Google introduced Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to cryptographically bind session cookies to hardware-backed keys, blocking info-stealing malware from reusing stolen credentials. macOS support will arrive in a future Chrome release, and testing with partners like Okta showed a decline in session theft by infostealers such as LummaC2. #DeviceBoundSessionCredentials #LummaC2
Key points
- Chrome 146 on Windows enables DBSC to tie session cookies to hardware-backed keys (TPM).
- macOS will receive the same protection in a forthcoming Chrome release using the Secure Enclave.
- Private keys are generated by the device security chip and cannot be exported, making exfiltrated cookies unusable off-device.
- Browsers must prove possession of the private key to obtain short-lived session cookies, preventing reuse by attackers.
- DBSC was developed as an open standard with Microsoft, tested with partners like Okta, and has W3C specs and implementation guides on GitHub.