Google Chrome introduces device-bound session credentials for security

Google has introduced a new security feature in Chrome for Windows that could significantly change how user data is protected online. This technology, called Device Bound Session Credentials (DBSC), debuted in Chrome version 146.

DBSC ties user sessions to specific devices. Instead of relying on cookies alone to carry authorization data, it adds a layer of protection based on cryptographic keys generated in hardware-backed security, such as the TPM on Windows.

A key aspect of DBSC is that the private key never leaves the device and cannot be exported. Even if an attacker gains access to cookie files, they won't be able to use them on another device. This makes traditional session-stealing attacks practically useless.

For websites, adopting this technology doesn't require major changes. Developers can implement specific mechanisms for registering and updating sessions, while maintaining the usual cookie workflow. The browser handles most encryption and protection tasks.
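The binding described above, as an added sketch that is not Chrome's or Google's code and does not reproduce the DBSC wire protocol: a server stores a public key when the session is registered and renews its cookie only when the client signs a fresh challenge. The function names, the cookie lifetime and the software-generated P-256 key standing in for a hardware-held key are assumptions made for illustration.

```javascript
// Added illustration: a simplified device-bound session model, not the DBSC wire protocol.
const crypto = require("node:crypto");

const COOKIE_TTL_MS = 10 * 60 * 1000; // assumed short cookie lifetime
const sessions = new Map();           // sessionId -> { publicKey, challenge }
const issueCookie = (sessionId, now) => ({ sessionId, expires: now + COOKIE_TTL_MS });

// Registration: the server keeps only the device's public key.
function registerSession(publicKeyPem, now = Date.now()) {
  const sessionId = crypto.randomUUID();
  sessions.set(sessionId, { publicKey: publicKeyPem, challenge: null });
  return { sessionId, cookie: issueCookie(sessionId, now) };
}

// Update, step 1: hand out a fresh single-use challenge.
function newChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.challenge = crypto.randomBytes(32).toString("hex");
  return s.challenge;
}

// Update, step 2: renew the cookie only for a valid signature over that challenge.
function refreshSession(sessionId, signature, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null; // consumed whether or not verification succeeds
  const ok = crypto.verify("sha256", Buffer.from(challenge), s.publicKey, signature);
  return ok ? issueCookie(sessionId, now) : null;
}

// Device side. A software P-256 key stands in for the non-exportable hardware key.
function makeDevice() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" }); // prime256v1 = P-256
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign: (challenge) => crypto.sign("sha256", Buffer.from(challenge), privateKey),
  };
}

// Constructed scenario: one session id presented from the bound device and from another one.
function demo() {
  const bound = makeDevice(), other = makeDevice();
  const { sessionId } = registerSession(bound.publicKeyPem);
  const renewed = refreshSession(sessionId, bound.sign(newChallenge(sessionId)));
  const copied = refreshSession(sessionId, other.sign(newChallenge(sessionId)));
  return { renewedOnBoundDevice: renewed !== null, renewedElsewhere: copied !== null };
}
```

In this model a copied cookie still works until it expires, so the protection comes from keeping the cookie lifetime short and gating every renewal on the signature.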

Currently, this feature is available in Chrome 146 for Windows, with a macOS version expected in the coming weeks. If widely adopted, this technology could become a significant step in combating account theft and raising overall online security standards.