Google strives to provide its customers with the strongest security possible. We prioritize protecting your identity, to help keep your account and sensitive information safe.
Multi-factor authentication (MFA) is a critical security measure. Accounts that are protected by MFA are 99% less likely to be hacked. Because of this, we are phasing in the requirement that all Google Cloud customers enable MFA for their accounts.
With MFA enabled, when you enter your password, you are prompted to enter a second form of verification, for example, a code sent to your phone or an authenticator app.
Requiring the additional factor makes it much harder for hackers to access your account. Even if your password is stolen, hackers would need to have access to the second factor in addition to your username and password.
If you have already enabled MFA for your account, you don't need to take further action, and you won't be affected by this program. You can check whether MFA is enabled for your account by opening the Security tab of your Google Account settings page. The *2-Step Verification setting is displayed in the How you sign in to Google section.
MFA requirement timeline
The timeline for MFA enforcement depends on your account type, as shown in the following table.
| Account type | Description | Enforcement start date |
|---|---|---|
| Personal Google Accounts | User accounts you created for your own use, including Gmail accounts. | On or after May 12, 2025 |
| Enterprise Cloud Identity accounts (not using SSO) | User accounts with usernames and passwords created and managed by your Google Workspace administrator in Cloud Identity. | During or after Q3 2025 |
| Enterprise accounts using federated authentication | User accounts created and managed by your Google Workspace administrator that use Google Workspace SSO, Cloud Identity SSO, or Workforce Identity Federation. | During or after Q4 2025 |
| Reseller accounts | User accounts created and managed in a Google Cloud reseller domain. End users of the reseller are not affected. | On or after April 28, 2025 |
When the requirement is enforced for your account, you must have MFA enabled to sign in to the Google Cloud console, the Google Cloud CLI, or the Firebase console.
Notification timeline
If you don't have MFA enabled, the Google Cloud console will display a reminder to enable MFA at least 90 days before MFA enforcement takes place. In addition, we will send an email with the MFA requirement reminder at least 90 days before MFA enforcement.
For resellers and their users, the Google Cloud console will display a reminder to enable MFA at least 60 days before MFA enforcement takes place. Similarly, the email reminders will be sent at least 60 days before MFA enforcement.
Enable MFA
You enable MFA on the **Security** tab of your Google Account settings page. For step-by-step instructions, see Turn on 2-Step Verification. If you don't see the 2-Step Verification option for your account, your administrator might have disabled it. Contact your administrator for assistance.
Frequently asked questions
This page provides some answers to commonly asked questions about the MFA requirement.
My users already have MFA through my third-party identity provider. Do they have to enable Google MFA?
Organizations using a third-party identity provider (IdP) are not required to use Google MFA if MFA is enabled for their IdP.
What is 2-SV? Is it the same thing as MFA?
Google's MFA implementation is also called 2-SV. This technology adds an additional layer of security for your Google Account by requiring a second factor in addition to your password when you sign in to your account. This helps keep bad actors out, even if they acquire your username and password.
After you enable MFA, when you sign in to your Google Account from a device that has no passkey and is not a trusted device, you'll need both your password and a second form of verification. This helps protect your Google Cloud resources and Google Account from unauthorized access, phishing, malware, and data breaches.
Learn more about how 2-SV works.
Why are you requiring MFA?
Multi-factor authentication (MFA) is a critical security measure that adds an extra layer of protection for your Google Account. By requiring a second form of verification, such as a code from your phone or a security key, MFA makes it significantly harder for unauthorized users to gain access to your account.
Who will you enforce MFA for?
All Google Cloud users that use the Google Cloud console, the Google Cloud CLI or Firebase will be required to enable MFA.
What is the deadline for enabling MFA?
The deadline for enabling MFA depends on your account type. See MFA requirement timeline for details.
How will you implement MFA enforcement?
When your account becomes subject to the MFA requirement, if MFA is not enabled for your account, you won't be able to access the Google Cloud console, the gcloud CLI, or the Firebase console.
You'll still be able to sign in to and administer your Google Account, and access other Google services such as Google Workspace and YouTube.
Google Workspace, including Gmail, Google Sheets, and Google Slides, is not affected by this program. However, Google Workspace has a separate MFA requirement. To ensure continued access, we strongly recommend that you learn about upcoming MFA requirements for all the Google products you use.
If I am locked out of my account, how can I enable MFA?
You won't be locked out of your Google Account. You'll still be able to sign in to and administer your Google Account. Only your access to the Google Cloud console, the gcloud CLI, and the Firebase console will be affected.
How do I enable MFA?
You enable MFA on the **Security** tab of your Google Account settings page. For step-by-step instructions, see Turn on 2-Step Verification. If you don't see the 2-Step Verification option for your account, your administrator might have disabled it. Contact your administrator for assistance.
I don't see the 2-step Verification option on my account settings page. What do I do?
First, make sure you are on the Security settings page. If you still don't see an option to enable 2-step verification, your Google Workspace administrator might have disabled it. Contact your Google Workspace administrator for assistance.
What MFA factors can I use?
Personal Google Accounts and enterprise accounts that use Google as their identity provider (IdP) can use any of the following factors to set up MFA:
- SMS
- Prompts
- Security Keys
- Authenticator apps
Accounts that use an external IdP can use any MFA factor that is supported by their IdP.
I have passkey on my account. Do I still have to enable MFA?
Yes, accounts with passkey need to have MFA enabled by adding a second authentication factor. If someone gets access to your password, and tries to sign in from a device that doesn't have a passkey configured, Google requests this second factor, preventing unauthorized access.
Is MFA required for my Gmail account?
You must enable MFA for your personal Google Account, which can be used to access your Gmail account.
Can I opt out of this requirement?
For personal Google Accounts, there is no opt-out option. Opt-out programs for enterprise accounts are under review.
Will this affect my ability to use service accounts?
No, service accounts are unaffected by the MFA requirement. Only access for user accounts to the Google Cloud console, the gcloud CLI, and Firebase are affected.
If you use your Google Account to impersonate a service account, and MFA is enforced for your account, you need to have MFA enabled to sign in to the Google Cloud console and the gcloud CLI.
Will the MFA requirement affect users that access apps and workloads hosted on Google Cloud?
No. Only your access to the Google Cloud console, the gcloud CLI, and Firebase are affected. The MFA requirement won't affect your data plane, load balancer, applications, or Identity-Aware Proxy.
When will I receive communication about the MFA requirement timeline?
If you don't have MFA enabled, you will see reminders in the Google Cloud console and email to enable MFA at least 90 days before MFA enforcement takes place. Resellers and their users will receive the reminders at least 60 days in advance.
Will the MFA requirement affect Google Workspace users?
Google Workspace users that use the Google Cloud console, the Google Cloud CLI, or Firebase will be required to enable MFA to continue using Google Cloud. Access to other Google Workspace capabilities won't be affected by this program.
Google Workspace is implementing a separate requirement to enable 2-SV (MFA) for Google Workspace administrators. Contact your Google Workspace administrator for more information.
I already enabled MFA on my Google Account. Will this affect me?
If you have already enabled MFA on your Google Account, you won't be affected by this program.
You can check whether MFA is enabled for your account by opening the Security tab of your Google Account settings page. The 2-Step Verification setting is displayed in the How you sign in to Google section.
I have a Google Cloud reseller domain. Will my end users be affected by the MFA requirement?
Your end users won't be affected by this program. The MFA requirement applies only to users that are managed in the reseller domain itself. All affected users will be notified in the Google Cloud console and in email at least 60 days before the requirement is enforced.
My question is not answered here. Who can I contact?
If your question is not answered in this document, contact gcp-mfa-enforcement@google.com.
What's next
- Enable 2-SV for your Google Account.
- Set up 2-SV for Google Workspace and Cloud Identity administrators.
- Open your Google Account security settings page.