Google has officially rolled out Device-Bound Session Credentials (DBSC) for Chrome 146 on Windows, marking a pivotal move in safeguarding user sessions from online threats. This feature was initially tested in an open beta and is now available to the public, with plans to expand to macOS in future updates. Session theft, a persistent security threat, involves attackers stealing session cookies to gain unauthorized access to online accounts. These cookies, often harvested by malware like Atomic, Lumma, and Vidar Stealer, can be sold and used for further cyberattacks.
DBSC addresses this issue by cryptographically linking authentication sessions to specific devices. It employs hardware-backed security modules such as the Trusted Platform Module on Windows to create a unique key pair that cannot be exported. As a result, even if session cookies are stolen, they quickly expire, rendering them useless to cybercriminals. If a device lacks secure key storage, DBSC reverts to the standard authentication process without disruption.
Google reports a significant decline in session theft incidents since the introduction of DBSC, highlighting its effectiveness. The company aims to extend this security measure to a broader range of devices and enhance its integration with enterprise environments. Developed in collaboration with Microsoft, DBSC is designed to be a private and lean protocol, ensuring session security while preventing cross-site tracking and device fingerprinting. The move underscores Google's commitment to creating an open web standard that prioritizes user privacy and security.


