Google Cloud will enforce re-authentication for critical IAM and billing actions starting July 2025, strengthening security for sensitive administrative tasks.
 |
| Google Cloud will implement password or MFA re-authentication for sensitive console-level actions from July 2025, marking a major upgrade in cloud security policy. Image: CH |
MOUNTAIN VIEW, USA — June 14, 2025:
Google Cloud has announced a sweeping upgrade to its account security protocols, introducing mandatory re-authentication for certain high-risk administrative tasks starting in July 2025. The update will require users of the Google Cloud Console—who authenticate via Google Cloud Identity—to either re-enter their password or complete multi-factor authentication (MFA) when making changes to critical IAM policies and billing configurations.
The new requirement applies to actions such as modifying access controls at the organization, folder, or project level, as well as adjusting billing assignments and associations. These steps correspond to key API operations that could significantly impact cloud operations and access privileges.
This security enhancement comes in response to the increasing sophistication of cyber threats and aims to reduce the risk of unauthorized access or accidental misconfigurations within enterprise cloud environments. It will not apply to programmatic users, federated external identities via Workforce Identity pools and SSO, or service accounts.
Google emphasizes that the transition requires no immediate user action. The enhanced security policy will be automatically enforced beginning July 2025. The company has published a user guide to assist customers in understanding and preparing for the upcoming change.
“By requiring an additional identity check for sensitive operations, we’re adding an essential layer of protection for critical Google Cloud resources,” Google said in its notice to users.
This move reinforces Google Cloud’s broader commitment to zero trust architecture and secure-by-default design, ensuring that mission-critical enterprise systems are safeguarded against internal and external threats.