Google has officially launched a major security upgrade to protect users from session hijacking. Starting with Chrome version 146 for Windows users, Device Bound Session Credentials (DBSC) is now publicly available.
This new feature aims to stop malware from stealing web cookies and using them to bypass passwords and multi-factor authentication. Support for macOS users will arrive in an upcoming Chrome release.
Session theft happens when a user accidentally downloads malware, such as the LummaC2 infostealer. Once on a device, this malware quietly copies existing session cookies from the browser’s local files and memory.
Attackers then send these stolen cookies to their own servers, allowing them to access user accounts without ever needing a password. Hackers frequently bundle and sell these active session tokens on dark web forums to other cybercriminals.
Because traditional defenses rely on detecting the theft after it happens, persistent hackers often slip past security measures.
How Device Binding Works
DBSC shifts the defense strategy from reactive detection to proactive prevention. It works by cryptographically locking your web session to the specific physical device you are using.
To do this, Chrome uses hardware-backed security modules like the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS.
These chips generate a unique public and private key pair that cannot be exported or copied off the machine.
When a website issues a new, short-lived session cookie, it now requires Chrome to prove it holds the corresponding private key.
Since a remote attacker cannot extract the hardware-bound private key, any cookies they manage to exfiltrate expire quickly and become useless.
Web developers can adopt this by adding specific registration endpoints to their backends, while the browser handles the complex cryptography automatically.
This means everyday users will not notice any changes to their browsing experience, but their accounts will be significantly safer.
Prioritizing User Privacy
Google designed this protocol with strict privacy rules to ensure it cannot be abused for tracking. Every single web session gets its own distinct key.
This stops websites from using the security credentials to connect a user’s activity across different sites on the same device.
The system also limits the data shared with servers, ensuring it does not leak device identifiers or act as a digital fingerprint.
The feature was built as an open web standard through the W3C, with collaboration from industry leaders such as Microsoft and Okta.
Google reports a large drop in session theft during the past year of early testing.
Google plans to expand DBSC capabilities for complex enterprise networks. Upcoming updates will secure Single Sign-On (SSO) processes, ensuring the initial device binding stays intact across different identity providers.
Developers are also working to bind sessions to existing trusted materials like hardware security keys or mTLS certificates. Finally, Google is actively exploring software-based keys to protect older devices that lack dedicated security chips.