Google says that it is introducing three enhancements to help organizations combat cookie and auth token theft, something the company claims is behind 37% of successful account takeovers.
The rise in email-delivered infostealers has made this a massive problem, with attackers finding new ways to snatch the session data that keeps you logged into services. This allows them to bypass even multi-factor authentication and casually walk right into your accounts.
The first enhancement is bringing passkey support to all Google Workspace customers. Google claims this offers benefits like ease of use and stronger security since passkeys are tied to a device and cannot be phished.
Passkey support is now generally available to more than 11 million Google Workspace customers, with expanded admin capabilities to audit enrollment and restrict passkeys to physical security keys.
Next, we have Device Bound Session Credentials (DBSC), now available in open beta, which protects you after you have already signed in. It works like this: when you log in, your browser generates a unique public/private key pair. The private key stays locked down on your machine, ideally in a hardware security chip, while the public key goes to the server. To keep the session alive, the server periodically sends a challenge that only the device holding the private key can correctly answer.
[Image: Admin console UI for the Google session control section to enable DBSC. Image: Google]
If someone steals your session cookie, it is useless on their machine because they do not have that key. At the moment, this feature is only available on Chrome for Windows.
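A toy Go sketch of the DBSC challenge-response described above, added here as an illustration; it is not Chrome's or Google's code, and the session record layout, the digest over cookie plus nonce, and the function names are assumptions:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Server side (assumed layout, not Google's implementation): cookie -> device public key registered at sign-in.
type server struct{ sessions map[string]*ecdsa.PublicKey }
// Client side: the private key never leaves the device; only the cookie travels over the wire.
type client struct{ priv *ecdsa.PrivateKey; cookie string }

// signIn generates the device key pair and registers its public key against a fresh cookie.
func signIn(s *server, cookie string) *client {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo: key generation error ignored
	s.sessions[cookie] = &priv.PublicKey
	return &client{priv: priv, cookie: cookie}
}

// challengeDigest binds the nonce to the cookie so an answer cannot be replayed against another session.
func challengeDigest(cookie string, nonce []byte) []byte {
	d := sha256.Sum256(append([]byte(cookie), nonce...))
	return d[:]
}

// answer signs the server's challenge with the device-bound private key.
func (c *client) answer(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, c.priv, challengeDigest(c.cookie, nonce))
}

// refresh extends the session only if the signature verifies under the key registered at sign-in.
func (s *server) refresh(cookie string, nonce, sig []byte) bool {
	pub, ok := s.sessions[cookie]
	return ok && ecdsa.VerifyASN1(pub, challengeDigest(cookie, nonce), sig)
}

// Demo reports whether the real device, then a thief replaying the stolen cookie, get the session extended.
func Demo() (legit, stolen bool) {
	srv := &server{sessions: map[string]*ecdsa.PublicKey{}}
	victim := signIn(srv, "session-cookie-abc") // constructed sample cookie value
	nonce := make([]byte, 32)
	rand.Read(nonce) // the server's random per-refresh challenge
	sig, _ := victim.answer(nonce)
	legit = srv.refresh(victim.cookie, nonce, sig)
	// The thief holds the exfiltrated cookie but only a key pair generated on their own machine.
	thiefKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badSig, _ := (&client{priv: thiefKey, cookie: victim.cookie}).answer(nonce)
	return legit, srv.refresh(victim.cookie, nonce, badSig)
}
```

The cookie alone is not enough to pass the refresh: the server only extends a session when the challenge is signed with the private key registered at sign-in.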
You might remember back in 2023 when tech YouTuber Linus Sebastian had his Linus Tech Tips channel (alongside the Techquickie sister channel) hacked. The attackers gained access through a malicious file disguised as a PDF in a sponsorship offer email.
After a staff member opened the file, it stole the channel's session tokens, giving the hackers full control to run cryptocurrency scams. DBSC is designed to make that kind of credential theft much harder.
Lastly, the company says that later this year it will introduce a Shared Signals Framework (SSF) receiver. This means that different security services can talk to each other in a standardized way: if your identity provider detects a problem with your account, it can send a signal to Google to terminate your session immediately.
Hope you enjoyed this news post.
Posted Wednesday 30 July 2025 at 4:04 am AEST (my time).