Google has moved Device Bound Session Credentials (DBSC) to general availability in Chrome on Windows — a significant security upgrade that makes stolen browser session cookies useless to attackers by cryptographically tying them to the specific device they were created on.
The Problem DBSC Solves: Cookie Theft and Session Hijacking
Session cookies are the tokens your browser stores after you log in to a website. They tell the site “this is the authenticated user” so you don’t have to enter your password on every page. The problem is that these cookies have historically been completely portable — if an attacker steals the cookie file from your browser, they can import it into their own browser and instantly access your account, fully authenticated.
This is called a pass-the-cookie attack, and it’s highly effective against multi-factor authentication. Even if you’ve completed MFA to log in, the session cookie that was issued after your MFA challenge can be stolen and reused. MFA only protects the login — not the session that follows.
Infostealer malware families — a rapidly growing category of credential-theft tools — routinely target browser cookie stores for exactly this reason. Stolen cookies from corporate devices are actively traded on criminal marketplaces and used to access business email, cloud services, and internal applications.
How Device Bound Session Credentials Work
DBSC addresses cookie theft by cryptographically binding the session to the specific device it was created on. When a DBSC-protected session is established, Chrome generates a cryptographic key pair on the device. The private key never leaves that device. The server issues a session credential that is mathematically linked to that private key.
If an attacker exfiltrates the session credential and attempts to use it on a different machine, the session is invalid — the private key required to authenticate it does not exist on the attacker’s device. The stolen credential is rendered completely useless.
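To make the binding concrete, here is an added Go model of the check described above. It is illustrative code written for this article, not Chrome's or Google's DBSC implementation: the P-256 key pair, the random challenge nonce and the sessionID||nonce proof format are assumptions, not the real DBSC wire protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device is the client side: a key pair generated on the machine. The private
// half stays inside the Device value, mirroring "the private key never leaves that device".
type Device struct{ priv *ecdsa.PrivateKey }

// Server keeps, per session id, the public key registered when the session was
// created. The session id stands in for the cookie value an infostealer could copy.
type Server struct{ sessions map[string]*ecdsa.PublicKey }

func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed curve
	return &Device{priv: k}, err
}

func NewServer() *Server { return &Server{sessions: map[string]*ecdsa.PublicKey{}} }

// Register binds a session id to the device's public key at login time.
func (s *Server) Register(sessionID string, d *Device) { s.sessions[sessionID] = &d.priv.PublicKey }

// Challenge returns a fresh random nonce; a signature over it proves the device
// still holds the private key and cannot be replayed against a later nonce.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// bindingHash ties a proof to both the session id and this particular challenge.
func bindingHash(sessionID string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(sessionID), nonce...))
	return h[:]
}

// Prove signs sessionID||nonce with the device key (the proof format is an assumption here).
func (d *Device) Prove(sessionID string, nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, bindingHash(sessionID, nonce))
}

// Verify accepts the session only if the proof was made with the key bound to it;
// a copied session id presented from another machine has no such key and fails.
func (s *Server) Verify(sessionID string, nonce, sig []byte) bool {
	pub, ok := s.sessions[sessionID]
	return ok && ecdsa.VerifyASN1(pub, bindingHash(sessionID, nonce), sig)
}
```

Running the same proof from a second Device value (a different machine with its own key) fails Verify, as does replaying an old proof against a fresh Challenge.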
General Availability: What’s Changed
Google has now moved DBSC from a limited trial to general availability in Chrome on Windows. Key details:
- No user or admin action required: DBSC is active by default. Users and IT administrators do not need to enable or configure anything — it works automatically for websites that support it
- Cannot be disabled: The feature cannot be turned off through Chrome’s Admin console, ensuring consistent protection across managed devices
- Full deployment timeline: Rollout across both rapid and scheduled release channels will take approximately 60 days to complete
- Current scope: DBSC is currently available on Windows only; other platforms are expected to follow
What This Means for Businesses
For organisations using Chrome on Windows — which describes the majority of corporate device fleets in the UK — DBSC represents a meaningful reduction in the risk posed by infostealer malware targeting browser sessions.
However, there are important caveats to keep in mind:
- Website support is required: DBSC only protects sessions on websites that have implemented the DBSC server-side API. Google and other major web platforms are adopting it, but not every site your employees use will support it immediately
- Other attack vectors remain: DBSC protects against cookie theft and replay. It does not protect against keyloggers, password theft, phishing, or malware that executes actions directly on the infected device rather than exfiltrating cookies
- Windows-only for now: Devices running macOS, Linux, or non-Chrome browsers do not yet benefit from DBSC
The Broader Context: Phasing Out Cookie-Based Authentication
DBSC is part of a broader industry shift away from traditional session cookies towards more secure, device-anchored authentication mechanisms. It complements other initiatives like passkeys (which replace passwords entirely with device-bound cryptographic credentials) and the move towards Zero Trust architectures that continuously verify the trustworthiness of sessions rather than relying on a single cookie issued at login.
For IT teams, DBSC is a welcome step forward that arrives with no deployment overhead. It is not, however, a reason to deprioritise other endpoint security controls — a well-configured endpoint security stack remains essential.
BIT Tech IT Solutions helps businesses manage and secure their Windows and Chrome environments. If you’d like to discuss your endpoint security posture, get in touch with our team.