Google has officially introduced Device-Bound Session Credentials (DBSC) for Chrome users on Windows. This new feature is designed to combat session theft, a common cyber threat that involves the unauthorized exfiltration of session cookies. These cookies can be stolen through malware attacks that leverage information-stealing software like Atomic, Lumma, and Vidar Stealer. Once stolen, these cookies can provide attackers with access to online accounts without needing passwords, enabling them to sell these tokens for profit.

DBSC aims to thwart such threats by linking the authentication session to a specific device using cryptographic keys. This is achieved through hardware-backed security modules, such as the Trusted Platform Module on Windows. These modules generate a unique public-private key pair that remains on the device, preventing attackers from using stolen cookies. Even if cookies are exfiltrated, they quickly become useless as they expire without the corresponding private key.

This feature is currently available for Windows users with Chrome 146, and Google plans to expand it to macOS soon. The company has already observed a marked decrease in session theft since DBSC's launch. Google, in collaboration with Microsoft, aims to establish DBSC as an open web standard. The protocol is designed to protect user privacy, ensuring that session credentials cannot be used to track user activity across sessions or websites.

DBSC also maintains traditional authentication methods if a device does not support secure key storage, ensuring seamless user experience. As Google continues to refine this technology, further expansions and integrations with enterprise environments are anticipated.