Google has started requiring multi-factor authentication (MFA) for the Google Ads API. The rollout began April 21, 2026 across the API itself, and from May 7, 2026, new transfer configurations on the BigQuery Data Transfer Service for Google Ads also require MFA for individual user authentication. The change affects every workflow that uses user authentication to access Google Ads data through the API, Google Ads Editor, Google Ads Scripts, BigQuery Data Transfer Service, and Data Studio.
The good news for most teams: existing OAuth refresh tokens keep working, and any workflow that uses service accounts is exempt from the new requirement. The harder news: anyone setting up new BigQuery transfers, new Apps Script integrations, or onboarding new team members on Google Ads Editor will hit the MFA prompt. This guide explains what changed, who is affected, and the action plan to keep reporting workflows running.
What changed
Two related rollouts are happening on different dates. Both stem from the same security update.
The change is part of an account-security tightening Google has been rolling out across its developer-facing products. The official announcement on the Google Ads Developer Blog frames it as making "compromised passwords alone not enough to gain access." The May 7 BigQuery-specific date is documented in the BigQuery release notes. The technical impact for marketers and analysts is primarily on the user-authentication workflow.
Who is affected (and who isn't)
The exemptions matter as much as the requirement itself.
Not affected: service accounts. If your BigQuery transfer or Apps Script uses a service account to authenticate, MFA does not apply. Service accounts authenticate with a JSON key, not a username and password, so the second-factor concept does not exist for them. Google explicitly recommends service account workflows for any automated or offline use case.
Not affected: existing OAuth refresh tokens. If you set up your transfer in 2024 or earlier and the refresh token is still valid, it keeps working. You will not be prompted to re-authorize unless you regenerate the token or the existing one expires.
Affected: new user-authentication setups. Anyone setting up a new connection from a Google account (not service account) to Google Ads API, BigQuery DTS, Google Ads Editor, Google Ads Scripts, or Data Studio will be prompted for MFA. If MFA is not yet enabled on that Google account, the user will be asked to enable it before proceeding.
Affected: fresh installs and migrations. If you switch laptops, lose an OAuth token, onboard a new team member who needs Google Ads access, or migrate a script to a new project, you will need to re-authorize. The re-authorization triggers MFA.
What this means for your reporting
For most teams, the practical impact is low if you have already moved to service accounts. For teams still on user authentication, three concrete impacts:
New BigQuery DTS transfers will not complete without MFA. If you start setting up a new transfer from May 7 onward and the user account does not have 2-Step Verification enabled, the setup fails at the auth step. You will need to either enable MFA on that account or switch the transfer to a service account. Our Google Ads to BigQuery automated setup guide walks through both options end to end.
Apps Script integrations against Google Ads need re-auth careful planning. If your Apps Script uses OAuth refresh tokens that are about to expire or need rotation, plan for the MFA prompt during re-authorization. The script itself does not need code changes; the auth flow does.
Data Studio will prompt new connections. Anyone setting up a fresh Google Ads data source in Data Studio after the rollout will see the MFA challenge. Existing data sources continue to refresh normally because they use stored OAuth tokens.
Cross-channel reporting workflows are largely unaffected on the data side. Your existing pipelines from Google Ads, Meta, LinkedIn, and TikTok keep running. We covered the cross-channel reporting setup in detail in our LinkedIn Ads to Google Sheets guide and Meta Ads to Google Sheets guide; the MFA change does not retro-affect any of those existing connections.
Action plan: what to do this week
Five steps to keep your reporting workflows running through the rollout.
- Audit your authentication method. For every Google Ads connection in BigQuery DTS, Apps Script, Google Ads Editor, and Data Studio, determine whether it uses a service account or user authentication. The BigQuery DTS console shows the auth type per transfer in the configuration details.
- Enable MFA on every Google account that touches Google Ads API. Even if you do not need to re-authorize today, enabling MFA in advance avoids surprises the day someone needs to set up a new connection. Check the Security tab of each account's Google settings page for the 2-Step Verification setting.
- Migrate critical pipelines to service accounts. For any production reporting that runs on a schedule, switch from user authentication to a service account. Service accounts are not affected by the MFA requirement and are also more reliable long-term because they do not depend on a specific person's OAuth token. Grant the service account read access to the relevant Google Ads accounts via the Google Cloud IAM page.
- Document the MFA fallback in your team runbook. When a new analyst joins or someone switches devices, the first time they authorize a Google Ads tool will prompt for MFA. Make sure your onboarding doc says "expect a 2FA prompt; have your phone ready."
- Plan onboarding around the rollout. If you have new agency clients or new team members getting access this week, schedule the auth setup in a session where someone with admin access to the Google Workspace can help if MFA needs to be enabled fresh.
For agencies running this across multiple clients, our multi-channel attribution dashboard guide covers patterns that scale auth management across platforms.
Timeline
The rollout is phased. Expect a few weeks of mixed states across accounts before MFA is universal across all Google Ads API access points.
- April 21, 2026. Google Ads API begins enforcing MFA on user-authentication workflows. Rollout extends across all users over the following weeks.
- May 7, 2026. New BigQuery Data Transfer Service configurations for Google Ads require MFA. Existing transfers continue normally.
- Throughout May-June 2026. All Google Ads Editor, Apps Script, and Data Studio user-auth flows complete the rollout.
- Going forward. Treat MFA as the default for any new Google Ads API connection. Reserve user authentication for one-off setups and service accounts for everything automated.
FAQ
Will my existing BigQuery Data Transfer for Google Ads break on May 7?
No. The MFA requirement applies only to new transfer configurations. Existing transfers continue to refresh on their normal schedule because they use already-authorized OAuth refresh tokens. The change is forward-looking only.
Do service accounts need MFA?
No. Service accounts authenticate with a JSON key, not a username and password, so multi-factor authentication does not apply. Google explicitly recommends service accounts for any automated or offline workflow.
What happens if I don't have 2-Step Verification enabled on my Google account?
When you try to set up a new Google Ads API connection or re-authorize an existing one, you will be prompted to enable 2-Step Verification before completing the auth flow. Follow the on-screen instructions in the Security tab of your Google Account settings page.
Does this affect Google Ads Editor users?
Yes for new authorizations. If you install Google Ads Editor on a new device or sign in with a new Google account, you will be challenged with MFA in addition to your username and password. Existing installations with valid tokens continue to work.
Are Apps Script Google Ads integrations affected?
Yes when re-authorizing. The script code itself does not need changes. But when an OAuth refresh token expires or is regenerated, the user authorizing will see the MFA prompt.
Does this affect cross-channel pipelines that pull from Meta, LinkedIn, or TikTok alongside Google Ads?
Only the Google Ads side. Meta, LinkedIn, and TikTok have their own auth flows that are not affected by this Google Ads change. Existing pipelines combining all four platforms keep running because each platform's auth is independent.
Will Looker Studio (now Data Studio) connections break?
Existing Data Studio connections to Google Ads keep refreshing because they use stored OAuth tokens. Only new Google Ads data source setups in Data Studio will trigger the MFA prompt during initial authorization.
Conclusion
The Google Ads API MFA rollout is a security tightening, not a feature change. The data flow through BigQuery, Apps Script, Google Ads Editor, and Data Studio is identical; only the authorization step now requires a second factor. Most reporting pipelines keep running unchanged because existing OAuth tokens are grandfathered and service accounts are exempt. The friction is concentrated on new setups, new team members, and accounts that have not yet enabled 2-Step Verification.
If you maintain Google Ads reporting and want to skip the BigQuery Data Transfer Service setup, start a free Dataslayer trial. Initial OAuth respects your account's MFA; once connected, Dataslayer handles token refresh and multi-account access automatically, so the ongoing rollout stays invisible to your workflow.
