
Google’s New Security Features to Combat Cookie and Token Theft
In a proactive move to enhance digital security, Google has announced three key improvements aimed at helping organizations thwart the theft of cookies and authentication tokens. According to the tech giant, these types of theft are responsible for approximately 37% of successful account takeovers.
The increasing prevalence of email-delivered infostealers poses a significant challenge: rather than attacking the login itself, the malware lifts already-authenticated session cookies and tokens from the browser and replays them from the attacker's machine. Because the victim has already completed multi-factor authentication, this bypasses even robust MFA and lets the attacker into the account with relative ease.
Introduction of Passkey Support
The first major enhancement involves the rollout of passkey support for all Google Workspace users. This feature not only simplifies the user experience but also strengthens the account's security posture. A passkey is a public-key credential bound to the site's origin, and its private key never leaves the authenticator (a phone, laptop or hardware security key), so a lookalike domain cannot obtain a credential that works against the real site, which is what makes passkeys resistant to phishing.
Passkey support is now generally available to more than 11 million Google Workspace customers, with expanded admin capabilities to audit enrollment and restrict passkeys to physical security keys.
Device Bound Session Credentials (DBSC)
The second enhancement is the introduction of Device Bound Session Credentials (DBSC), which is currently available in open beta. This feature protects users even after they have logged in. Here's how it works: upon login, the browser generates a unique public/private key pair. The private key remains on the device, ideally in a hardware-backed store such as the device's TPM, while the public key is sent to the server. To keep the session alive, the server periodically issues a challenge that the browser must sign with the private key; the server verifies the signature against the registered public key before handing out a fresh short-lived session cookie.

This means that even if an attacker manages to steal your session cookie, it is of little use on their machine: the cookie expires after a short time, and renewing it requires a signature from the private key, which the attacker does not have. Currently, DBSC is exclusively available on Chrome for Windows users.
Enhanced Security through Shared Signals Framework
Looking ahead, Google plans to introduce a Shared Signals Framework (SSF) receiver later this year. SSF lets different security services exchange security events in a standardized format. Should an identity provider detect a problem with your account, it can promptly signal Google, which can then terminate the affected session, minimizing the window for unauthorized access.
Such measures are particularly relevant in light of recent high-profile incidents, including the hijacking of the Linus Tech Tips YouTube channels in 2023. That breach began when an employee opened a malicious file posing as a PDF attached to a sponsorship email; the malware harvested the browser's session tokens, giving the attackers control of the channels without ever needing a password or MFA code. DBSC and the other features announced here aim to make this kind of session-token theft far less effective in the future.