New account hijacking defences for Google Workspace and Chrome
Google has released a series of technical measures to mitigate phishing and credential theft attacks, which the technology giant says are currently intensifying.
The first is the general availability of passkeys for Google Workspace, to authenticate users securely without passwords.
Passkeys are a Fast Identity Online (FIDO) standard supported by multiple vendors.
They are tied to a user’s device and cannot be handed over in a phishing attack; because each passkey is unique and generated for one particular website or service, it cannot be reused in credential stuffing attacks either.
Passkeys are also quick and easy to use, Google said, requiring users only to unlock their devices through PINs, or through biometrics such as fingerprints or facial recognition.
Google has also released its Device Bound Session Credentials (DBSC) feature as an open beta in version 136 and newer of its Chrome web browser on Microsoft Windows.
DBSC was announced last year, and aims to stop hijacking of session cookies.
It works by having the user’s web browser generate a private key that is stored in secure hardware on the device, such as a Trusted Platform Module (TPM) or Secure Enclave; this key is then used to cryptographically sign session credentials.
Servers bind the login session to the user’s DBSC public key, and the browser proves possession of the private key by signing a challenge or token when it sends a request.
If an attacker copies a session cookie, for example with an infostealer, it cannot be used, since the server requires valid cryptographic proof that is tied to the user’s device.
DBSC also ensures that only the originating device can access an active session, and users can be required to use the feature for particular apps, for added security.
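The session binding described above, modelled as an added example in Go that is not Google’s or Chrome’s code: the browser side holds a key pair, the server records the public key at login, and every request must carry a signature over the cookie and a fresh server challenge, so a copied cookie is useless without the device holding the key. All function and type names are invented for this illustration, and the key is kept in memory rather than in a TPM or Secure Enclave.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// NewDeviceKey stands in for the browser's key generation; in Chrome the private
// half lives in the TPM or Secure Enclave and never leaves the device.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// SignRequest: the browser proves key possession by signing cookie + server challenge.
func SignRequest(key *ecdsa.PrivateKey, cookie string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(append([]byte(cookie+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}
type Server struct {
	Sessions   map[string]*ecdsa.PublicKey // cookie -> device key bound at login
	Challenges map[string][]byte           // cookie -> outstanding single-use nonce
}
// Login issues a random cookie and records the device public key it is bound to.
func (s *Server) Login(pub *ecdsa.PublicKey) string {
	b := make([]byte, 16)
	rand.Read(b)
	s.Sessions[hex.EncodeToString(b)] = pub
	return hex.EncodeToString(b)
}
// Challenge hands the browser a fresh nonce that it must sign on its next request.
func (s *Server) Challenge(cookie string) []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.Challenges[cookie] = n
	return n
}
// Verify accepts a request only if the signature came from the key bound at login.
func (s *Server) Verify(cookie string, sig []byte) error {
	pub, bound := s.Sessions[cookie]
	ch, pending := s.Challenges[cookie]
	delete(s.Challenges, cookie) // consumed either way, so replaying an old signature fails
	h := sha256.Sum256(append([]byte(cookie+"|"), ch...))
	if !bound || !pending || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("no bound key, no outstanding challenge, or signature mismatch")
	}
	return nil
}
```

A real deployment would also scope the binding to the origin and rotate challenges over time; this sketch only shows why a stolen cookie, a replayed signature, and an unknown session are all rejected.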
Google is also starting a closed beta to share security insights through the Shared Signals Framework (SSF) standard developed by the OpenID Foundation.
The company will build an SSF receiver for Google Workspace to ingest Continuous Access Evaluation Profile (CAEP) signals transmitted from security platforms.
The signals will provide information to receivers about significant events, which in turn is aimed at facilitating a coordinated response to security threats, Google said.