Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Google Strengthens Security with Device Bound Session Credentials, Passkeys, and New Zero-Day Policies

2 August 2025 07:45

Google is pushing the boundaries of security with a new initiative, making Device Bound Session Credentials (DBSC) a public beta feature that helps protect users from session cookie theft.

Initially introduced as a prototype in April 2024, the system is now available in the Chrome browser for Windows and ties authentication sessions to a specific device. This means that even if cookies are stolen, an attacker won’t be able to use them on another computer.

According to the head of product management for Google Workspace, DBSC strengthens post-login protection by blocking remote authorization from another device. This association prevents the reuse of cookies to capture the session and improves the integrity of authorization data. The technology is designed to strengthen account protection not only at sign-in, but throughout the entire interaction with the services.
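The binding described above can be modeled as proof of possession of a device-held key. The following is an added example, not code from the article or from Google, and it is a simplified model rather than the DBSC protocol itself: the `SessionServer` and `Device` classes, the challenge format, and the use of a P-256 key are assumptions, as is the premise that the private key never leaves the device.

```javascript
// Added illustration: simplified device-bound session model, not Google's DBSC protocol.
const crypto = require('node:crypto');

// Hypothetical server: each session is bound to the public key registered at login.
class SessionServer {
  constructor() { this.sessions = new Map(); }
  login(publicKeyPem) {
    const id = crypto.randomBytes(16).toString('hex');
    this.sessions.set(id, { publicKeyPem, challenge: null });
    return id;
  }
  // A fresh random challenge must be signed before the short-lived cookie is renewed.
  challenge(id) {
    const s = this.sessions.get(id);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }
  // Returns a new cookie value only if the bound key signed the outstanding challenge.
  refresh(id, signature) {
    const s = this.sessions.get(id);
    if (!s || !s.challenge) return null;
    const data = Buffer.from(s.challenge);
    s.challenge = null; // single use: a captured signature cannot be replayed
    if (!crypto.verify('sha256', data, s.publicKeyPem, signature)) return null;
    return crypto.randomBytes(16).toString('hex');
  }
}

// Hypothetical device: the key pair is generated locally and only the public half is shared.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge) { return crypto.sign('sha256', Buffer.from(challenge), this.privateKey); }
}

// The session id works from the enrolled device and fails from any other machine.
function demo() {
  const server = new SessionServer();
  const enrolled = new Device();
  const otherMachine = new Device(); // holds a copied session id but not the bound key
  const id = server.login(enrolled.publicKeyPem);
  const legit = server.refresh(id, enrolled.sign(server.challenge(id)));
  const foreign = server.refresh(id, otherMachine.sign(server.challenge(id)));
  return { legit: legit !== null, foreign: foreign !== null };
}
```

Because the renewed cookie is short-lived in this model, a copied cookie stops working at the next refresh unless the holder can also sign with the device key.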

In addition to DBSC, Google announced expanded support for passkey technology, now available to over 11 million Google Workspace enterprise customers. New administrative tools have also been introduced to control key registration and limit their use to hardware tokens only.

At the same time, the company is launching closed testing of a new security signal exchange mechanism: Shared Signals Framework (SSF). This protocol, based on the OpenID standard, is designed to rapidly transfer information about potential incidents between different systems. SSF creates an architecture in which some services (“transmitters”) can promptly notify others (“receivers”) of suspicious activity, allowing them to instantly respond to threats and synchronize protection measures.

Furthermore, Google Project Zero, the division specializing in zero-day vulnerability detection, announced the launch of a pilot initiative called Reporting Transparency. Its goal is to reduce the time between the creation of a fix and its availability for end users. Often, the problem doesn’t occur at the user level, but in companies using external components that don’t have time to integrate the received fix into their own products. The new phase of the vulnerability disclosure process requires information about the issue to be published within a week of being passed on to the developer.

Reports will now include the name of the vendor or project, the name of the product, the date the report was submitted, and the 90-day disclosure deadline. The pilot list already includes two Windows vulnerabilities, a bug in the Dolby Unified Decoder, and three bugs in the Google BigWave project.

Google also plans to use this approach in the Big Sleep project, an experimental AI tool developed in collaboration with DeepMind. Its goal is to use artificial intelligence to automate vulnerability research and accelerate the analysis of potential threats. At the same time, the company emphasizes that no technical details, PoC code, or material that could be useful to attackers will be published until the end of the disclosure period.

This reflects a broader trend at Google: a focus on a proactive, coordinated, and technologically advanced cyber defense model, aimed at minimizing incident response times and increasing transparency across the entire software ecosystem.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.