Google has officially moved Device Bound Session Credentials (DBSC) to general availability in the Chrome browser on Windows, delivering a powerful defense against one of the most persistent threats in modern cybersecurity: session cookie theft.
Previously available in beta for Google Workspace users, DBSC is now enabled by default across all Workspace customers, Individual subscribers, and personal Google accounts.
Session cookies are small files websites use to remember authenticated users, but they’ve long been a lucrative target for threat actors. Malware families like infostealer trojans routinely harvest these cookies to hijack active sessions, bypassing multi-factor authentication entirely, a technique known as a pass-the-cookie attack.
DBSC directly counters this threat by cryptographically binding a session cookie to the specific device the user authenticated from. Even if malware successfully exfiltrates a cookie from the compromised endpoint, that cookie becomes essentially useless on any other machine. This significantly raises the operational cost for attackers relying on stolen session tokens to maintain persistent access.
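Why a copied cookie fails once it is bound to a device, as an added sketch that is not Chrome's or Google's DBSC code: it assumes a per-device P-256 key pair registered at sign-in and a single-use server challenge that the device must sign. The names `SessionServer`, `Device` and `canUseSession` are hypothetical, and the key is held in software here purely for illustration.

```javascript
// Added illustration of a device-bound session; a simplified model, not the DBSC protocol itself.
const nodeCrypto = require('node:crypto');
// Server side: each session cookie is stored with the public key registered at sign-in.
class SessionServer {
  constructor() { this.sessions = new Map(); }
  // Bind a new session cookie to the device's public key.
  register(publicKeyPem) {
    const cookie = nodeCrypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKeyPem, challenge: null });
    return cookie;
  }
  // Issue a single-use challenge the device must sign to prove key possession.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = nodeCrypto.randomBytes(32).toString('hex');
    return s.challenge;
  }
  // Accept the cookie only with a valid signature over the outstanding challenge.
  verify(cookie, signatureB64) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use: a replayed signature is rejected
    try {
      return nodeCrypto.verify('sha256', Buffer.from(challenge),
        s.publicKeyPem, Buffer.from(signatureB64, 'base64'));
    } catch { return false; } // malformed signature or key
  }
}

// Device side: the private key never leaves this object, unlike the cookie.
class Device {
  constructor() {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge) {
    return nodeCrypto.sign('sha256', Buffer.from(challenge), this.privateKey).toString('base64');
  }
}

// True when `device` can prove possession of the key bound to `cookie`.
function canUseSession(server, device, cookie) {
  const c = server.challenge(cookie);
  return c !== null && server.verify(cookie, device.sign(c));
}
```

The cookie value is identical in both cases; only the device holding the registered private key can answer the challenge, which is what makes an exfiltrated cookie useless elsewhere.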
Google has further amplified DBSC’s defensive value by integrating it with Context-Aware Access (CAA). Organizations leveraging both capabilities can enforce more granular access policies based on device attributes, user behavior, and environmental signals, adding a further layer of verification beyond initial authentication.
Workspace administrators can now monitor DBSC binding events directly through the security investigation tool’s audit logs, enabling security teams to detect anomalies and track session integrity across their environment.
Notably, DBSC requires no administrative action to enable; it is active by default and cannot be disabled through the Admin console.
Rollout Timeline and Availability
Google began a gradual rollout on May 25, 2026, covering both Rapid Release and Scheduled Release domains, with full feature visibility expected within 60 days. The feature is broadly available to:
- All Google Workspace customers
- Workspace Individual subscribers
- Users with personal Google accounts
DBSC represents a meaningful architectural shift in post-authentication security. Rather than relying solely on perimeter controls or MFA at login, it extends trust verification throughout the session lifecycle.
For enterprise security teams, this reduces exposure to credential-based lateral movement and post-exploitation persistence techniques commonly used by advanced threat actors.
Security teams are encouraged to review audit logs within the Google Admin console to baseline normal DBSC binding behavior and flag any deviations that may indicate active session hijacking attempts.