Google boosts Workspace security with new measures to combat account hijacking

29 July 2025

In a significant move to strengthen cybersecurity for its enterprise users, Google has unveiled a trio of new measures designed to protect Google Workspace accounts from one of the fastest-growing digital threats: session cookie and authentication token theft. According to the company, this type of theft is behind nearly 37% of successful account takeovers, a statistic that has driven the need for stronger, more resilient defenses.

The threat largely stems from infostealing malware, often delivered via seemingly harmless email attachments. These tools silently extract session data from the browser: the cookies and tokens that let a user stay signed in to a service without re-entering a password. A stolen token is replayed from the attacker's own machine, and the service treats the request as coming from the already-authenticated user. Because the password and any multi-factor prompt were satisfied on the victim's device when the session was created, neither is asked for again, which is why this route sidesteps MFA and hands the attacker full control of the account with minimal resistance.

To counter this growing threat, Google is rolling out three major enhancements aimed at reinforcing user authentication and session integrity across the Workspace platform, which serves more than 11 million organizations globally.

The first key update is the broader implementation of passkeys for all Google Workspace users. Unlike traditional passwords, passkeys are public-key credentials: the private key lives on the user's authenticator (a device-bound key, a hardware security key, or a key synced between the user's devices by a password manager) and only a signature ever leaves it. That signature is bound to the site's origin, so it cannot be replayed on a lookalike phishing domain, and there is no shared secret to guess or reuse elsewhere. This makes them a far more secure alternative to standard login methods. Google notes that passkeys also streamline the login experience, reducing friction for users while increasing protection. Administrators now have access to tools within the Google Admin Console to monitor passkey enrollment and to enforce policies that restrict authentication to physical security keys where necessary.

The second security upgrade comes in the form of Device Bound Session Credentials (DBSC), now available in open beta. This system adds a new layer of protection after a user has signed in, securing the session from the inside out. At sign-in the browser generates a fresh public/private key pair. The public key is registered with Google's servers, while the private key stays on the user's device, ideally inside a hardware security chip such as a TPM, from which it cannot be exported. To keep the session alive, the server periodically issues a random challenge that the browser must sign with the private key before a short-lived session cookie is renewed. Even if an attacker extracts that cookie, it expires shortly after and cannot be refreshed without the key, so the copied cookie alone is useless without access to the original device.

Currently, DBSC is only supported on Google Chrome for Windows, but its implications for account security are already notable. Google references high-profile breaches such as the 2023 hack of Linus Tech Tips and its affiliated channels, which were compromised after an employee opened a fake sponsorship proposal disguised as a PDF file. That file silently harvested session tokens, giving the attackers full access to the channel, which they used to broadcast cryptocurrency scams. Had DBSC been in place, the exfiltrated tokens would have stopped working as soon as they expired, and such an attack would likely have failed. One caveat practitioners should keep in mind: DBSC defeats exfiltration of the cookie, not malware that keeps running on the victim's device and drives the still-bound browser session from there, so it complements endpoint protection rather than replacing it.

The final piece of Google's new security initiative is the upcoming introduction of a Shared Signals Framework (SSF) receiver, expected later this year. SSF is an OpenID Foundation standard that lets identity and security systems exchange real-time information as Security Event Tokens, signed JWTs that a transmitter pushes or a receiver polls. Under its Continuous Access Evaluation Profile (CAEP), an identity provider that detects suspicious activity or a compromise can emit a session-revoked event for the affected user, and Google, acting as the receiver, can immediately terminate the matching Workspace session instead of waiting for it to expire. This level of interoperability across platforms and services is seen as critical in rapidly detecting and responding to security threats before they escalate.

These developments represent a major step in Google's broader effort to harden its ecosystem against increasingly sophisticated cyberattacks. As hackers evolve their tactics, targeting not just passwords but session tokens and device credentials, the need for smarter, device-based authentication methods becomes more urgent.
