Google Chrome Rolls Out Session Cookie Theft Protection for All Users

31.05.2026 3 minutes Author: Newsman

Google has started rolling out its new Device Bound Session Credentials (DBSC) security feature, designed to protect users against session cookie theft, one of the most common account takeover techniques. The technology is now available to users with personal Google accounts, Google Workspace customers, and Workspace Individual subscribers.

First announced in 2024, the feature entered beta testing in April this year. Its primary goal is to render stolen session cookies virtually useless to attackers.

DBSC works by cryptographically binding an active session to a specific device. At sign-in the browser generates a key pair and the server associates the session with its public key; the private key is created in, and never leaves, hardware-backed storage such as the Trusted Platform Module (TPM) on Windows systems and the Secure Enclave on Apple devices. Because the private key is non-exportable, it cannot be copied out alongside cookies and other browser profile data.

According to Google, this approach shifts security from simply detecting attacks to actively preventing them. Even if malware manages to steal session cookies, an attacker cannot keep using them from another device, because renewing the session requires a signature from the key that never left the original hardware.

“DBSC fundamentally changes the web’s ability to defend against this threat, shifting the paradigm from reactive detection to proactive prevention by ensuring that successfully exfiltrated cookies cannot be used to gain access to users’ accounts,” Google said.

The company added that the new system strengthens account security after users have already signed in. Session cookies, which websites use to maintain logins and remember user preferences, are now tied directly to the device used for authentication. This significantly reduces the risk of session hijacking when cookies are exfiltrated from a malware-infected device: the stolen cookies cannot be renewed elsewhere. The protection is against off-device reuse; an attacker who stays active on the compromised machine can still drive the browser locally, where the bound key is available.

Once the rollout is complete, DBSC will be automatically enabled for all Google Workspace customers. Organization administrators will not have the option to disable the feature.

[Image: How DBSC Works (source: Google)]

The need for this type of protection became increasingly clear after cybercriminals began abusing Google's undocumented MultiLogin API endpoint. By feeding it account tokens extracted from an infected machine's Chrome profile, attackers could mint fresh authentication cookies even after the originally stolen session cookies had expired.

At the same time, operators behind the widely used information-stealing malware families Lumma and Rhadamanthys claimed they were able to restore expired Google authentication cookies stolen during attacks. This capability enabled threat actors to regain access to victims’ Google accounts even after the original cookies were no longer valid.

In response to these threats, Google previously advised users to remove malware from infected devices and enable Chrome’s Enhanced Safe Browsing mode for additional protection against phishing and malicious software.

With the introduction of DBSC, Google is adding another layer of defense. Because authentication sessions are tied to cryptographic keys stored on a user’s device, attackers who steal cookies will be unable to use them without access to the corresponding hardware-backed keys.
