@rcombs Google isn't just fighting that on one front, they've been strongly pushing for 2FA for years. They were the first to deploy Security Keys for a reason.

There's been many efforts to try and bind session tokens to devices too. Example: Channel ID. Unfortunately not successful.

The "defense front" you're seeing is trying to detect suspicious actions coming from non legitimate devices. If someone gmail-searches "SSN" and you can detect it's not a real browser, you can issue a challenge.