Google has introduced Device Bound Session Credentials in Chrome 146 for Windows. This security feature cryptographically ties session cookies to a device’s hardware, making it impossible for stolen cookies to be used on a different machine.
Support for macOS has not been announced. The feature was first announced in 2024 and was developed in partnership with Microsoft as an open web standard.
DBSC links a user’s browser session to the device’s security hardware, which is the Trusted Platform Module on Windows and the Secure Enclave on macOS. During session creation, the security chip generates a unique pair of public and private keys.
Since the private key can’t be exported from the device, any session cookie stolen by malware becomes useless elsewhere. Short-lived session cookies are only issued when Chrome can prove to the server that it possesses the corresponding private key. Without this proof, exfiltrated cookies will expire and cannot be used to authenticate the attacker to the target service.
Session cookies function as authentication tokens that let a browser access an online service without requiring the user to log in repeatedly. Information-stealing malware such as LummaC2 targets these cookies because they allow bypassing the login process entirely.
Google points out that once malware has access to a computer, it can read the local files and memory where browsers store authentication cookies. It also notes that no purely software-based solution can fully prevent the exfiltration of cookies at the operating system level.
DBSC tackles this issue at the hardware level instead of the software level, making any stolen data useless without physical access to the device.
Each DBSC session generates a unique key, which helps prevent websites from linking activity across multiple sessions or different sites on the same device. The protocol only exchanges the per-session public key needed to prove ownership and does not share device identifiers.
Over the past year, Google tested an early version of DBSC across several web platforms, including Okta, and saw a decrease in session theft incidents during that time. The DBSC specification has been published on the W3C website. Websites can support it by adding dedicated registration and refresh endpoints on their backends, which does not require changes to existing frontend code.
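The proof-of-possession flow described above (short-lived cookies issued only against a signature from the session's private key, via registration and refresh endpoints) can be modelled as follows. This is an added example, not code from Google or the DBSC specification, and it does not use the DBSC wire format: the function names, the cookie lifetime and the software P-256 key standing in for the TPM-held key are all assumptions.

```javascript
// Simplified model of the DBSC idea; NOT the W3C wire format.
// All names (register, challenge, refresh, COOKIE_TTL_MS) are hypothetical.
const nodeCrypto = require('node:crypto');

const COOKIE_TTL_MS = 10 * 60 * 1000;   // assumed short cookie lifetime
const sessions = new Map();              // sessionId -> { publicKey, nonce }

// Registration endpoint: the server stores only the per-session public key.
function register(publicKeyPem) {
  const sessionId = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, { publicKey: publicKeyPem, nonce: null });
  return sessionId;
}

// Issue a fresh single-use nonce the client must sign.
function challenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.nonce = nodeCrypto.randomBytes(32).toString('base64');
  return s.nonce;
}

// Refresh endpoint: a new short-lived cookie is issued only for a valid
// signature over the outstanding nonce.
function refresh(sessionId, signature, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || !s.nonce) return null;
  const nonce = s.nonce;
  s.nonce = null;                        // single use, blocks replay
  const ok = nodeCrypto.verify('sha256', Buffer.from(nonce), s.publicKey, signature);
  if (!ok) return null;
  return { value: nodeCrypto.randomBytes(24).toString('hex'), expires: now + COOKIE_TTL_MS };
}

// Client side: a software P-256 key stands in for the TPM-held key.
function newDeviceKey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}
const signNonce = (privateKey, nonce) => nodeCrypto.sign('sha256', Buffer.from(nonce), privateKey);

// A server validating a presented cookie checks its expiry.
const cookieValid = (cookie, now = Date.now()) => !!cookie && now < cookie.expires;
```

A copied cookie value stops validating once `expires` passes, and `refresh` returns `null` for any signature not produced by the registered key over the current nonce.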
DBSC is currently active in Chrome 146 on Windows. Google has not announced a timeframe or a support plan for macOS in a new Chrome release.
The actual Chrome version is 147.


