Overview
- Google's Device Bound Session Credentials (DBSC), which became generally available Thursday in Chrome 146 for Windows, targets account takeovers carried out with stolen session cookies.
- Session-cookie theft lets attackers bypass two-factor authentication, since a stolen cookie represents a session in which 2FA was already completed; DBSC blocks reuse of those cookies on another machine.
- The browser creates a non-exportable key in the PC's security chip and must prove it holds that key before the server issues short-lived cookies; sites opt in by adding registration and refresh endpoints.
- Next up is macOS support in a coming Chrome release, with planned additions for federated sign-ins, stronger first-time registration, and possible software keys for devices without secure hardware.
- In tests over the past year with industry partners, Google says DBSC reduced session-theft incidents for protected sessions by a significant amount.
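The registration and refresh flow summarized above, as an added illustration that is not Chrome's, Google's, or any site's code: a Go model in which the device key never leaves a Device value, the server binds a session to the public key at registration, issues short-lived cookies, and at refresh hands out a new cookie only against a signature over a single-use challenge. The endpoint names, the challenge and cookie formats, the P-256 key type and the five-minute TTL are assumptions of this model and do not reproduce DBSC's actual wire protocol.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the PC's security chip: the private key never leaves
// this value, callers only get the public key and signatures. (Model, not a TPM.)
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: k}
}

func (d *Device) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign produces the proof of possession the server demands at refresh time.
func (d *Device) Sign(msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// session is the server-side record created by the registration endpoint.
type session struct {
	pub         *ecdsa.PublicKey // key the session is bound to
	cookie      string           // current short-lived cookie value
	expires     time.Time
	pending     []byte // outstanding refresh challenge, single use
	failedProof int    // refresh attempts whose signature did not verify
}

// Server keeps bound sessions; Now is injectable so expiry can be exercised.
type Server struct {
	byCookie map[string]*session
	ttl      time.Duration
	Now      func() time.Time
}

func NewServer(ttl time.Duration) *Server {
	return &Server{byCookie: map[string]*session{}, ttl: ttl, Now: time.Now}
}

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// issue rotates the cookie; the previous value stops working at once.
func (s *Server) issue(sess *session) string {
	delete(s.byCookie, sess.cookie)
	sess.cookie = randomToken()
	sess.expires = s.Now().Add(s.ttl)
	s.byCookie[sess.cookie] = sess
	return sess.cookie
}

// Register: after an ordinary login (password plus 2FA, not modelled) the
// browser submits the device public key and the session is bound to it.
func (s *Server) Register(pub *ecdsa.PublicKey) string { return s.issue(&session{pub: pub}) }

// Authorize is what every normal request checks: known and unexpired cookie.
// No signature is required here, which is exactly why the TTL is kept short.
func (s *Server) Authorize(cookie string) bool {
	sess, ok := s.byCookie[cookie]
	return ok && s.Now().Before(sess.expires)
}

// Challenge hands out a fresh nonce that the refresh call must sign.
func (s *Server) Challenge(cookie string) ([]byte, error) {
	sess, ok := s.byCookie[cookie]
	if !ok {
		return nil, errors.New("unknown cookie")
	}
	sess.pending = []byte(randomToken())
	return sess.pending, nil
}

// Refresh issues a new cookie only if the caller proves it holds the bound key.
func (s *Server) Refresh(cookie string, challenge, sig []byte) (string, error) {
	sess, ok := s.byCookie[cookie]
	if !ok {
		return "", errors.New("unknown cookie")
	}
	if sess.pending == nil || !bytes.Equal(challenge, sess.pending) {
		return "", errors.New("challenge missing or stale")
	}
	sess.pending = nil // single use: a captured signature cannot be replayed
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(sess.pub, h[:], sig) {
		sess.failedProof++ // a live cookie presented from the wrong device
		return "", errors.New("proof of possession failed")
	}
	return s.issue(sess), nil
}

// FailedProofs exposes the detection counter for the session behind a cookie.
func (s *Server) FailedProofs(cookie string) int {
	if sess, ok := s.byCookie[cookie]; ok {
		return sess.failedProof
	}
	return 0
}

func main() {
	victim, attacker := NewDevice(), NewDevice()
	srv := NewServer(5 * time.Minute)
	cookie := srv.Register(victim.Public())
	ch, _ := srv.Challenge(cookie)
	cookie, err := srv.Refresh(cookie, ch, victim.Sign(ch))
	fmt.Println("owner refresh ok:", err == nil)
	ch, _ = srv.Challenge(cookie) // same cookie, but a different device signs
	_, err = srv.Refresh(cookie, ch, attacker.Sign(ch))
	fmt.Println("stolen-cookie refresh rejected:", err != nil)
	srv.Now = func() time.Time { return time.Now().Add(10 * time.Minute) }
	fmt.Println("stolen cookie still usable after TTL:", srv.Authorize(cookie))
}
```

Running main shows the owner's refresh succeeding, a refresh of the same cookie signed by a different device being rejected, and the cookie ceasing to authorize once its TTL lapses. The failedProof counter is the kind of signal a site can alert on: a proof failure against a live cookie means that cookie is being presented from somewhere other than the device it was bound to.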