Google has officially launched Device-Bound Session Credentials (DBSC) for Chrome users on Windows, marking a significant advancement in the fight against session hijacking. This feature, previously tested in open beta, is part of Chrome version 146 and is set to expand to macOS in future updates. Session hijacking, a prevalent security threat, involves the theft of session cookies from web browsers. These cookies can be stolen through malware such as Atomic, Lumma, and Vidar Stealer, allowing attackers unauthorized access to online accounts without needing passwords.
DBSC addresses this vulnerability by cryptographically binding the authentication session to the user’s device. This is achieved using hardware-backed security modules, such as the Trusted Platform Module on Windows, to create a unique key pair that attackers cannot export. The issuance of session cookies now depends on Chrome proving possession of the private key, making stolen cookies expire quickly and useless to attackers.
If a device lacks secure key storage, DBSC reverts to standard authentication, ensuring a seamless user experience. Early data from Google indicates a reduction in session theft since the implementation of DBSC. This initiative is part of Google's broader strategy to enhance web security and privacy, with plans to make DBSC an open web standard and extend its capabilities for enterprise environments. The design of DBSC ensures user privacy by preventing cross-site tracking and device fingerprinting, further securing online sessions.


