- Google is making changes to its Workspace account security
- Passkey support has been rolled out to reduce phishing effectiveness
- DBSC and SSF will mitigate cookie token theft and improve security tool communication
Google Workspace is upping its defenses against account takeover following a year-on-year in successful attacks.
The company says 37% of account takeovers use phishing or credential theft as an attack vector, and there was an 84% increase in email-delivered infostealers in 2024 over the previous year, with the most common method being cookie and authentication token theft.
To mitigate this, Google is making three changes to Workspace productivity suite to reduce the risk of account takeover and better protect organizations from attacks.
Seamless account security
Firstly, Google has rolled out passkey support to over 11 million Google Workspace accounts, making them more phishing resistant than ever and making it easier for customers to log in.
Google has also expanded Admin access to passkey tools allowing them to audit passkey enrollment and restrict passkeys to certain formats such as physical security keys.
Secondly, Google Workspace now offers Device Bound Session Credentials (DBSC) in open beta. DBSCs are a hardware backed security mechanism that uses a cryptographic key paired to the user’s device.
Each time session cookies are refreshed, Google Chrome verifies it is definitely the user in control of the account by verifying the private key kept in secure storage on the user’s device. This significantly mitigates the potential for stolen cookies to be used to hijack sessions and takeover accounts, which is fast becoming one of the most successful methods for account takeover.
Finally, Google will soon be introducing a shared signals framework (SSF) receiver in closed beta. This will allow platforms to communicate in near real-time about new security signals, such as increased risk for a particular account. Additionally, SSF will also allow organizations to share key user information such as device types between security solutions.
Overall, Google’s steps to increase Workspace account security will help create a seamless login experience for users while also adding an extra layer of security against phishing, as well as cookie and authentication token theft.
Moreover, the additional controls for admins and the soon-to-come inclusion of SSF will make it easier for security teams to evaluate and improve the overall security posture of their organization.
