Multi-factor authentication requirement for Google Cloud
Google Cloud strives to provide its customers with the strongest securitypossible. We prioritize protecting your identity, to help keep your account andsensitive information safe. To help keep this commitment, Google is phasing inthe requirement that all Google Cloud customers enablemulti-factor authentication (MFA) for their accounts.
MFA, also known as2-step verification (2SV), is an important securitymeasure. In addition to your password, MFA requires another proof of identity,known as anauthentication factor, to successfully sign in to an account.Requiring an additional factor makes it much harder for your account to becompromised by hackers. Even if your password is stolen, hackers still need anadditional factor to be able to access your account.
If you're using a Google Account and have alreadyenabled MFA,you don't need to take further action. You can check whether MFA is enabled foryour account by opening theSecurity tab of yourGoogle Account settings page. The2-Step Verification setting is displayed in theHow you sign in to Google section.
Note: Accounts with passkeys still must enable MFA and add an authenticationfactor. If someone gets access to your password, and tries to sign in from anuntrusted device thatdoesn't have a passkey configured, Google requests this second factor,preventing unauthorized access.If you're using a third-party identity provider (IdP) to manage single sign-on(SSO) in to Google Cloud, you can use the MFA provided by that IdP tocomply with Google Cloud's MFA requirement.
If you have questions that aren't answered in this document, contactCloud Customer Care.
Timelines for MFA enforcement
The timeline for MFA enforcement for Google Cloud depends on your accounttype, as shown in the following table.
| Account type | Description | Enforcement start date |
|---|---|---|
| Personal Google Accounts | User accounts you created for your own use, including Gmail accounts, that are used asprincipals in Google Cloud. | On or after May 12, 2025 |
| Enterprise Cloud Identity accounts (not using SSO) | User accounts with usernames and passwords created and managed by your Google Workspace administrator in Cloud Identity. | During or after Q4 2025 |
| Enterprise accounts using federated authentication | User accounts created and managed by your Google Workspace administrator that use Google Workspace SSO,Cloud Identity SSO, or Workforce Identity Federation. | During or after Q1 2026 |
| Reseller accounts | User accounts created and managed in a Google Cloud reseller domain. End users of the reseller are not affected. | On or after April 28, 2025 |
If you don't have MFA enabled, the Google Cloud console displays reminders toenable MFA at least 90 days before, and leading up to MFA enforcement. Inaddition, an email is sent with an MFA requirement reminder at least 90 daysbefore MFA enforcement.
For resellers and their users, the Google Cloud console displays reminders toenable MFA at least 60 days before, and leading up to MFA enforcement.Similarly, an email reminder is sent at least 60 days before MFA enforcement.
When the requirement is enforced for your account, you must have MFA enabled tosign in to the Google Cloud console or the Firebase console.
Scope of MFA enforcement
When the Google Cloud MFA requirement is enforced for your account, if youdon't have MFA enabled, you won't be able to use the following Google Cloudinterfaces:
Google Cloud MFA enforcement doesn't affect service accounts. Only useraccounts are affected. However, if you use your Google Account to impersonate aservice account, and MFA is enforced for your account, you must have MFA enabledto sign in to the Google Cloud console.
Access to the following interfaces and services isnot affected by theGoogle Cloud MFA enforcement:
Google Workspace, including Gmail, Google Drive, Google Sheets,and Google Slides. However, Google Workspace has a separate MFArequirement. Contactyour Google Workspace administratorfor more information.
YouTube.
Your applications and workloads running on Google Cloud, includingapplications secured by Identity-Aware Proxy (IAP), aren't affected by MFAenforcement. However, your developers won't be able to use theGoogle Cloud console to manage those applications. In other words, yourcontrol plane is affected by MFA enforcement, but not your data plane.
Opt out of MFA enforcement
Gmail accounts used for Google Cloud can't be opted out of the MFArequirement.
Exemptions for enterprise accounts and reseller accounts are available forspecific use cases where implementing MFA is not feasible. For more information,contactCloud Customer Care.
Enable MFA for Google Accounts
You can enable MFA, also known as2-step verification (2SV), on theSecurity tab of yourGoogle Account settings page. For step-by-step instructions, see Turn on 2-Step Verification.
If you don't see the2-Step Verification option for your account, your administrator might have disabled it. Contact your administrator for assistance.
Additional factors for Google Accounts
Personal Google Accounts and enterprise accounts that use Google as theiridentity provider (IdP) can use any of the following additional factors withGoogle Cloud:
Authenticator apps: you can set up an authenticator application, such asGoogle Authenticator,orAuthy, on your mobile or desktop device to act asyour second factor.
Backup codes: you can create backup codes and use them as your secondfactor. Backup codes must be stored securely, and can be used only once, sothis method should be used only when you have no other method available. Formore information, seeSign in with backup codes.
Google Prompts: if you are signed into your Google Account on anotherdevice, you can receive a prompt on that device asking you whether it is yousigning in. You can confirm that it's you in a browser, on a tablet, or yourphone. For more information, seeSign in with Google prompts.
Physical security key: you can touch a physical security key to provideyour second factor. For more information, seeUse a security key for 2-Step Verification.
SMS codes: you can use a code sent to your phone number as a secondfactor. Before you can use SMS as a second factor, your phone number must beassociated with your Google Account.
Enable MFA for third-party identity providers
Refer to your third-party IdP's documentation to learn how to enable MFA.
Recover account access if a factor is lost or stolen
SeeFix common issues with 2-Step verificationfor steps to recover your account.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.