
Google Workspace working to counter cookie theft with passkeys, more

Google says “attackers are intensifying their phishing and credential theft methods” with an “exponential rise in cookie and authentication token theft as a preferred method.” Google wants to combat this “cookie theft,” especially for Workspace users.

Cookie theft involves malware getting onto a user’s device and exfiltrating “authentication cookies from browsers on the device to remote servers.” This can bypass two-factor authentication.

To counter this, Google recommends passkey adoption, which is now “generally available to more than 11 million Google Workspace customers.” Admins can audit passkey enrollment and restrict passkeys to physical security keys. Compared to passwords, passkeys cannot be “guessed, stolen, or forgotten.”


  • Phishing resistance: Passkeys are inherently more phishing-resistant because users cannot be tricked into handing over passkeys to a malicious actor.
  • Ease of use: Signing in with passkeys is as simple as unlocking your device, such as using a PIN or biometrics such as a fingerprint or facial recognition.
  • Strong security: Unlike passwords that are often re-used, each passkey is unique and generated for each specific website or service.

Google says “signing in with passkeys is 40% faster than passwords for Workspace users.”


To date, we have millions of users across enterprises, nonprofits, and educational institutions benefiting from using passkeys.

Meanwhile, Google also wants to combat cookie theft with Device Bound Session Credentials. Last year, the company started open development, with the goal of making it a web standard. 

DBSC “helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from.” This is available in Chrome for Windows, with only the originating device able to access the active session. Some Workspace customers are already using it to protect their end users.
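To make the binding idea concrete, here is a simplified Go sketch added for illustration; it is not Google's or Chrome's code and does not reproduce the DBSC message format. The `Session` type, the function names, the constructed cookie value and the choice of Ed25519 signatures are assumptions made for brevity: the server renews a session only when the cookie arrives together with a signature, over a fresh single-use challenge, from the key the device registered at sign-in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Session (hypothetical type): the server's record of the cookie and the device's public key.
type Session struct {
	Cookie    string
	DeviceKey ed25519.PublicKey
	nonce     []byte // outstanding single-use challenge
}

// NewDeviceKey stands in for a key pair created and kept on the device.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Challenge issues a fresh nonce that the device must sign.
func (s *Session) Challenge() []byte {
	s.nonce = make([]byte, 32)
	if _, err := rand.Read(s.nonce); err != nil {
		panic(err)
	}
	return append([]byte(nil), s.nonce...)
}

// Refresh renews only if the cookie matches and the signature verifies under the device key.
func (s *Session) Refresh(cookie string, sig []byte) bool {
	nonce := s.nonce
	s.nonce = nil // single use: a captured signature cannot be replayed
	return nonce != nil &&
		subtle.ConstantTimeCompare([]byte(cookie), []byte(s.Cookie)) == 1 &&
		ed25519.Verify(s.DeviceKey, nonce, sig)
}

func main() {
	pub, priv := NewDeviceKey()
	_, thief := NewDeviceKey() // holder of an exfiltrated cookie, without the device key
	s := &Session{Cookie: "constructed-session-id", DeviceKey: pub}
	fmt.Println("originating device:", s.Refresh(s.Cookie, ed25519.Sign(priv, s.Challenge())))
	fmt.Println("stolen cookie only:", s.Refresh(s.Cookie, ed25519.Sign(thief, s.Challenge())))
}
```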

Google’s other effort to reduce cookie theft is the Shared Signals Framework (SSF). 

This framework acts as a robust system for “transmitters” to promptly inform “receivers” about significant events, facilitating a coordinated response to security threats.


You’re reading NewGeekGuide — experts who break news about Google and its surrounding ecosystem, day after day.


Author

Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com