Starting 21 April, Google Ads requires multi-factor authentication when generating new OAuth tokens via the API. Existing tokens still work, but new integrations need MFA enabled.
Existing tokens still work. New ones need MFA. The clock started on 21 April.
Google Ads now requires multi-factor authentication for anyone generating new OAuth 2.0 refresh tokens through the API.
The requirement took effect on 21 April 2026. Existing tokens continue to work without interruption. But any new authentication, whether you are setting up a fresh integration, rotating credentials or connecting a new tool, now requires a second verification factor like a phone or authenticator app.
Why it matters
This is a security tightening that will catch agencies and businesses off guard if they have not prepared. The most common scenario: a marketing team tries to connect a new reporting tool or bid management platform to Google Ads and hits a wall because the Google Account being used does not have two-step verification enabled.
Shared logins are now explicitly prohibited. If your agency has been using a single set of credentials across multiple team members to manage Google Ads API access, that workflow is broken as of this month.
Service account workflows are unaffected. If your integrations use service accounts rather than user-based OAuth, nothing changes. But most small and mid-market businesses use user-based authentication because it is simpler to set up.
What to do about it
Audit which Google Accounts your team uses for API access. Enable two-step verification on every one of them now, before you need to generate a new token under pressure. Set up backup recovery methods so a lost phone does not lock you out of your ad account. If you are using shared credentials, migrate to individual accounts or service accounts.