ability to use service accounts?

No, service accounts are unaffected by the MFA requirement. Only access for user accounts to the Google Cloud console and the Firebase console is affected.

If you use your Google Account to impersonate a service account, and MFA is enforced for your account, you need to have MFA enabled to sign in to the Google Cloud console.

Will the MFA requirement affect users that access apps and workloads hosted on Google Cloud?

No. Only your access to the Google Cloud console and the Firebase console is affected. The MFA requirement won't affect your data plane, load balancer, applications, or Identity-Aware Proxy.

When will I receive communication about the MFA requirement timeline?

If you don't have MFA enabled, you will receive reminders to enable MFA in the Google Cloud console and by email at least 90 days before MFA enforcement takes place. Resellers and their users will receive the reminders at least 60 days in advance.

Will the MFA requirement affect Google Workspace users?

Google Workspace users that use the Google Cloud console or the Firebase console will be required to enable MFA to continue using Google Cloud. Access to other Google Workspace capabilities won't be affected by this program.

Google Workspace is implementing a separate requirement to enable 2-SV (MFA) for Google Workspace administrators. Contact your Google Workspace administrator for more information.

I already enabled MFA on my Google Account. Will this affect me?

If you have already enabled MFA on your Google Account, you won't be affected by this program.

You can check whether MFA is enabled for your account by opening the Security tab of your Google Account settings page. The 2-Step Verification setting is displayed in the How you sign in to Google section.

I have a Google Cloud reseller domain. Will my end users be affected by the MFA requirement?

Your end users won't be affected by this program. The MFA requirement applies only to users that are managed in the reseller domain itself. All affected users will be notified in the Google Cloud console and by email at least 60 days before the requirement is enforced.

My question is not answered here. Who can I contact?

If your question is not answered in this document, contact gcp-mfa-enforcement@google.com.
