As an administrator, you can enhance the security of your users' online sessions by implementing Device Bound Session Credentials (DBSC). DBSC is designed to prevent session hijacking, also commonly known as cookie theft.
This type of cyberattack occurs when an unauthorized party gains control of a user's active web session by stealing the session cookie (a small data file containing the unique session identifier) issued by the website during login. By presenting this stolen cookie, the attacker can impersonate the legitimate user and continue their authenticated session.
DBSC works by binding a user's session to their specific device, making it difficult for attackers to use stolen cookies on other devices. By using DBSC, you can lower the risk of unauthorized access to user accounts, keeping sensitive user data safe.
Requirements for using DBSC
- The user's device must have a Trusted Platform Module (TPM), which is a standard hardware component that’s already available for most devices running Windows 11, to securely store and process cryptographic data. Users can typically find information about TPM availability in their device's system settings or by consulting the device manufacturer's documentation.
- The user must have Chrome version 136 or above. For details, go to Update Google Chrome.
Turn on DBSC
Before you begin: If needed, learn how to apply the setting to a department or group.
-
Sign in with an administrator account to the Google Admin console.
If you aren’t using an administrator account, you can’t access the Admin console.
-
Go to Menu
Security > Access and data control > Google Session control.
Requires having the Security settings administrator privilege.
-
(Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how
Group settings override organizational units. Learn more
- For Device Bound Session Credentials, select Enable DBSC.
-
Click Save. Or, you might click Override for an organizational unit.
To later restore the inherited value, click Inherit (or Unset for a group).
Potential outcomes of turning on DBSC
After you turn on DBSC, users might experience:
- Session interruptions–If a user's session is valid but the binding process encounters an error, the system requires the user to sign in again. This safeguards the user's account and data.
- Persistent issues–If a user consistently experiences problems with DBSC, they could be signed out often. In such cases, users should contact their administrator for troubleshooting assistance, which might include disabling DBSC for their account. The admin can create a group that is exempt from DBSC, and add the user to that group.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
