Google Ads API introduces mandatory two-factor authentication

To enhance the protection of confidential data and prevent unauthorized access to advertising accounts, Google is introducing new security requirements. Starting April 21, 2026, the use of the Google Ads API will require mandatory multi-factor authentication (MFA / 2-Step Verification).

TL;DR

The requirement applies to users generating new OAuth 2.0 refresh tokens through the standard user authentication flow. The changes also affect Google Ads Editor, BigQuery Data Transfer Service, and other related tools. Workflows using Service Accounts remain unchanged.

Overview and Rationale

The implementation of MFA (two-factor authentication) adds a critical layer of security beyond standard password protection. For mid-sized and large marketing teams, this significantly reduces the risk of account breaches, especially when managing substantial advertising budgets.

Key Updates

• Scope: Applies only to newly generated OAuth 2.0 refresh tokens
• Existing tokens: Will remain valid and do not require immediate reauthorization
• Exceptions: Workflows based on Service Accounts are not affected
  → This reinforces Google’s recommendation to use Service Accounts for automated systems and offline integrations

Platforms and Tools Affected

In addition to direct API usage, the new security requirements will apply to:

• Google Ads Editor — when refreshing sessions or adding new accounts
• Google Ads Scripts — for scripts requiring user authentication
• BigQuery Data Transfer Service — when setting up Google Ads data imports
• Looker Studio (formerly Data Studio) — for report visualization via Google Ads connectors

How to Check and Enable MFA

Marketing system administrators and media buyers are advised to verify account security settings in advance:

• Check status: Go to the Security tab of your Google Account
• Enable MFA: Under “How you sign in to Google”, ensure 2-Step Verification is enabled
• Enterprise restrictions: If the option is unavailable, it may be restricted at the organization level (Google Workspace). In this case, contact your IT department to update security policies

Troubleshooting

If you encounter issues during the transition:

• 2SV option unavailable: Contact your system administrator to request access
• Verification error: If you see “Google couldn’t verify this account belongs to you”,
  → Revisit security settings
  → Enable 2-Step Verification (if possible)
  → Wait 5–10 minutes for system synchronization
  → Retry the login process

Recommendation for Enterprises

To ensure uninterrupted operation of automated reports and scripts, it is recommended to transition to a Service Accounts architecture, which provides greater stability for system integrations without requiring manual authentication steps.

Read this article in Ukrainian.