MFA, also known as 2-step verification (2SV), is an important security measure. In addition to your password, MFA requires another proof of identity, known as an authentication factor, to successfully sign in to an account. Requiring an additional factor makes it much harder for your account to be compromised by hackers. Even if your password is stolen, hackers still need an additional factor to be able to access your account.
If you're using a Google Account and have already enabled MFA, you don't need to take further action. You can check whether MFA is enabled for your account by opening the Security tab of your Google Account settings page. The 2-Step Verification setting is displayed in the How you sign in to Google section.
If you're using a third-party identity provider (IdP) to manage single sign-on (SSO) in to Google Cloud, you can use the MFA provided by that IdP to comply with Google Cloud's MFA requirement.
If you have questions that aren't answered in this document, contact Cloud Customer Care.
Timelines for MFA enforcement
The timeline for MFA enforcement for Google Cloud depends on your account type, as shown in the following table.
| Account type | Description | Enforcement start date |
|---|---|---|
| Personal Google Accounts | User accounts you created for your own use, including Gmail accounts, that are used as principals in Google Cloud. | On or after May 12, 2025 |
| Enterprise Cloud Identity accounts (not using SSO) | User accounts with usernames and passwords created and managed by your Google Workspace administrator in Cloud Identity. | During or after Q2 2026 |
| Enterprise accounts using federated authentication | User accounts created and managed by your Google Workspace administrator that use Google Workspace SSO, Cloud Identity SSO, or Workforce Identity Federation. | On or after September 1, 2026 |
| Reseller accounts | User accounts created and managed in a Google Cloud reseller domain. End users of the reseller are not affected. | On or after April 28, 2025 |
If you don't have MFA enabled, the Google Cloud console displays reminders to enable MFA starting at least 90 days before MFA enforcement and continuing until enforcement begins. In addition, an email is sent with an MFA requirement reminder at least 90 days before MFA enforcement.
For resellers and their users, the Google Cloud console displays reminders to enable MFA starting at least 60 days before MFA enforcement and continuing until enforcement begins. Similarly, an email reminder is sent at least 60 days before MFA enforcement.
When the requirement is enforced for your account, you must have MFA enabled to sign in to the Google Cloud console or the Firebase console.
Scope of MFA enforcement
When the Google Cloud MFA requirement is enforced for your account, if you don't have MFA enabled, you won't be able to use the following Google Cloud interfaces:
The Firebase console
Google Cloud MFA enforcement doesn't affect service accounts. Only user accounts are affected. However, if you use your Google Account to impersonate a service account, and MFA is enforced for your account, you must have MFA enabled to sign in to the Google Cloud console.
Access to the following interfaces and services is not affected by the Google Cloud MFA enforcement:
Google Workspace, including Gmail, Google Drive, Google Sheets, and Google Slides. However, Google Workspace has a separate MFA requirement. Contact your Google Workspace administrator for more information.
YouTube.
Your applications and workloads running on Google Cloud, including applications secured by Identity-Aware Proxy (IAP), aren't affected by MFA enforcement. However, your developers won't be able to use the Google Cloud console to manage those applications. In other words, your control plane is affected by MFA enforcement, but not your data plane.
Enable MFA for Google Accounts
You can enable MFA, also known as 2-step verification (2SV), on the Security tab of your Google Account settings page. For step-by-step instructions, see Turn on 2-Step Verification.
If you don't see the 2-Step Verification option for your account, your administrator might have disabled it. Contact your administrator for assistance.
Additional factors for Google Accounts
Personal Google Accounts and enterprise accounts that use Google as their identity provider (IdP) can use any of the following additional factors with Google Cloud:
Authenticator apps: you can set up an authenticator application, such as Google Authenticator or Authy, on your mobile or desktop device to act as your second factor.
Backup codes: you can create backup codes and use them as your second factor. Backup codes must be stored securely, and can be used only once, so this method should be used only when you have no other method available. For more information, see Sign in with backup codes.
Google Prompts: if you are signed in to your Google Account on another device, you can receive a prompt on that device asking you whether it is you signing in. You can confirm that it's you in a browser, on a tablet, or on your phone. For more information, see Sign in with Google prompts.
Physical security key: you can touch a physical security key to provide your second factor. For more information, see Use a security key for 2-Step Verification.
SMS codes: you can use a code sent to your phone number as a second factor. Before you can use SMS as a second factor, your phone number must be associated with your Google Account.
Enable MFA for third-party identity providers
Refer to your third-party IdP's documentation to learn how to enable MFA.
Recover account access if a factor is lost or stolen
See Fix common issues with 2-Step Verification for steps to recover your account.
Cloud Identity: extend the deadline for MFA enforcement
Organizations that use Cloud Identity and existed before the MFA requirement can enable a one-time, 90-day extension to the MFA requirement at the organization level in the Google Cloud console.
To do so, principals with the Organization Administrator (roles/resourcemanager.organizationAdmin) role must complete the following steps:
In the Google Cloud console, go to the Organizations page.
Select your organization.
In the 2-Step Verification notification, click Extend by 90 days, and then confirm the extension.
After the extension expires, the MFA requirement is enforced.
Opt out non-privileged users from MFA enforcement
You can opt non-privileged users out of MFA at the organization level in the Google Cloud console.
Principals with the Organization Administrator (roles/resourcemanager.organizationAdmin) role can do this by completing the following steps:
In the Google Cloud console, go to the Organizations page.
Select your organization.
Disable Require 2-Step Verification.
After an organization has opted out of MFA, most accounts no longer require another factor of authentication to use the Google Cloud console. The following account types, however, still need MFA enabled at the account level:
Gmail accounts used for Google Cloud.
Privileged users who perform sensitive actions.
Sensitive actions and MFA opt-out
Accounts that perform sensitive actions—known as privileged users—can't be fully opted out of MFA, even when the organization has the Require 2-Step Verification setting disabled. While they can still perform most tasks in the Google Cloud console after their organization is opted out from MFA, they are prevented from performing sensitive actions until MFA is enabled for their account. This helps to prevent sensitive actions from being initiated by bad actors due to credential theft.
The following Google Cloud actions are considered sensitive actions:
Billing assignment changes
IAM allow policy changes at the organization, folder, or project level
The MFA requirement for sensitive actions is in the process of rolling out across Google Cloud accounts. The rollout is expected to be complete in 2026.
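The following is an added example, not Google's code, that applies the opt-out rules above to an exported IAM allow policy so that you can see which principals still need MFA after an organization opts out. The sample policy is constructed, and the set of roles treated as privileged, the gmail.com suffix test, and the status labels are assumptions made for illustration.

```python
import json

# Assumption: roles treated as able to perform the sensitive actions listed
# above (IAM allow policy or billing assignment changes). Not an official list;
# custom roles and IAM conditions are not evaluated.
PRIVILEGED_ROLES = {
    "roles/owner",
    "roles/resourcemanager.organizationAdmin",
    "roles/resourcemanager.folderAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.securityAdmin",
    "roles/billing.admin",
}

# Constructed sample, shaped like `gcloud organizations get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/resourcemanager.organizationAdmin",
   "members": ["user:admin@example.com", "group:cloud-admins@example.com"]},
  {"role": "roles/viewer",
   "members": ["user:admin@example.com", "user:analyst@example.com",
               "user:contractor@gmail.com",
               "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/billing.admin", "members": ["user:finance@example.com"]}
]}""")

# Later entries win when a member appears in several bindings.
RANK = ["not-affected", "opted-out", "review:expand-membership",
        "mfa-required:privileged", "mfa-required:gmail"]

def classify(policy):
    """Map each member to its MFA status after an organization-level opt-out."""
    result = {}
    for binding in policy.get("bindings", []):
        privileged = binding.get("role") in PRIVILEGED_ROLES
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount":
                status = "not-affected"              # only user accounts are in scope
            elif kind != "user":
                status = "review:expand-membership"  # group:/domain: hide real users
            elif ident.lower().endswith("@gmail.com"):
                status = "mfa-required:gmail"        # Gmail accounts are never opted out
            else:
                status = "mfa-required:privileged" if privileged else "opted-out"
            result[member] = max(result.get(member, status), status, key=RANK.index)
    return result

if __name__ == "__main__":
    for member, status in sorted(classify(SAMPLE_POLICY).items()):
        print(f"{status:26} {member}")
```

Members reported as review:expand-membership are groups or domains whose individual users have to be resolved in your directory before they can be classified.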
Opt back in to MFA
If you choose to opt in to MFA again, a minimum 30-day grace period takes place before the MFA requirement is enforced.