How passkeys and Device Bound Session Credentials can help
To empower users and customers against identity-based attacks, we’ve introduced two critical innovations developed in close partnership with the wider security community: passkeys and Device Bound Session Credentials (DBSC). These advancements are designed to significantly strengthen account security and prevent account takeovers.
We highly recommend that all Workspace customers, especially those with high-value users such as IT administrators and business leaders, implement these controls.
Use passkeys for a simpler, more secure sign-in
We have made passkeys generally available to all 11 million Workspace organizations and billions of Google consumer users. Passkeys represent a fundamental shift away from passwords, offering a simpler and inherently more secure sign-in experience.
Unlike traditional passwords that can be guessed, stolen, and forgotten, passkeys are unique digital credentials cryptographically tied to your device. They use the robust FIDO2 technology, the same underlying standard used in hardware security keys like our Titan Security Key, with the added convenience of using a device you already own, such as an Android phone or a Windows laptop.
While absolute security remains an elusive goal, from the perspective of account takeover and phishing attacks, passkeys and security keys virtually eliminate these password-based threats. As a founding member and steadfast supporter of the FIDO Alliance, we are encouraged by the growing industry adoption of FIDO technology.
Disrupt cookie theft with Device Bound Session Credentials
We are also addressing the use of infostealers to exfiltrate session cookies, which allows attackers to bypass password and 2FA controls and access victim accounts from their own devices.
Alongside the findings in Mandiant’s M-Trends 2025 report, IBM’s 2025 X-Force Threat Intelligence Index observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year.
In close collaboration with the Chrome team, we are adding a powerful new control to our security arsenal, now in beta: Device Bound Session Credentials (DBSC). DBSC are designed to disrupt cookie theft by creating an authenticated session that is cryptographically bound to a specific device. This approach can significantly mitigate the risk of exfiltrated cookies being used to access accounts from an unauthorized device.
DBSC introduces a new API that enables servers to establish an authenticated session bound to a device. When a session is initiated, the browser generates a unique public-private key pair. The private key is securely stored using hardware-backed storage, such as a Trusted Platform Module (TPM), when available.
The browser then issues a regular session cookie. It is crucial to note that throughout the session’s lifetime, the browser periodically proves possession of the private key and refreshes the session cookie.
This mechanism allows the cookie’s lifetime to be set short enough to render stolen cookies largely useless to attackers. While DBSC currently operates with Chrome and Workspace, numerous server providers, identity providers (IdPs) like Okta, and other browsers such as Microsoft Edge, have expressed strong interest in adopting DBSC to protect their users from cookie theft.
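The binding described above, as an added illustration in Go that is not Chrome's or Workspace's code: the browser registers a public key, the server issues a short-lived cookie, and a refresh is granted only to a caller that signs the server's current challenge with the matching private key, so a copied cookie dies with its lifetime. Ed25519 stands in for the key type, and the session ids, cookie values and ten-minute lifetime are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Session is the server's record of one device-bound session (a constructed model of DBSC, not Chrome's code).
type Session struct {
	pub    ed25519.PublicKey // key the browser generated; the private half never leaves the device
	cookie string            // short-lived bearer cookie, the only thing an infostealer can copy
	expiry time.Time
	nonce  []byte // challenge the browser must sign before the next refresh
}
var sessions = map[string]*Session{}
func randomHex(n int) string { b := make([]byte, n); rand.Read(b); return fmt.Sprintf("%x", b) }

// Register binds a session to the browser's public key and issues the first short-lived cookie.
func Register(pub ed25519.PublicKey, now time.Time, ttl time.Duration) (sid, cookie string, nonce []byte) {
	sid = randomHex(8)
	sessions[sid] = &Session{pub: pub, cookie: randomHex(16), expiry: now.Add(ttl), nonce: []byte(randomHex(16))}
	return sid, sessions[sid].cookie, sessions[sid].nonce
}

// Authorize accepts a request only while the presented cookie is the current one and unexpired.
func Authorize(sid, cookie string, now time.Time) bool {
	s := sessions[sid]
	return s != nil && s.cookie == cookie && now.Before(s.expiry)
}

// Refresh rotates the cookie only when sig proves possession of the bound private key; a thief holding just the cookie cannot.
func Refresh(sid string, sig []byte, now time.Time, ttl time.Duration) (cookie string, nonce []byte, ok bool) {
	s := sessions[sid]
	if s == nil || !ed25519.Verify(s.pub, s.nonce, sig) {
		return "", nil, false // unknown session or failed proof of possession: the old cookie simply expires
	}
	s.cookie, s.expiry, s.nonce = randomHex(16), now.Add(ttl), []byte(randomHex(16)) // new cookie and single-use nonce
	return s.cookie, s.nonce, true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // browser-side key; real DBSC keeps it in the TPM when available
	t0, later := time.Now(), time.Now().Add(11*time.Minute)
	sid, cookie, nonce := Register(pub, t0, 10*time.Minute)
	fresh, _, ok := Refresh(sid, ed25519.Sign(priv, nonce), later, 10*time.Minute)  // real device signs the nonce
	_, _, thief := Refresh(sid, []byte("cookie only, no key"), later, 10*time.Minute) // stolen cookie, no private key
	fmt.Println(Authorize(sid, cookie, t0), Authorize(sid, cookie, later), ok, Authorize(sid, fresh, later), thief)
}
```

Running it prints `true false true true false`: the original cookie works until it expires, the device that holds the key obtains a fresh one, and the holder of only the cookie cannot.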
A combined approach for enhanced security
Combined, passkeys and DBSC can empower organizations to significantly strengthen account security and prevent account takeovers. Both of these security controls are readily available to all Workspace customers, and we strongly advocate for their implementation, particularly for your most critical users such as IT administrators and business leaders.
More information is available on how your organization can start using passkeys and implementing DBSC.