
Defending against account takeovers from today’s top threats with passkeys and DBSC

July 29, 2025
Andy Wen

Senior Director, Product Management, Workspace


Over the past year, defenders have been facing heightened pressure on two fronts. First, attackers are intensifying their phishing and credential theft methods, which drive 37% of successful intrusions. Second, we’ve seen an exponential rise in cookie and authentication token theft as a preferred method for attackers, with an 84% increase in email-delivered infostealers in 2024 compared to the previous year. That trend has only intensified in 2025.

Today, we’re sharing three enhancements in account security to help organizations mitigate these types of attack vectors.

  1. Passkey support is now generally available to more than 11 million Google Workspace customers, with expanded admin capabilities to audit enrollment and restrict passkeys to physical security keys. 

  2. Device Bound Session Credentials (DBSC) is now available in open beta to bolster protections after sign-in. 

  3. Later this year, we will introduce a shared signals framework (SSF) receiver in a closed beta for select customers and partners to evaluate and provide feedback. 

These advancements can meaningfully enhance account security, marking a major step forward in defending against account takeovers for Google Workspace customers. Let’s take a closer look.

An easier and more secure way to sign in

Passkeys are a passwordless sign-in method that can offer users a convenient and secure authentication experience across websites and apps. Unlike passwords, which can be guessed, stolen, or forgotten, passkeys are unique digital credentials tied to a user’s device. Here are some of the benefits of passkeys:

  • Phishing resistance: Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.

  • Ease of use: Signing in with passkeys is as simple as unlocking your device, for example with a PIN or with biometrics such as a fingerprint or facial recognition.

  • Strong security: Unlike passwords that are often re-used, each passkey is unique and generated for each specific website or service.

Image: Signing into a personal or work Google Account with a passkey on a mobile device

Signing in with passkeys is 40% faster than passwords for Workspace users. To date, we have millions of users across enterprises, nonprofits, and educational institutions benefiting from using passkeys.

“We realized, as always in security, you have to keep moving, keep improving,” said Odi Iancu, Executive Director of Enterprise Systems & Cloud Platforms at Wake Forest University. “But we have the tools available to us in Google Workspace for Education Plus to improve our security posture even further by moving to phishing-resistant second factor, leveraging security keys and passkeys.” 

To learn more about Wake Forest University’s experience with Google Workspace, read their customer story.

Securing your account after sign-in

To further enhance account defenses after sign-in, we are adding an innovative protection to our security arsenal: Device Bound Session Credentials (DBSC). Available in the Chrome browser on Windows, DBSC strengthens security after you are logged in and helps bind session cookies (small files used by websites to remember user information) to the device a user authenticated from.

Device Bound Session Credentials (DBSC) provides:

  • Enhanced post-authentication protection: Helps ensure only the originating device can access the active session.

  • Reduced risk of cookie theft: Makes it meaningfully harder for stolen session cookies to be exploited on other devices by malicious actors.

  • Strengthened session integrity: Helps bolster protections further with more granular account attributes when used together with context-aware access (CAA), even if an attacker obtains login credentials after the initial login.
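
To make the binding concrete, here is a simplified model of a device-bound session, added as an illustration; it is not Google's or Chrome's code and does not reproduce the DBSC wire protocol. The class and method names, the 600-second cookie lifetime, and the sample flow are assumptions: the server keeps the public half of a device-held key pair and renews a short-lived cookie only when the client signs a fresh challenge, so a copied cookie stops working once it expires.

```javascript
const crypto = require('node:crypto');
const COOKIE_TTL = 600; // seconds (assumed value); the bound cookie is deliberately short-lived

// Simplified model of a device-bound session (illustrative names, not the DBSC wire protocol).
class SessionServer {
  sessions = new Map(); // sessionId -> { publicKey, cookie, expires, challenge }
  _issue(s, now) {
    Object.assign(s, { cookie: crypto.randomBytes(16).toString('hex'), expires: now + COOKIE_TTL });
    return s.cookie;
  }
  // Sign-in: the browser registers the public half of a key pair held on the device.
  register(publicKey, now) {
    const sessionId = crypto.randomBytes(8).toString('hex');
    const s = { publicKey, challenge: null };
    this.sessions.set(sessionId, s);
    return { sessionId, cookie: this._issue(s, now) };
  }
  // Requests are accepted only while the current cookie is unexpired.
  authorize(sessionId, cookie, now) {
    const s = this.sessions.get(sessionId);
    return Boolean(s) && cookie === s.cookie && now < s.expires;
  }
  // Refresh, step 1: hand out a fresh single-use challenge.
  challenge(sessionId) {
    return (this.sessions.get(sessionId).challenge = crypto.randomBytes(16));
  }
  // Refresh, step 2: a new cookie is issued only for a valid signature over the challenge.
  refresh(sessionId, signature, now) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.challenge) return null;
    const nonce = s.challenge;
    s.challenge = null; // never accept the same challenge twice
    return crypto.verify('sha256', nonce, s.publicKey, signature) ? this._issue(s, now) : null;
  }
}

// Constructed scenario: the cookie is copied off the device, the private key is not.
function demo() {
  const [device, other] = [0, 1].map(() => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }));
  const sign = (key, nonce) => crypto.sign('sha256', nonce, key);
  const server = new SessionServer();
  const { sessionId, cookie } = server.register(device.publicKey, 0);
  return {
    copiedCookieWhileFresh: server.authorize(sessionId, cookie, 60),
    copiedCookieAfterExpiry: server.authorize(sessionId, cookie, 601),
    refreshWithoutDeviceKey: server.refresh(sessionId, sign(other.privateKey, server.challenge(sessionId)), 601),
    refreshWithDeviceKey: server.refresh(sessionId, sign(device.privateKey, server.challenge(sessionId)), 601) !== null,
  };
}
```

In this model the copied cookie is still accepted until it expires, which is why the cookie lifetime is kept short and why monitoring for session use from unexpected devices remains useful alongside the binding.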

Some of our customers have already begun using DBSC to protect their Workspace users, with more customers looking forward to leveraging the expanded functionality with context-aware access (CAA).

Image: Admin console UI for the Google session control section to enable Device Bound Session Credentials (DBSC)

Securing user accounts when a change in risk is detected

While passkeys and DBSC make it markedly more difficult for bad actors to gain unauthorized account access, being able to secure user accounts when a change in risk has been detected is essential. To that end, we are developing a receiver to consume security signals from security partners. The Shared Signals Framework (SSF) is an OpenID standard designed to enable platforms to exchange crucial security signals in near real-time. This framework acts as a robust system for "transmitters" to promptly inform "receivers" about significant events, facilitating a coordinated response to security threats.

Beyond threat detection and response, signal sharing also allows for the general sharing of different properties, such as device or user information, further enhancing the overall security posture and collaborative defense mechanisms. We intend to expand this beta program to identity and endpoint security partners, as well as to customers in the coming months. For more details, learn more about becoming a partner in this article.

Next steps

Token theft has emerged as a substantial compromise threat, making the evaluation and implementation of Device Bound Session Credentials (DBSC) a crucial priority for customers. To enhance security and prevent account takeovers stemming from phishing and infostealers, we recommend customers enable passkeys and DBSC immediately. Additional information and implementation specifics can be found in the resources below:

To learn more about Workspace and a safer way to work, read our latest blog post on enterprise security and explore our complete suite of offerings on our web page.
