Google’s AI-Powered Security Now Blocks Suspicious Activity Automatically
Account takeovers are on the rise — and one of the sneakiest methods attackers use isn’t cracking passwords, but stealing cookies and authentication tokens. Google says this single tactic is behind 37% of successful account breaches, making it one of the most dangerous threats facing organizations today.
Thanks to a surge in info-stealer malware delivered through phishing emails, hackers can now silently extract session data from infected devices. This lets them bypass even multi-factor authentication (MFA) and gain full access to corporate accounts — all without ever knowing your password.
To fight back, Google is rolling out three major security enhancements for Google Workspace, designed to stop attackers in their tracks, even after they’ve stolen your login session.
1. Passkeys for All Workspace Users — No Phishing Possible
The first line of defense: passkeys.
Now available to over 11 million Google Workspace customers, passkeys replace traditional passwords with cryptographic keys tied directly to your device. Unlike passwords or 2FA codes, passkeys can’t be phished — because there’s nothing to trick you into entering on a fake login page.
When you sign in with a passkey, your device proves your identity using a secure key pair, often stored in a hardware security chip or physical security key (like a YubiKey).
Google has also expanded admin controls, allowing IT teams to:
- Monitor passkey enrollment across the organization
- Enforce the use of physical security keys only for higher-risk roles
This makes it easier to adopt phishing-resistant authentication at scale — a critical step for enterprise security.
2. Device-Bound Session Credentials (DBSC): Your Session, Locked to Your Device
Even if you log in securely, attackers can still hijack your session by stealing cookies or tokens from your browser. That’s where Device-Bound Session Credentials (DBSC) comes in.
Now in open beta, DBSC adds a powerful layer of protection after you’ve signed in. Here’s how it works:
- When you log in, your browser generates a unique public-private key pair
- The private key stays securely on your device — ideally in a hardware security module
- The server uses the public key to send periodic “challenges”
- Only your device can respond correctly — proving it’s still you
If a hacker steals your session cookie but tries to use it from another machine? They fail the challenge. The session becomes useless.
This feature is currently available on Chrome for Windows, and it’s designed to stop attacks like the one that hit Linus Tech Tips in 2023 — when a malicious file disguised as a PDF stole active session tokens and led to a high-profile YouTube channel takeover.
With DBSC, even if malware grabs your cookie, the attacker can’t reuse it.
3. Shared Signals Framework (SSF): Security Tools That Talk to Each Other
Coming later this year, Google is introducing the Shared Signals Framework (SSF) receiver — a new way for security systems to collaborate in real time.
Here’s the idea: if your identity provider, endpoint protection, or email security tool detects a compromised device or suspicious behavior, it can send a trusted signal directly to Google.
That signal can trigger an immediate session termination, logging you out of Google Workspace even if you’re still “active” — stopping an attack before data is exfiltrated.
This interoperability means your entire security stack works as a unified system, not isolated tools.
Google is building SSF on open standards, encouraging other vendors to adopt the framework and create a safer ecosystem for everyone.
Why These Updates Matter for Businesses
Together, these three enhancements tackle account takeovers at multiple stages:
- Before login: Passkeys stop phishing
- After login: DBSC protects active sessions
- During an attack: SSF enables real-time response
And the best part? Many of these features work in the background, with minimal disruption to users.
Google emphasizes that security shouldn’t slow people down — it should make them safer without them noticing, until it’s needed.
Recommended actions for admins:
- ✅ Encourage or enforce passkey adoption
- ✅ Enable DBSC in the Admin Console for pilot users
- ✅ Review third-party app access and phishing training policies
Final Thoughts: A New Era of Post-Login Security
For years, the focus has been on securing the login moment. But Google’s latest updates recognize a harsh reality: the real danger often comes after you’ve already signed in.
With passkeys, DBSC, and SSF, Google is shifting from password-centric security to device-aware, session-hardened protection — a smarter, more resilient approach for the modern threat landscape.
And while no system is immune, these upgrades make it dramatically harder for attackers to succeed.
Because in today’s world, protecting your password isn’t enough — you also need to protect your session.
