Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers
Cybersecurity NewsArchived May 30, 2026✓ Full text saved
Google has officially moved Device Bound Session Credentials (DBSC) to general availability in the Chrome browser on Windows, delivering a powerful defense against one of the most persistent threats in modern cybersecurity session cookie theft. Previously available in beta for Google Workspace users, DBSC is now enabled by default across all Workspace customers, Individual subscribers, […] The post Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers appeared first
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Google Chrome’s Device-Bound Session Credentials Now GA to Block Account Takeovers
By Guru Baran
May 30, 2026
Google has officially moved Device Bound Session Credentials (DBSC) to general availability in the Chrome browser on Windows, delivering a powerful defense against one of the most persistent threats in modern cybersecurity session cookie theft.
Previously available in beta for Google Workspace users, DBSC is now enabled by default across all Workspace customers, Individual subscribers, and personal Google accounts.
Session cookies are small files websites use to remember authenticated users, but they’ve long been a lucrative target for threat actors. Malware families like infostealer trojans routinely harvest these cookies to hijack active sessions, bypassing multi-factor authentication entirely, a technique known as a pass-the-cookie attack.
DBSC directly counters this threat by cryptographically binding a session cookie to the specific device the user authenticated from. Even if malware successfully exfiltrates a cookie from the compromised endpoint, that cookie becomes essentially useless on any other machine. This significantly raises the operational cost for attackers relying on stolen session tokens to maintain persistent access.
Google has further amplified DBSC’s defensive value by integrating it with Context-Aware Access (CAA). Organizations leveraging both capabilities can enforce more granular access policies based on device attributes, user behavior, and environmental signals, adding an additional layer of verification beyond initial authentication.
Workspace administrators can now monitor DBSC binding events directly through the security investigation tool’s audit logs, enabling security teams to detect anomalies and track session integrity across their environment.
Notably, DBSC requires no administrative action to enable; it is active by default and cannot be disabled through the Admin console.
Rollout Timeline and Availability
Google began a gradual rollout on May 25, 2026, covering both Rapid Release and Scheduled Release domains, with full feature visibility expected within 60 days. The feature is broadly available to:
All Google Workspace customers
Workspace Individual subscribers
Users with personal Google accounts
DBSC represents a meaningful architectural shift in post-authentication security. Rather than relying solely on perimeter controls or MFA at login, it extends trust verification throughout the session lifecycle.
For enterprise security teams, this reduces exposure to credential-based lateral movement and post-exploitation persistence techniques commonly used by advanced threat actors.
Security teams are encouraged to review audit logs within the Google Admin console to baseline normal DBSC binding behavior and flag any deviations that may indicate active session hijacking attempts.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Veeam Backup & Replication Tool Vulnerability Enables Privilege Escalation Attacks
Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products
How Top CISOs Increase Risk Visibility for Zero Critical Incidents
Microsoft Warns Public Release of Zero-Day Details Before Vendor Coordination
MiniUpdate RAT Uses Azure-Hosted C2 Domains for Targeted Espionage Campaigns
Latest News
Cyber Security
Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild
Technology
Post-quantum cryptography is not the future. It is your current reality.
Cyber Security News
Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges
Cyber Security News
JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware
Cyber Security News
Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets