
Make online sessions more secure (beta)

As an administrator, you can enhance the security of your users' online sessions by implementing Device Bound Session Credentials (DBSC). DBSC is designed to prevent session hijacking, also commonly known as cookie theft. 

This type of cyberattack occurs when an unauthorized party gains control of a user's active web session by stealing the session cookie (a small data file containing the unique session identifier) issued by the website during login. By presenting this stolen cookie, the attacker can impersonate the legitimate user and continue their authenticated session. 

DBSC works by binding a user's session to their specific device, making it difficult for attackers to use stolen cookies on other devices. By using DBSC, you can lower the risk of unauthorized access to user accounts, keeping sensitive user data safe.

Requirements for using DBSC

  • The user's device must have a Trusted Platform Module (TPM) to securely store and process cryptographic data. A TPM is a standard hardware component that's already available on most devices running Windows 11. Users can typically find information about TPM availability in their device's system settings or by consulting the device manufacturer's documentation.
  • The user must have Chrome version 136 or above. For details, go to Update Google Chrome.
Note: During the beta phase, session binding secures only a limited selection of Google cookies, meaning that not all cookies for a user will be secured.
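
To confirm both requirements on a Windows device before enabling the setting, a local check like the following can be run. This is an added example, not Google's tooling: the function name `Test-DbscReadiness` is hypothetical, and locating Chrome through the Windows `App Paths` registry key is an assumption about how Chrome was installed.

```powershell
# Added example: local readiness check for the two DBSC requirements listed above.
# Run in an elevated PowerShell session, because Get-Tpm requires administrator rights.

$MinChromeMajor = 136   # minimum Chrome version stated on this page

function Test-DbscReadiness {   # hypothetical helper name
    $tpmPresent = $false
    $tpmReady   = $false
    $chromeVer  = $null

    # Requirement 1: a TPM that is present and ready for use.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed (session not elevated?): $($_.Exception.Message)"
    }

    # Requirement 2: Chrome 136 or above.
    # Assumption: Chrome registered itself under App Paths (machine-wide or per-user install).
    $appPaths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $exe = (Get-ItemProperty -Path "$hive\$appPaths" -ErrorAction SilentlyContinue).'(default)'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $found = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion -as [version]
            # Keep the newest install if both a machine-wide and a per-user copy exist.
            if ($found -and (-not $chromeVer -or $found -gt $chromeVer)) { $chromeVer = $found }
        }
    }
    $chromeOk = [bool]($chromeVer -and $chromeVer.Major -ge $MinChromeMajor)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        TpmPresent    = $tpmPresent
        TpmReady      = $tpmReady
        ChromeVersion = $chromeVer
        ChromeOk      = $chromeOk
        DbscReady     = ($tpmPresent -and $tpmReady -and $chromeOk)
    }
}

Test-DbscReadiness | Format-List
```

A device that reports `DbscReady : False` is one to review before enabling DBSC for its user, and the exempt group described under "Potential outcomes of turning on DBSC" is an option for such users.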

Turn on DBSC

Before you begin: If needed, learn how to apply the setting to a department or group.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu > Security > Access and data control > Google Session control.

    Requires having the Security settings administrator privilege.

  3. (Optional) To apply the setting only to some users, at the side, select an organizational unit (often used for departments) or configuration group (advanced).

    Group settings override organizational units.

  4. For Device Bound Session Credentials, select Enable DBSC.
  5. Click Save. Or, you might click Override for an organizational unit.

    To later restore the inherited value, click Inherit (or Unset for a group).

Potential outcomes of turning on DBSC

After you turn on DBSC, users might experience:

  • Session interruptions: If a user's session is valid but the binding process encounters an error, the system requires the user to sign in again. This safeguards the user's account and data.
  • Persistent issues: If a user consistently experiences problems with DBSC, they could be signed out often. In such cases, users should contact their administrator for troubleshooting assistance, which might include disabling DBSC for their account. The admin can create a group that is exempt from DBSC, and add the user to that group.


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
