
Google Workspace Account Security with Passkeys and Device-Bound Credentials.

Google Workspace introduces DBSC, securing login sessions by linking them to user devices, making stolen cookies useless to attackers.
[Image: Google Workspace. Credit: Google]
Key Takeaways.
  • DBSC binds session cookies to the user’s device, making stolen cookies unusable on other devices, even if credentials are compromised.
  • Google recommends enabling DBSC with passkeys and context-aware access to safeguard enterprise accounts from phishing and cookie-based attacks.

Google Workspace has introduced a new security layer called Device Bound Session Credentials (DBSC) to help prevent attackers from hijacking accounts using stolen session cookies. The feature is now available in beta for Chrome users on Windows and is part of Google’s effort to strengthen enterprise account security.

How DBSC Enhances Session Security.

DBSC ties session cookies to the specific device used during authentication. When a user logs in, Chrome generates a unique public/private key pair—ideally stored in a Trusted Platform Module (TPM)—and binds the session cookie to this key. This means that stolen cookies cannot be reused from another device, significantly reducing the risk of remote account takeovers.

Google says this approach helps block malware-based attacks that steal session tokens after login, including those that bypass multi-factor authentication (MFA). By binding sessions to devices, attackers lose the value of exfiltrated cookies unless they have full access to the original hardware.
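To make the binding step concrete, here is an added toy model in Go of the mechanism the two paragraphs above describe; it is not Google's code and not the real DBSC wire protocol. The browser holds a private key, the server stores the matching public key beside the cookie at login, and every later request must carry a signature over a fresh server challenge, so a copied cookie is refused unless the signing key comes with it. The function names, the cookie-plus-challenge message layout and the in-memory key are assumptions of this example (Chrome is meant to keep the real key in the TPM).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Session is the server's record for one login: the cookie and the browser's public key.
type Session struct {
	Cookie string
	Pub    ed25519.PublicKey
}

// NewDevice creates the browser's binding key pair. In DBSC the private half stays
// in the TPM and never leaves the machine; this toy model keeps it in memory.
func NewDevice() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Nonce serves as both the cookie value and the per-request challenge; a fresh
// challenge on every request means a captured proof cannot simply be replayed.
func Nonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return string(b)
}

// Login issues a cookie and records the device's public key alongside it.
func Login(dev ed25519.PrivateKey) *Session {
	return &Session{Cookie: Nonce(), Pub: dev.Public().(ed25519.PublicKey)}
}

// message binds the proof to this cookie and this challenge (both are fixed-length
// nonces, so the concatenation is unambiguous).
func message(cookie, challenge string) []byte { return []byte(cookie + "|" + challenge) }

// Prove is the browser's side: sign the cookie and challenge with the bound key.
func Prove(dev ed25519.PrivateKey, cookie, challenge string) []byte {
	return ed25519.Sign(dev, message(cookie, challenge))
}

// Accept is the server's side: the cookie is honoured only with a valid signature from
// the key registered at login, so the same cookie presented from another device is refused.
func Accept(s *Session, cookie, challenge string, sig []byte) bool {
	return cookie == s.Cookie && ed25519.Verify(s.Pub, message(cookie, challenge), sig)
}
```

A session store would also rotate or expire the challenge after one use; this model only shows the binding check itself.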

Session cookie theft has become a major threat, especially when targeted at enterprise users or high-profile accounts. Attackers use malware, malicious browser extensions, or man-in-the-middle phishing tools to capture authentication tokens, then reuse them to access services like Gmail, Google Drive, or Microsoft 365 without needing passwords or MFA codes.

By rolling out DBSC, Google is responding to a surge in token theft attacks observed in 2025. The feature aims to reduce account compromise even when login credentials are stolen.

How to Enable and What It Requires.

Workspace administrators can enable DBSC for their organization through Chrome policies or settings. The feature is currently supported on Chrome for Windows on devices where a TPM is available. Google also recommends combining DBSC with passkeys and context-aware access (CAA) to reinforce its effect.

As Google rolls out broader support for DBSC, identity platforms like Okta and other browsers, including Microsoft Edge, have expressed interest in participating. Google is also working on open web standards to promote widespread adoption.

Looking Ahead

DBSC represents a shift in how session security is managed. Traditional cookie-based authentication, even when hardened with MFA, remains vulnerable if cookie theft occurs after login. With DBSC, even if attackers steal authentication tokens, they cannot exploit them from another device.

Google plans to extend DBSC to more platforms in the future and advance threat detection via its Shared Signals Framework (SSF), allowing security tools and identity providers to share risk signals in near-real time.