GOOGLE has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome browser, months after testing began in open beta, with expansion to macOS planned in a future Chrome release. The public rollout currently covers Windows users on Chrome 146, as the company positions DBSC to curb session theft by cryptographically binding an authentication session to a specific device.
DBSC uses hardware-backed security modules—such as the TPM on Windows and the Secure Enclave on macOS—to generate a unique per-device key pair; new short‑lived session cookies are issued only when Chrome can prove possession of the private key to the server. If a device lacks secure key storage, DBSC falls back to standard behaviour without disrupting authentication.
The company says it has observed a significant reduction in session theft since launch and notes that DBSC architecture is private by design and not intended as a cross-site tracking or device fingerprinting mechanism. According to Google, the feature was developed with Microsoft to help establish an open web standard for DBSC.