Google Enhances Device Security with New Features
Date: July 30, 2025
Author: Ravie Lakshmanan
Tags: Device Security / AI Security
Introduction of Device Bound Session Credentials
Google has rolled out a new security feature known as Device Bound Session Credentials (DBSC), now available in open beta. It is aimed at protecting users from session cookie theft, a common attack that could allow unauthorized access to personal accounts.
What is DBSC?
Initially introduced as a prototype in April 2024, the DBSC feature is designed to tighten security by binding authentication sessions specifically to the device used for login. This means that even if an attacker manages to steal session cookies, they cannot use them to access a victim’s account from a different device. Andy Wen, senior director of product management at Google Workspace, emphasizes that this enhancement secures user accounts after they log in, effectively linking a session cookie—a small file that tracks user information—to the device from which the user authenticated.
Strengthening Session Integrity
Beyond securing login sessions, DBSC makes it significantly harder for cybercriminals to reuse stolen session cookies. With stronger session integrity, users can be more confident that their accounts remain protected against intrusion attempts.
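The following added example is not from the article or from Google's code. It is a simplified server-side model of binding a session to a device by proof of possession of a device-held key. The article does not describe DBSC's mechanism, so the P-256 key, the challenge flow, the in-memory store, the function names and the 300-second cookie lifetime are all assumptions.

```javascript
// Added illustration: simplified model of a device-bound session, not Google's code.
// The require/getBuiltinModule fallback lets it run as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const sessions = new Map(); // sessionId -> { publicKey, challenge } (assumed in-memory store)

// Device side: generate the key pair whose private half stays on the device.
function newDeviceKey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}

// Login: the server stores the device's public key with the new session.
function registerSession(publicKey) {
  const sessionId = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey, challenge: null });
  return sessionId;
}

// Before renewing the short-lived cookie, the server issues a fresh single-use challenge.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = nodeCrypto.randomBytes(32);
  return s.challenge;
}

// Renewal succeeds only with the bound key's signature over the outstanding challenge.
function refreshCookie(sessionId, signature) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // consume it so a captured signature cannot be replayed
  const ok = nodeCrypto.verify('sha256', challenge, s.publicKey, signature);
  return ok ? { cookie: nodeCrypto.randomBytes(16).toString('hex'), ttlSeconds: 300 } : null;
}

function demo() {
  const device = newDeviceKey();
  const other = newDeviceKey(); // another machine that holds only the copied session id
  const sid = registerSession(device.publicKey);
  const sig1 = nodeCrypto.sign('sha256', issueChallenge(sid), device.privateKey);
  const legit = refreshCookie(sid, sig1) !== null;
  const sig2 = nodeCrypto.sign('sha256', issueChallenge(sid), other.privateKey);
  const copied = refreshCookie(sid, sig2) !== null;
  issueChallenge(sid);
  const replayed = refreshCookie(sid, sig1) !== null;
  return { legit, copied, replayed };
}
```

Calling demo() shows renewal succeeding only for the device that holds the bound private key; a copied session identifier and a previously captured signature are both rejected.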
Expanded Security Measures
In addition to DBSC, Google has announced broader support for passkey features. This functionality is now available to over 11 million Google Workspace customers, providing expanded administrative controls for auditing passkey enrollment and restricting access to only those using physical security keys. These additional measures fortify account security and simplify the user experience, ensuring safer online interactions.
Introducing the Shared Signals Framework
Further enhancing its security offerings, Google is also set to introduce a Shared Signals Framework (SSF). Currently in closed beta, this framework will enable select customers to exchange vital security signals in near real time using the OpenID standard. Wen describes the framework as a robust communication system where “transmitters” can swiftly notify “receivers” about significant security events. This immediate sharing of information allows for coordinated responses to security threats.
Google Project Zero Takes Action
In another significant development, Google Project Zero, the company’s dedicated team focused on identifying zero-day vulnerabilities, has initiated a trial policy called Reporting Transparency. This policy aims to address what is known as the upstream patch gap—a delay that occurs when a fix is available but hasn’t yet been implemented by downstream users.
Addressing the Upstream Patch Gap
To mitigate this issue, Google plans to publicly disclose details of any reported vulnerability within a week of informing the relevant vendor. The information shared will comprise the vendor or open-source project involved, the affected product, the date of the report, and the expiration date of the 90-day disclosure deadline. This move is intended to prompt quicker action on patches and potentially reduce the risks linked to delayed updates.
Transparency in Vulnerability Reporting
According to Tim Willis of Project Zero, the main aim of this new initiative is to minimize the upstream patch gap while increasing transparency in vulnerability management. By providing early notifications about reported vulnerabilities, downstream developers can monitor potential issues that may impact their users more effectively. This proactive approach seeks to enhance the response times to security threats, aiming for faster implementation of necessary security patches.
Conclusion
Google’s ongoing commitment to improving device security is evident through these recent advancements, including DBSC, passkey support, and the Shared Signals Framework. With the added layer of transparency from Project Zero’s new policy, the tech giant is taking proactive steps to better safeguard users against the ever-evolving landscape of cybersecurity threats. As these features roll out, users can expect strengthened defenses and an overall improved security experience.


