Google Workspace combats advanced account hijacking techniques through these straightforward adjustments

Enhancing the Security of Google Workspace further


Google has announced significant changes to its Workspace account security, aiming to reduce the risk of account takeover and better protect organizations from attacks.

Google has introduced several new features to enhance the security of its productivity suite. Among them, Google Workspace now offers Device Bound Session Credentials (DBSC) to mitigate cookie and token theft, a method that accounted for 37% of successful account takeovers in 2024.

One of the key changes is the rollout of passkey support to over 11 million Google Workspace accounts. Passkeys, cryptographic authentication keys tied to a device, are more secure than passwords and resistant to phishing. The feature simplifies login and enhances security, and it gives admins the ability to audit passkey enrollments and restrict usage to specific types, such as physical security keys.

Google Workspace has also introduced DBSC in open beta. This hardware-backed security mechanism protects sessions after sign-in by generating a unique cryptographic key pair on the user's device. The private key remains locked on the device while the public key is stored server-side. Periodic challenges from the server must be answered by the device holding the private key to validate session activity, preventing attackers from hijacking logged-in sessions even if they steal cookies or tokens.
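The challenge-response binding described above can be modelled in a few lines. This is an added example, not Google's code and not the DBSC wire protocol: the names `makeDevice`, `SessionServer` and `demo` are assumptions, and a software P-256 key stands in for the hardware-backed key.

```javascript
// Simplified model of a device-bound session (illustrative names, not the DBSC API).
const crypto = require("node:crypto");
// Stand-in for a device whose private key never leaves it (hardware-backed in practice).
function makeDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { publicKey, answer: (challenge) => crypto.sign("sha256", challenge, privateKey) };
}

class SessionServer {
  constructor() { this.sessions = new Map(); }
  // At sign-in the server stores only the public key next to the session.
  register(publicKey) {
    const id = crypto.randomBytes(16).toString("hex");
    this.sessions.set(id, { publicKey, challenge: null });
    return id;
  }

  // Every refresh starts with a fresh random challenge, so old answers cannot be replayed.
  issueChallenge(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32);
    return s.challenge;
  }

  // The session continues only if the answer verifies under the registered public key.
  refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // each challenge is single use
    return crypto.verify("sha256", challenge, s.publicKey, signature);
  }
}

// Constructed scenario: one legitimate refresh, then two refreshes without the device key.
function demo() {
  const server = new SessionServer(), device = makeDevice();
  const id = server.register(device.publicKey); // the id plays the role of the session cookie
  const c1 = server.issueChallenge(id);
  const oldAnswer = device.answer(c1);
  const legit = server.refresh(id, oldAnswer);
  server.issueChallenge(id);
  const replayed = server.refresh(id, oldAnswer); // earlier answer against a new challenge
  server.issueChallenge(id);
  const otherKey = server.refresh(id, makeDevice().answer(c1)); // signed by a different key
  return { legit, replayed, otherKey };
}
console.log(demo());
```

Only the refresh answered by the registered device succeeds; a copied session identifier on its own does not keep the session alive past the next challenge.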

To further improve security, Google is planning to introduce a shared signals framework (SSF) in a closed beta phase. SSF will enable enhanced communication of security signals between services and tools, helping organizations better detect, evaluate, and respond to potential threats and account takeover attempts by sharing security-relevant information securely across systems.

These enhancements collectively strengthen defense against phishing, credential theft, and session hijacking by improving both sign-in security and ongoing session validation. They also give administrators better oversight and control over authentication methods, making it easier for security teams to evaluate and improve the overall security posture of their organization.

Google's steps to increase Workspace account security are intended to create a seamless login experience for users while adding an extra layer of protection against phishing. They respond to the year-on-year increase in successful account takeovers and the 84% increase in email-delivered infostealers, and to the risk that stolen cookies are used to hijack sessions and take over accounts.

  1. In an effort to bolster security for its productivity suite, Google Workspace has introduced Device Bound Session Credentials (DBSC) and passkey support to mitigate risks associated with phishing and account takeovers.
  2. To maintain the security of its technology offerings, Google is also planning to introduce a shared signals framework (SSF) for enhanced communication of security signals between services, bolstering cybersecurity measures and reducing the risk of account takeovers.
