GOOGLE has announced the rollout of new session cookie protections in Chrome to prevent account compromise via stolen authentication cookies. The feature, called Device Bound Session Credentials (DBSC), is available in Chrome 146 for Windows, with macOS users set to receive it in a future browser release.
DBSC cryptographically binds an authentication session to the user’s device, rendering stolen cookies useless. It relies on hardware-backed security modules to generate a unique public/private key pair, with short-lived session cookies that Chrome can only keep valid by proving possession of the private key. According to Google, an early version of the protocol rolled out last year showed a significant reduction in session theft where DBSC was enabled.
Because each browser session is backed by a different key, websites cannot track users across sessions or sites, and, to prevent fingerprinting, the device shares no identifiers or attestation data. According to Google, DBSC was built as an open web standard through the W3C process, with Microsoft helping to design it, and it has been tested with Okta and other web platforms.