Google has shipped Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, a security feature that cryptographically ties session cookies to a device's hardware (TPM on Windows, Secure Enclave on macOS). Because the private key never leaves the machine, stolen session cookies become useless to attackers almost immediately. The protocol is privacy-preserving — each session uses a distinct key, preventing cross-site tracking. Tested with partners including Okta, DBSC showed a notable drop in session theft. Web developers can adopt it by adding registration and refresh endpoints to their backends, with full specs available via W3C and GitHub. macOS support is planned for a future Chrome release.
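The following is an added example, not code from Chrome or the DBSC specification: a simplified Node.js model of the registration and refresh endpoints described above, showing why a copied cookie stops working once it expires and cannot be renewed without the device key. All function names, the five-minute cookie lifetime and the message shapes are assumptions for illustration; a software P-256 key stands in for the TPM-held key, and the real protocol's headers and token formats are not reproduced.

```javascript
// Simplified model of a device-bound session (illustrative; NOT the DBSC wire format).
const crypto = require('node:crypto');

const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed short cookie lifetime
const sessions = new Map();          // sessionId -> { publicKey, challenge, cookie, expires }

// Browser side: software stand-in for a hardware key that never leaves the device.
function newDeviceKey() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
}
const signChallenge = (privateKey, challenge) =>
  crypto.sign('sha256', Buffer.from(challenge), privateKey).toString('base64');

// Issue a short-lived cookie plus a fresh single-use challenge for the next refresh.
function issueCookie(s, now) {
  s.cookie = crypto.randomBytes(16).toString('hex');
  s.expires = now + COOKIE_TTL_MS;
  s.challenge = crypto.randomBytes(16).toString('hex');
  return { cookie: s.cookie, challenge: s.challenge };
}

// Registration endpoint: store this session's public key, hand out the first cookie.
function register(publicKeyPem, now = Date.now()) {
  const sessionId = crypto.randomUUID();
  const s = { publicKey: crypto.createPublicKey(publicKeyPem) };
  sessions.set(sessionId, s);
  return { sessionId, ...issueCookie(s, now) };
}

// Refresh endpoint: a new cookie requires a valid signature over the pending challenge.
function refresh(sessionId, signatureB64, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || typeof signatureB64 !== 'string') return null;
  const ok = crypto.verify('sha256', Buffer.from(s.challenge), s.publicKey,
                           Buffer.from(signatureB64, 'base64'));
  return ok ? issueCookie(s, now) : null;
}

// Per-request check: the cookie by itself is honoured only until it expires.
function authorize(sessionId, cookie, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || typeof cookie !== 'string') return false;
  const a = Buffer.from(cookie), b = Buffer.from(s.cookie);
  return now < s.expires && a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

In this model the window in which a stolen cookie is usable is bounded by the cookie lifetime, so detection can focus on refresh requests that fail signature verification.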