Google has announced the general availability of Device Bound Session Credentials (DBSC) in the Chrome browser on Windows. The feature is designed to combat session cookie theft, a prevalent threat.
What are Device Bound Session Credentials?
Initially launched in beta for Google Workspace users, DBSC is now active by default for all Workspace customers, Workspace Individual subscribers, and personal Google accounts. Session cookies, which websites use to keep a user authenticated, are a target for cybercriminals, who use techniques such as pass-the-cookie attacks to bypass multi-factor authentication.
DBSC counters this threat by binding a session cookie to the specific device used during authentication. This ensures that even if a cookie is stolen through malware, it cannot be used on another device, increasing the difficulty for attackers who rely on such tokens to maintain unauthorized access.
Integration with Context-Aware Access
Google has enhanced the effectiveness of DBSC by integrating it with Context-Aware Access (CAA). This allows organizations to enforce more precise access policies by considering device attributes, user behavior, and environmental factors, adding another security layer beyond initial authentication.
Administrators can monitor binding events in the audit logs of Google’s security investigation tool, which helps security teams detect anomalies and ensure session integrity. This functionality is automatically enabled and cannot be disabled via the Admin console.
Rollout and Impact on Security
The rollout began on May 25, 2026, for both Rapid Release and Scheduled Release domains, with full visibility anticipated within 60 days. The feature is available to all Google Workspace customers, Workspace Individual subscribers, and personal Google account holders.
DBSC represents a shift in post-authentication security by extending trust verification throughout the session lifecycle, reducing exposure to credential-based lateral movement and persistence techniques. Security teams are advised to review audit logs in the Google Admin console to establish a baseline for normal DBSC binding behavior and identify potential session hijacking attempts.
