Google Enables DBSC Security Feature to Fight Session Hijacking

Google has officially rolled out the DBSC security feature for Chrome on Windows, strengthening protections against session hijacking and account takeover attacks for Google Workspace users.

Previously available as a beta capability, Device Bound Session Credentials (DBSC) is now generally available and enabled by default. The feature is designed to reduce the growing threat of stolen session cookies, which attackers commonly abuse to bypass login protections after a user successfully authenticates.

Session cookies are small browser files that keep users signed in to websites and cloud platforms. However, cybercriminals increasingly target these cookies using infostealer malware because stolen session data can provide direct access to corporate accounts without requiring passwords or multifactor authentication.

How the DBSC Security Feature Works

The DBSC security feature binds a session credential directly to the device used during authentication. As a result, even if an attacker steals the session cookie, it becomes significantly harder to reuse it on another system.

Google introduced the technology to counter modern malware campaigns that focus on browser session theft instead of credential phishing alone.

The feature works silently in the background inside the Chrome browser on Windows devices. Additionally, organizations do not need to manually deploy or configure the protection because it is automatically enabled for all supported Google Workspace environments.

Security teams can also combine DBSC with Context-Aware Access (CAA) policies for stronger identity validation and device-based access control.

Google Expands Protection Against Cookie Theft

Session hijacking attacks have become a major concern across enterprise environments. Over the past year, multiple cybercriminal groups have used stolen browser tokens to infiltrate cloud services, collaboration platforms, and administrative accounts.

Consequently, browser-level protections are becoming increasingly important for enterprise security strategies.

Google confirmed that administrators can monitor DBSC binding activity through audit logs available inside the Workspace security investigation tools. These logs help organizations track authentication events tied to protected sessions.

Meanwhile, the rollout applies to:

• Google Workspace customers
• Workspace Individual subscribers
• Personal Google account users

The deployment began on May 25, 2026, and Google expects the feature rollout to continue gradually over the next several weeks.

Security Industry Pushes Toward Device-Bound Authentication

The launch of the DBSC security feature reflects a broader industry shift toward device-bound authentication models. Traditional session management methods often rely heavily on reusable browser tokens, which remain attractive targets for attackers.

By linking authentication sessions directly to trusted hardware, companies can limit the effectiveness of malware-driven session theft campaigns.

Cybersecurity experts believe this approach will become more common as infostealer malware continues evolving. Furthermore, device-bound security controls may help organizations reduce risks tied to remote work, unmanaged endpoints, and cloud identity abuse.

Organizations using Chrome and Google Workspace should review their browser security policies and monitor authentication logs closely as attackers continue shifting toward session-based compromise techniques.