GBHackers

Google Chrome’s DBSC Now Generally Available to Prevent Account Takeovers


Google has officially made Device Bound Session Credentials (DBSC) generally available for the Chrome browser on Windows.

This architectural upgrade delivers a robust defense mechanism against one of the most pervasive threats in the modern cybersecurity landscape: session cookie theft and token exfiltration.

Previously restricted to beta testing for Google Workspace environments, DBSC is now active by default across all Workspace tiers, Individual subscriptions, and personal Google accounts.

This marks a meaningful shift in post-authentication security, extending trust verification throughout the entire session lifecycle rather than relying solely on perimeter controls at login, Google said.

Google Chrome’s DBSC Now Available

Threat actors target session cookies because a valid cookie lets them bypass multi-factor authentication (MFA) and conditional access policies, both of which are enforced at login rather than on every request. Malware, particularly infostealers, routinely harvests cookies from the browser's on-disk cookie store on compromised endpoints.

Once exfiltrated, attackers inject the stolen cookies into their own browsers to hijack active web sessions.

This pass-the-cookie attack technique grants unauthorized access to sensitive corporate networks and cloud infrastructure without ever requiring the user’s plaintext credentials or an active MFA token.

DBSC neutralizes this attack vector by changing what a session is bound to. At sign-in the browser generates an asymmetric key pair for the session, keeps the private key in hardware (the TPM on Windows) where it cannot be exported, and registers the public key with the server. The server then issues only short-lived session cookies and periodically challenges the browser to sign a fresh nonce; a cookie is renewed only when the signature verifies against the registered key. Trust is therefore tied to the device that holds the private key, not to the cookie value itself.

(Image caption: Cookie Validation Request Successfully Blocked)

If an infostealer extracts a session cookie from a protected Windows machine, the stolen value works only until it expires: without the device's private key the attacker cannot answer the refresh challenge, so the session cannot be renewed on other hardware. The protection is against exfiltration and replay elsewhere; malware that stays resident on the victim's machine can still drive the legitimate browser, which DBSC does not address.

By tethering the session to the origin endpoint, DBSC drastically increases operational costs and complexity for advanced threat actors who rely on stolen tokens for initial access or lateral movement.

Google has amplified the defensive posture of DBSC by integrating it with Context-Aware Access (CAA). Organizations leveraging both capabilities can enforce highly granular, zero-trust access policies based on precise device attributes, behavioral analytics, and environmental signals.

Workspace administrators also gain enhanced visibility into post-authentication security. DBSC binding events are natively recorded in the security investigation tool’s audit logs.

Security teams are strongly encouraged to review these logs to establish baselines for normal binding behavior and proactively flag deviations that may indicate active session hijacking attempts.

Google began a gradual rollout of DBSC on May 25, 2026, encompassing both Rapid Release and Scheduled Release domains. Full feature visibility is anticipated within a 60-day window. The feature is broadly available to the following groups:

  • All Google Workspace customers
  • Workspace Individual subscribers
  • Users with personal Google accounts

Notably, enterprise security teams do not need to take administrative action to deploy this protection. DBSC operates by default at the browser level and intentionally lacks an off switch in the Admin console.

This gives every supported Chrome installation (currently Windows) the same baseline against session hijacking, reducing enterprise exposure to the post-exploitation persistence techniques commonly leveraged by advanced persistent threats (APTs).
