Google Launches DBSC Public Beta: New Feature Binds Sessions to Devices to Combat Cookie Theft
Google is pushing the boundaries of cybersecurity with a bold new initiative: the public beta release of Device Bound Session Credentials (DBSC), a feature designed to shield users from session cookie theft. Originally introduced as a prototype in April 2024, the system is now available in Chrome on Windows and binds authentication sessions to specific devices. This means that even if session cookies are stolen, they cannot be reused on another machine.
According to the Head of Product Management for Google Workspace, DBSC strengthens post-login security by preventing remote authentication attempts from unauthorized devices. This binding mechanism thwarts session hijacking via reused cookies, enhancing the integrity of authentication across the entire user session—not just at the point of login.
Complementing DBSC, Google has expanded support for passkeys, making the technology accessible to over 11 million Google Workspace enterprise customers. New administrative tools have also been introduced, enabling IT teams to manage passkey registration and enforce the use of hardware-based tokens exclusively.
In parallel, Google is launching a closed beta of the Shared Signals Framework (SSF), a new protocol based on the OpenID standard, designed to facilitate real-time exchange of security signals across systems. SSF establishes an architecture where “senders” can promptly notify “receivers” about suspicious activity, enabling instantaneous threat responses and synchronized defense strategies.
Meanwhile, Google’s elite vulnerability research team, Project Zero, has unveiled a pilot initiative titled Reporting Transparency, aimed at narrowing the gap between the discovery of a vulnerability and the delivery of a fix to end users. The root issue often lies not with users but with organizations that rely on third-party components and fail to integrate patches promptly. Under the new disclosure phase, information about a vulnerability will be published within a week of it being reported to the vendor.
Future transparency reports will detail the affected vendor or project, product name, report submission date, and the 90-day disclosure deadline. Already on the pilot list are two Windows vulnerabilities, a flaw in the Dolby Unified Decoder, and three bugs in Google’s BigWave project.
Google also plans to apply this approach to its experimental initiative Big Sleep—an AI-powered vulnerability discovery tool developed in collaboration with DeepMind. The aim is to harness artificial intelligence to automate the detection of security flaws and accelerate threat analysis. The company emphasizes that no technical specifics, proof-of-concept code, or materials that could assist attackers will be published until the disclosure period has fully elapsed.
Together, these efforts reflect a broader strategic shift within Google—toward a proactive, coordinated, and technologically sophisticated model of cyber defense, one that prioritizes swift incident response and greater transparency across the software ecosystem.