Google has introduced a new security feature, Device Bound Session Credentials (DBSC), in Chrome 146 for Windows. It is aimed at infostealer malware: rather than trying to prevent session cookies from being copied, it makes a copied cookie useless away from the device it was issued to.

This protection is not yet available on macOS, but support is expected in a future release.

The system works by tying a user's session to the device through hardware-backed keys. On Windows, Chrome uses the Trusted Platform Module (TPM); on macOS it will rely on the Secure Enclave. The hardware generates an asymmetric key pair for each session, and the private key never leaves the chip: the browser can ask the hardware to sign with it, but cannot export it. Anything an attacker copies from disk or memory therefore lacks the one thing needed to keep the session alive.

With this setup, even if malware manages to grab a session cookie, the cookie is only useful for its short remaining lifetime. Google explains that new session cookies are issued only when Chrome proves it holds the correct private key, by signing a challenge the server hands out. A stolen cookie expires quickly, and whoever holds it cannot obtain a replacement without that signature, so the theft is cut off at the first refresh.

Session cookies normally act as login tokens that let users stay signed in without repeatedly entering their credentials. Because a valid cookie is as good as a password for the duration of the session, they are a common target for infostealer malware, which extracts them from browser memory or from the browser's on-disk cookie store. Google notes that such malware has become more advanced in recent years, making purely software-based protections for the cookie store less effective: whatever the browser can decrypt on the device, malware running as the same user can usually decrypt too.

DBSC is designed with privacy in mind. Each session uses a separate key pair, so websites cannot use the key to link a user's activity across sessions or to fingerprint the device. The protocol also limits what is shared: only a signature proving possession of the session's key, not any device identifier.


Google tested an early version of the feature with several partners, including Okta, and reported a noticeable drop in session theft incidents. The company worked with Microsoft and others in the industry to develop DBSC as an open web standard rather than a Chrome-only mechanism.


Websites can adopt this added layer of security by updating their backend with two new endpoints, one for registering a session's public key and one for refreshing the short-lived cookie against a signed challenge, while keeping their existing frontends unchanged. Browsers that do not support DBSC ignore the registration headers and keep using ordinary cookies, so adoption is incremental: the protection applies only where the browser opts in, and the backend must still treat the cookie as the credential for those sessions. Developers can find more details in Google's documentation, along with the specification published through the World Wide Web Consortium.
