Google is using passkeys and new security tools to help you fight cyberattacks – here’s how

Cybercriminals always have an arsenal of ways to target and attack unsuspecting users, both at home and in the workplace. That puts the onus on companies like Google to find methods to thwart the latest types of cyberattacks. In a new blog post published Tuesday, Google reveals some of the threats facing customers and the tools now available to help them protect themselves.

“First, attackers are intensifying their phishing and credential-theft methods, which drive 37% of successful intrusions,” Google said in its post. “Second, we’ve seen an exponential rise in cookie and authentication-token theft as a preferred method for attackers, with an 84% increase in email-delivered infostealers in 2024 compared to the previous year. That trend has only intensified in 2025.”

OK, those are the threats. Now, how is Google handling them?

Passkeys

First up are passkeys. Designed to replace passwords with a more secure and convenient login method, passkeys offer a few advantages. First, they’re resistant to phishing attacks, as you can’t be tricked into sharing a passkey with a hacker. Second, they’re easier to use, as you authenticate your login with a PIN, a security key, or a biometric method such as a facial or fingerprint scan. Third, each passkey is unique to each website or account.

Passkeys are now supported across more than 11 million Google Workspace accounts. For IT admins, Google aims to expand this capability by allowing them to audit passkey enrollment and to limit passkeys to physical security keys.

Device Bound Session Credentials

Next up is a new protection against cookie and authentication-token theft, in which a hacker steals sensitive data stored in a cookie or authentication token. Here, Google has added an option known as Device Bound Session Credentials (DBSC).

Accessible in the Windows version of Google Chrome, DBSC takes hold after you log in to a site and then binds a session cookie to your device. As a result, an attacker can’t use that cookie on a different device, even if they gain access to it.

DBSC offers three advantages, according to Google.

  • Enhanced post-authentication protection. This means that only the device on which the cookie was created can access the active session.
  • Lower threat of cookie theft. With DBSC, attackers will find it much more difficult to steal a session cookie for use on their own devices.
  • Higher session integrity. Even if an attacker is able to steal your login credentials, DBSC works with a technology called context-aware access (CAA) to try to prevent them from accessing your active session.

Currently in open beta, DBSC is already in use among Google Workspace customers. Google said it expects more customers to tap into the enhanced functionality with CAA.
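
The device binding described above, sketched as an added example (not Google's or Chrome's code), assuming the binding is done with a device-held key pair and a short-lived cookie that is renewed only when the device signs a fresh challenge. The class, function and constant names are hypothetical, and the in-process private key stands in for a hardware-protected one.

```javascript
// Added illustration with hypothetical names; not Chrome's or Google's implementation.
const nodeCrypto = require('node:crypto');
const COOKIE_TTL_MS = 5 * 60 * 1000; // constructed lifetime of the short-lived cookie
// Stand-in for a device. Assumption: the private key never leaves it (e.g. a TPM).
function makeDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { publicKey, sign: (c) => nodeCrypto.sign('sha256', Buffer.from(c), privateKey) };
}

class SessionServer {
  constructor() { this.sessions = new Map(); }
  // Login: record the device public key the session is bound to, then issue a cookie.
  login(user, devicePublicKey, now) {
    const sessionId = nodeCrypto.randomUUID();
    this.sessions.set(sessionId, { user, devicePublicKey, challenge: null });
    return { sessionId, cookie: this.issueCookie(sessionId, now) };
  }
  issueCookie(sessionId, now) {
    const cookie = nodeCrypto.randomBytes(16).toString('hex');
    Object.assign(this.sessions.get(sessionId), { cookie, expires: now + COOKIE_TTL_MS });
    return cookie;
  }
  authorize(sessionId, cookie, now) {
    const s = this.sessions.get(sessionId);
    if (!s || now >= s.expires) return false; // the cookie alone is good only until expiry
    const a = Buffer.from(String(cookie)), b = Buffer.from(s.cookie);
    return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
  }
  newChallenge(sessionId) {
    const s = this.sessions.get(sessionId);
    return s ? (s.challenge = nodeCrypto.randomBytes(32).toString('base64url')) : null;
  }
  // Refresh: a new cookie is issued only for a valid signature over the fresh challenge.
  refresh(sessionId, signature, now) {
    const s = this.sessions.get(sessionId);
    if (!s || !s.challenge) return null;
    const { challenge } = s; s.challenge = null; // single use: a signature can't be replayed
    const ok = nodeCrypto.verify('sha256', Buffer.from(challenge), s.devicePublicKey, signature);
    return ok ? this.issueCookie(sessionId, now) : null;
  }
}
// Constructed scenario: the cookie is copied to a second device and used after expiry.
function copiedCookieDemo(t = COOKIE_TTL_MS + 1) {
  const server = new SessionServer(), owner = makeDevice(), other = makeDevice();
  const { sessionId, cookie } = server.login('alice', owner.publicKey, 0);
  const replayed = server.authorize(sessionId, cookie, t);
  const otherDevice = server.refresh(sessionId, other.sign(server.newChallenge(sessionId)), t);
  const ownerDevice = server.refresh(sessionId, owner.sign(server.newChallenge(sessionId)), t);
  return { replayed, otherDevice, ownerDevice };
}
```

In `copiedCookieDemo()`, `replayed` is `false` and `otherDevice` is `null`, while `ownerDevice` holds a fresh cookie: the session can only be kept alive from the device that holds the bound key.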

Shared Signals Framework

As one more step, Google said it’s working on a way to better receive security signals from its partners. The Shared Signals Framework (SSF) is an OpenID standard that allows for the real-time exchange of signals about major security events. The goal is to help organizations more quickly respond to security threats based on the latest intel.

Currently in beta testing, this program is due to expand in the coming months to identity and endpoint security providers, as well as to Workspace customers.

“Token theft has emerged as a substantial compromise threat, making the evaluation and implementation of Device Bound Session Credentials (DBSC) a crucial priority for customers,” Google said. “To enhance security and prevent account takeovers stemming from phishing and infostealers, we recommend customers enable passkeys and DBSC immediately.”


Source: Robotics - zdnet.com