May 28, 2026
Prevent account takeovers with Device Bound Session Credentials (DBSC), now generally available in the Chrome browser for Windows
Previously available in beta, Device Bound Session Credentials (DBSC) in the Chrome browser on Windows is now generally available and enabled by default for Google Workspace users.
DBSC strengthens account security after users are logged in and helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from. Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies.
With this change to general availability, Workspace admins no longer need to take action to enable DBSC in the Admin console. Organizations can also bolster protections with more granular account attributes when using DBSC together with context-aware access (CAA). To monitor DBSC binding events, admins can view the audit logs available in the security investigation tool.
,%20now%20generally%20available%20in%20the%20Chrome%20browser%20for%20Windows%20-%205212.png) |
| An example of the audit log and log details for a DBSC event in the admin console |
Getting started
- Admins: This feature is ON by default for all Google Workspace customers, and there is no administrator control to disable it.
- End users: There is no end user setting for this feature.
Rollout pace
- Rapid Release and Scheduled Release domains: Gradual rollout (up to 60 days for feature visibility) started on May 25, 2026
Availability
- Available to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts
Resources
- Google Workspace Admin Help: Prevent cookie theft with session binding