As someone who frequently works with Google’s advertising tools, I know firsthand how crucial security is. Starting April 21, Google is implementing a mandatory multi-factor authentication (MFA) requirement for its Ads API. This is a significant move towards enhancing security, but it’s one that might need us to rethink our authentication workflows.
Driving the news. Google will gradually enforce mandatory MFA for the Ads API, aiming for complete roll-out just weeks after the initial date. This means we all need to be prepared.
This update directly impacts those of us generating new OAuth 2.0 refresh tokens, as it mandates a more secure authentication process.
What’s changing. We’ll now need to add another step in verifying our identity. This could be in the form of a phone prompt or an authenticator app, alongside the usual password.
Existing OAuth tokens we’re already using will stay unaffected, but for any fresh authentications, MFA will become the default requirement. If we’re not yet using two-step verification, it’s time to set it up.
Why we care. This shift influences how we manage and access our Google Ads data through various APIs and connected tools. While it undeniably enhances security and mitigates unauthorized access risks, it could also require us to adjust existing workflows, especially when generating new credentials often. Preemptive preparation can save us from potential disruptions.
Who’s affected. If your applications or workflows rely on user-based authentication, you’re in for some changes.
User authentication workflows: These will need MFA for new token setups.
Service account workflows: Thankfully, these remain untouched. They’re actually recommended for automated or offline scenarios.
The requirement isn’t limited to the API alone. We’ll also see it in tools like Google Ads Editor, Scripts, BigQuery Data Transfer, and Data Studio.
The big picture. As we lean more heavily on ad platforms for sensitive data and automation, security can’t be pushed aside. This need grows as API access proliferates across various teams, tools, and integrations.
Yes, but. While boosting security against unauthorized intrusions is welcome, we must consider the challenges it introduces. Especially for teams like ours that often create new credentials or depend on manual authentication flows.
The bottom line. Google’s decision to make MFA standard for Ads API access marks a shift towards more stringent security policies across advertising tools and workflows.
Inspired by this post on Search Engine Land.
Leave a Reply