Google announced Thursday that Device Bound Session Credentials, or DBSC, are now publicly available for users on Windows who run Chrome 146, with support for macOS scheduled for an upcoming release.
The initiative targets so-called session theft, a form of account compromise in which malware infiltrates a device and extracts session cookies from the browser. According to Google, infostealer families such as LummaC2 obtain these credentials, which attackers then use to access accounts without needing the account password.
Google emphasized that once malware has gained access to a machine, no dependable software-only defense exists on any operating system to stop cookie exfiltration. DBSC seeks to address that gap by cryptographically binding an authentication session to the physical device where it originated, using security functions that are backed by hardware.
On Windows, DBSC relies on the Trusted Platform Module, while on macOS the approach uses the Secure Enclave. In both cases the platform generates a unique public/private key pair whose private half cannot be exported from the device. Under DBSC, servers issue new short-lived session cookies only after Chrome demonstrates possession of the corresponding private key by answering a server challenge, so the session token is effectively valid only on the device where the key pair resides. A cookie copied off the machine can still be replayed until its short lifetime ends, but it cannot be renewed, because the thief cannot answer the next proof-of-possession challenge.
Google reported that sessions protected by DBSC experienced a notable reduction in session theft during an early rollout of the protocol. The company designed DBSC through the World Wide Web Consortium process as an open web standard and worked with Microsoft in developing that standard. Web platform providers including Okta participated in two Origin Trials of the mechanism over the past year.
Looking ahead, Google said further work on DBSC will emphasize several areas. The company plans to pursue protections for federated identity by using cross-origin bindings, expand registration capabilities to allow DBSC sessions to be tied to pre-existing trusted key material, and increase device compatibility. The roadmap includes enabling software-based keys for devices that do not include dedicated secure hardware.
Context and scope
DBSC is intended to reduce the risk that stolen session cookies can be reused on other machines by binding session tokens to non-exportable keys held in hardware-backed key stores (the TPM on Windows, the Secure Enclave on macOS). The changes apply at the browser and web authentication level and require both client-side platform support and server-side acceptance of DBSC-bound sessions; a site that never issues challenges or verifies proof of possession gains nothing from the browser's support alone.