Google has officially launched Device-Bound Session Credentials (DBSC) for Windows users using Chrome 146. This new security feature aims to protect against session hijacking by binding authentication sessions to specific devices. The implementation of DBSC is a crucial step in mitigating the risks of session theft, which often occurs when malicious software extracts session cookies from a user's browser. These cookies, if stolen, could allow unauthorized access to online accounts without the need for passwords.
Google's DBSC employs hardware-backed security modules like the Trusted Platform Module on Windows. These modules generate unique key pairs, ensuring that even if cookies are stolen, they quickly expire and become useless to attackers. This method prevents attackers from using exfiltrated cookies, as they cannot access the private keys required to renew session cookies.
The feature currently supports Windows users, but Google plans to expand its availability to macOS in future updates. Preliminary results show a significant decrease in session theft since the initial rollout, demonstrating the effectiveness of DBSC. In collaboration with Microsoft, Google aims to establish DBSC as an open web standard, ensuring that it remains private by design. This approach prevents websites from tracking user activity across different sessions or sites, addressing privacy concerns.
The introduction of DBSC marks a significant advancement in web security. By preventing session theft, Google enhances user privacy and secures online interactions. As DBSC becomes available on more platforms, it will offer even greater protection against cyber threats.


