Google Workspace Introducing Passkeys to Counter Cookie Theft, Featuring Additional Measures
Google is taking significant strides to combat cookie theft and enhance security for its Workspace users by introducing two innovative technologies: passkeys and Device Bound Session Credentials (DBSC).
Passkeys replace traditional passwords with cryptographic credentials that are uniquely tied to a user's device. Unlike passwords, passkeys are immune to guessing, theft, and leaks through phishing, because the private key is never transmitted to or stored on servers. They use FIDO2 standard technology, as hardware security keys do, but with the convenience of devices users already own, such as Android phones or Windows laptops. The result is simpler and more secure sign-ins: passkeys are unique per website or service, resistant to phishing, and faster to use (reportedly 40% faster than passwords) [1][3].
Device Bound Session Credentials (DBSC) aim to secure session cookies, which are commonly targeted in cookie theft attacks. DBSC binds session cookies cryptographically to the specific device that authenticated the user. This means even if malware steals cookies from the browser, the stolen cookie cannot be reused from another device, effectively blocking unauthorized session hijacking. DBSC is currently supported in Chrome on Windows and is already deployed with some Workspace customers to protect end-user sessions [2][3].
By combining passkeys and DBSC, Google is providing layered protections that significantly reduce the risk of account takeovers caused by cookie theft and credential phishing, particularly for high-value users like IT admins and business leaders in Google Workspace environments [1][3].
Additional measures include Google's Shared Signals Framework (SSF), which facilitates rapid coordinated security responses to detect and mitigate threats across systems, further strengthening Workspace security [3].
Last year, Google initiated the open development of Device Bound Session Credentials with the goal of making it a web standard. Google also recommends passkey adoption for Google Workspace customers, which is now available to over 11 million users [2].
Google's efforts to combat cookie theft demonstrate a commitment to providing robust and secure solutions for Workspace users. With the adoption of passkeys and DBSC, Google is raising the security baseline: passkeys eliminate password vulnerabilities and credential phishing, and DBSC secures session cookies against theft.
References:
[1] Google Security Blog: Protecting your users from account takeover
[2] Google Developers Blog: Device Bound Session Credentials: The future of browser security
[3] Google Workspace Updates: New ways to protect your users from account takeover
- Google's implementation of passkeys and Device Bound Session Credentials (DBSC) in Google Workspace reflects its dedication to enhancing cybersecurity, particularly for data and cloud computing.
- By combining passkeys and DBSC, Google provides robust protection against cookie theft and credential phishing and raises the security baseline for Workspace users.