As an administrator, you can enhance the security of your users' online sessions by implementing Device Bound Session Credentials (DBSC). DBSC is designed to prevent session hijacking, also commonly known as cookie theft.
This type of cyberattack occurs when an unauthorized party gains control of a user's active web session by stealing the session cookie (a small data file containing the unique session identifier) issued by the website during login. By presenting this stolen cookie, the attacker can impersonate the legitimate user and continue their authenticated session.
DBSC works by binding a user's session to their specific device, making it difficult for attackers to use stolen cookies on other devices. By using DBSC, you can lower the risk of unauthorized access to user accounts, keeping sensitive user data safe.
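To make the binding concrete, here is an added example (not Google's or Chrome's code, and not the actual DBSC wire protocol) that models the mechanism with a P-256 key pair: the server stores the device's public key next to the session cookie and periodically challenges the presenter to sign a fresh nonce, so a cookie copied off the device fails the check. The function names, cookie value and nonce are assumptions, and the in-memory key stands in for the TPM-held key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server-side table: each session cookie value is paired with the public half of a
// key pair the device generated; the private half stays in the device's TPM.
var boundSessions = map[string]*ecdsa.PublicKey{}

// registerSession binds a freshly issued cookie to the device's public key.
func registerSession(cookie string, pub *ecdsa.PublicKey) {
	boundSessions[cookie] = pub
}

// proveBinding is the device's side: sign the server's fresh challenge with the
// private key. (Modelled with an in-memory key; a real TPM would never export it.)
func proveBinding(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// checkSession is the server's periodic binding check: presenting the cookie is
// not enough, the presenter must also prove possession of the key bound to it.
func checkSession(cookie string, challenge, sig []byte) bool {
	pub, ok := boundSessions[cookie]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	deviceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	registerSession("sid-123", &deviceKey.PublicKey) // constructed cookie value
	challenge := []byte("server-nonce-1")             // constructed challenge
	sig, _ := proveBinding(deviceKey, challenge)
	fmt.Println("same device:", checkSession("sid-123", challenge, sig))
	// The cookie copied to another device: that device cannot produce a valid
	// signature for the registered key, so the check fails and a new sign-in is required.
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badSig, _ := proveBinding(otherKey, challenge)
	fmt.Println("cookie on another device:", checkSession("sid-123", challenge, badSig))
}
```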
Requirements for using DBSC
- Currently, DBSC is available only in the Chrome browser on Windows devices.
- The user's device must have a Trusted Platform Module (TPM), which is a standard hardware component that’s already available for most devices running Windows 11, to securely store and process cryptographic data. Users can typically find information about TPM availability in their device's system settings or by consulting the device manufacturer's documentation.
- The user must have Chrome version 136 or above. For details, go to Update Google Chrome.
Turn on DBSC
Before you begin: If needed, learn how to apply the setting to a department or group.
- Sign in with an administrator account to the Google Admin console. If you aren't using an administrator account, you can't access the Admin console.
- Go to Menu > Security > Access and data control > Google Session control. Requires having the Security settings administrator privilege.
- (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Group settings override organizational units.
- For Device Bound Session Credentials, select Enable DBSC.
- Click Save. Or, you might click Override for an organizational unit. To later restore the inherited value, click Inherit (or Unset for a group).
Potential outcomes of turning on DBSC
After you turn on DBSC, users might experience:
- Session interruptions: If a user's session is valid but the binding process encounters an error, the system requires the user to sign in again. This safeguards the user's account and data.
- Persistent issues: If a user consistently experiences problems with DBSC, they could be signed out often. In such cases, users should contact their administrator for troubleshooting assistance, which might include disabling DBSC for their account. The admin can create a group that is exempt from DBSC, and add the user to that group.
Enforce DBSC with Context-Aware Access
Limited to desktop web apps and not applicable for mobile apps or APIs
You can further enhance security by requiring users to have DBSC to access specific Google Workspace apps. Users attempting to access protected apps without a DBSC-bound session will be denied access. This security measure is configured through Context-Aware Access.
To set up DBSC enforcement:
- Turn on DBSC for the users that you want to protect. For the steps, go to Turn on DBSC.
- Follow the instructions to create a custom access level in Allow access to apps only from DBSC-bound sessions.
- Assign the access level, in monitor mode, to the apps that should be reachable only from DBSC-bound sessions. Monitor mode simulates enforcement without blocking user access.
- After assessing the impact, assign access levels in active mode to enforce access only by DBSC-bound sessions. For details, go to Deploy Context-Aware Access.
DBSC enforcement is not immediate: after a user signs in, there is a grace period before enforcement is applied. This design accommodates potential temporary binding issues. Once the session is bound, the system periodically checks whether users accessing the specified apps have DBSC-bound sessions. Any reauthentication resets this grace period, and DBSC is not enforced during that reauthentication.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.