Google is tightening security across its ads ecosystem, requiring multi-factor authentication (MFA) for API users — a move that could impact how developers and advertisers access and manage accounts.

Driving the news. Google will begin rolling out mandatory MFA for the Google Ads API starting April 21, with full enforcement expected over the following weeks.

The update applies to users generating new OAuth 2.0 refresh tokens through standard authentication workflows.

What’s changing. Users will now need to verify their identity with a second factor — such as a phone or authenticator app — in addition to their password when authenticating.

  • Existing OAuth refresh tokens will continue to work without interruption.
  • New authentications will require MFA by default.
  • Users without 2-step verification enabled will be prompted to set it up.

Why we care. This change affects how you access and manage Google Ads data through APIs and connected tools. While it improves account security and reduces the risk of unauthorized access, it may also require updates to workflows, especially for teams that regularly generate new credentials. Preparing early can help avoid disruptions.

Who’s affected. The change primarily impacts apps and workflows using user-based authentication.

  • User authentication workflows: Will require MFA for new token generation.
  • Service account workflows: Not affected, and recommended for automated or offline use cases.

The requirement also extends beyond the API to tools like Google Ads Editor, Scripts, BigQuery Data Transfer, and Data Studio.

The big picture. As ad platforms handle more sensitive data and automation, security is becoming a bigger priority — especially as API access expands across teams, tools, and integrations.

Yes, but. While the update improves protection against unauthorized access, it may add friction for teams that frequently generate new credentials or rely on manual authentication flows.

The bottom line. Google is making MFA standard for Ads API access, signaling a broader shift toward stricter security across advertising tools and workflows.

Search Engine Land is owned by Semrush. We remain committed to providing high-quality coverage of marketing topics. Unless otherwise noted, this page’s content was written by either an employee or a paid contractor of Semrush Inc.

Anu AdegbolaAnu Adegbola

Anu Adegbola has been Paid Media Editor of Search Engine Land since 2024. She covers paid search, paid social, retail media, video and more.

In 2008, Anu started her career delivering digital marketing campaigns (mostly but not exclusively Paid Search) by building strategies, maximising ROI, automating repetitive processes and bringing efficiency from every part of marketing departments through inspiring leadership both on agency, client and marketing tech side. Outside editing Search Engine Land article she is the founder of PPC networking event – PPC Live and host of weekly podcast PPC Live The Podcast.

She is also an international speaker with some of the stages she has presented on being SMX (US, UK, Munich, Berlin), Friends of Search (Amsterdam, NL), brightonSEO, The Marketing Meetup, HeroConf (PPC Hero), SearchLove, BiddableWorld, SESLondon, PPC Chat Live, AdWorld Experience (Bologna, IT) and more.