Remember the Mandiant X account breach in 2023? No MFA on a critical account. That’s a textbook example of why this isn’t just a “good idea.” It’s non-negotiable.
Google accounts without 2-Step Verification are low-hanging fruit for phishing, credential stuffing, and session hijacking. For cloud admin accounts, it’s the single most important control you have. If you aren’t doing this, you’re leaving the door wide open.
This isn’t rocket science. It’s foundational. Go to your Google Workspace Admin console, navigate to Security > Authentication > 2-Step Verification, and enforce it for all users. Set a grace period if you must, but make it mandatory.
Require 2-Step Verification for all users in Google Workspace.
The fix
# Admin Console → Security → Authentication → 2-Step Verification
# Set enforcement: ON for all users
# Allow: Security keys (preferred), Authenticator app
# Disallow: SMS verification
Reference: CIS GCP Foundations Benchmark 1.1
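Turning the setting on is half the job; checking who is still outside it is the other half. The script below is an added example, not part of the original post. It assumes you have exported your users as JSON from the Admin SDK Directory API (`users.list`), whose user records carry `isEnrolledIn2Sv`, `isEnforcedIn2Sv`, `isAdmin`, `isDelegatedAdmin` and `suspended`; the sample accounts are constructed.

```python
import json

# Constructed sample shaped like an Admin SDK Directory API users.list response.
SAMPLE = json.loads("""
{"users": [
 {"primaryEmail": "admin@example.com", "isAdmin": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
 {"primaryEmail": "alice@example.com",
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": true},
 {"primaryEmail": "bob@example.com",
  "isEnrolledIn2Sv": true, "isEnforcedIn2Sv": false},
 {"primaryEmail": "carol@example.com", "suspended": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": false},
 {"primaryEmail": "dave@example.com", "isDelegatedAdmin": true,
  "isEnrolledIn2Sv": false, "isEnforcedIn2Sv": true}
]}
""")


def audit_2sv(users):
    """Return active accounts whose 2SV state falls short of 'enrolled and enforced'."""
    findings = []
    for u in users:
        if u.get("suspended"):
            continue  # suspended accounts cannot sign in
        enrolled = bool(u.get("isEnrolledIn2Sv"))
        enforced = bool(u.get("isEnforcedIn2Sv"))
        if enrolled and enforced:
            continue
        if enrolled:
            gap = "enrolled, but policy not enforced"
        elif enforced:
            gap = "enforced, enrollment still pending"
        else:
            gap = "not enrolled, not enforced"
        findings.append({
            "email": u["primaryEmail"],
            "privileged": bool(u.get("isAdmin") or u.get("isDelegatedAdmin")),
            "gap": gap,
        })
    # Admin accounts first: they are the ones the page calls out as critical.
    findings.sort(key=lambda f: (not f["privileged"], f["email"]))
    return findings


if __name__ == "__main__":
    for f in audit_2sv(SAMPLE["users"]):
        tag = "ADMIN" if f["privileged"] else "user "
        print(f'{tag}  {f["email"]:<22} {f["gap"]}')
```

An empty result means every active account is both enrolled and covered by the enforcement policy; anything listed as ADMIN should be fixed before the grace period, not after.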