Google introduced Device-Bound Session Credentials (DBSC) with Chrome 146 for Windows. This security feature cryptographically ties session cookies to a device's hardware, making it impossible for stolen cookies to be used on a different machine.
Support for macOS has not yet been announced. This feature was first announced in 2024 and developed as an open web standard in collaboration with Microsoft.
How Does DBSC Work in Chrome 146?

DBSC ties a user's browser session to the device's security hardware: the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS. When a session is created, the security chip generates a unique public/private key pair.
Since the private key cannot be exported from the device, any session cookie stolen by malware becomes useless elsewhere. Short-lived session cookies are only issued when Chrome can prove to the server that it possesses the corresponding private key. Without this proof, leaked cookies expire and cannot be used by an attacker to authenticate to the target service.
Why Are Session Cookies a Major Target for Malware?
Session cookies function as authentication tokens that let a browser access an online service without requiring the user to log in repeatedly. Information-stealing malware such as LummaC2 targets these cookies because a valid cookie lets the login process be bypassed entirely.
Google states that when malware gains access to a computer, it can read the local files and memory where browsers store authentication cookies. It also emphasizes that a purely software-based solution cannot completely prevent cookie leakage at the operating system level.
DBSC addresses this issue not at the software level but at the hardware level, ensuring that stolen data becomes useless without access to the physical device.
DBSC Privacy, Testing Process, and Adoption
Each DBSC session generates a unique key, which helps prevent websites from linking multiple sessions or activities across different sites on the same device. The protocol exchanges the public key required to prove ownership per session and does not share device identifiers.
Over the past year, Google has tested an early version of DBSC on various web platforms, including Okta, and during this time observed a decrease in session theft incidents. The DBSC specification has been published on the W3C website. Websites can adopt it by adding dedicated registration and renewal endpoints; no changes to their existing frontend code are required.
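The flow described above (a key pair generated on the device, only the public key sent to a registration endpoint, a short-lived cookie issued only after a signed server challenge, and a renewal endpoint the site adds), as a self-contained Go simulation. This is an added example, not code from Google, Chrome or the DBSC specification: the "device" is an in-memory P-256 ECDSA key standing in for a TPM or Secure Enclave, the endpoint names Register/Challenge/Refresh, the message formats, cookie lengths and the cookie TTL are all constructed simplifications, and nothing here follows the W3C wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the TPM or Secure Enclave: the private key stays inside
// the struct and is never handed out (assumption: a real client asks the chip
// to sign rather than holding the key in browser memory).
type Device struct{ priv *ecdsa.PrivateKey }

// NewDevice generates the per-session key pair; priv is nil if err is non-nil.
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: priv}, err
}

// PublicKey is the only key material that leaves the device.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign is the proof of possession: a signature over the server's challenge.
func (d *Device) Sign(challenge string) ([]byte, error) {
	h := sha256.Sum256([]byte(challenge))
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

type session struct {
	pub       *ecdsa.PublicKey
	cookie    string
	expires   time.Time
	challenge string // single-use nonce awaiting a signature; "" when none pending
}

// Server holds sessions and the two endpoints a site adds. Now is a field so
// cookie expiry can be exercised without sleeping.
type Server struct {
	sessions  map[string]*session
	cookieTTL time.Duration
	Now       func() time.Time
}

func NewServer(cookieTTL time.Duration) *Server {
	return &Server{sessions: map[string]*session{}, cookieTTL: cookieTTL, Now: time.Now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

func (s *Server) issueCookie(sess *session) string {
	sess.cookie = randomHex(16)
	sess.expires = s.Now().Add(s.cookieTTL)
	return sess.cookie
}

// Register is the registration endpoint: it binds a new session to the device
// public key and issues the first short-lived cookie.
func (s *Server) Register(pub *ecdsa.PublicKey) (sessionID, cookie string) {
	sessionID = randomHex(8)
	sess := &session{pub: pub}
	s.sessions[sessionID] = sess
	return sessionID, s.issueCookie(sess)
}

// Challenge hands out a fresh nonce the device must sign before a refresh.
func (s *Server) Challenge(sessionID string) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return "", errors.New("unknown session")
	}
	sess.challenge = randomHex(32)
	return sess.challenge, nil
}

// Refresh is the renewal endpoint: a new cookie is issued only if the signature
// verifies under the registered key. The nonce is consumed either way, so a
// captured signature cannot be replayed.
func (s *Server) Refresh(sessionID string, sig []byte) (string, error) {
	sess, ok := s.sessions[sessionID]
	if !ok || sess.challenge == "" {
		return "", errors.New("unknown session or no challenge pending")
	}
	h := sha256.Sum256([]byte(sess.challenge))
	sess.challenge = ""
	if !ecdsa.VerifyASN1(sess.pub, h[:], sig) {
		return "", errors.New("proof of possession failed")
	}
	return s.issueCookie(sess), nil
}

// Authorize is the ordinary per-request check: the cookie is a bearer token,
// but only until it expires.
func (s *Server) Authorize(sessionID, cookie string) bool {
	sess, ok := s.sessions[sessionID]
	return ok && cookie == sess.cookie && s.Now().Before(sess.expires)
}

func main() {
	dev, _ := NewDevice()
	srv := NewServer(10 * time.Minute)
	id, cookie := srv.Register(dev.PublicKey())
	fmt.Println("fresh cookie accepted:", srv.Authorize(id, cookie))
	ch, _ := srv.Challenge(id)
	sig, _ := dev.Sign(ch)
	_, err := srv.Refresh(id, sig)
	fmt.Println("refresh with device key ok:", err == nil)
}
```

The security property the article describes falls out of three pieces: the cookie is still a plain bearer token, but it expires quickly; a new one is only minted by Refresh after a signature that verifies under the key registered at session creation; and the challenge is single-use, so replaying a captured signature fails. A cookie lifted from disk or memory therefore works only until its TTL runs out, and the holder cannot extend it without the device key.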
DBSC is currently active in Chrome 146 on Windows. Google has not announced a timeline or support plan for a new Chrome version for macOS.