Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, with macOS support coming soon. DBSC combats session theft by cryptographically binding authentication sessions to a specific device using hardware-backed security modules like TPM (Windows) and Secure Enclave (macOS). A unique public/private key pair is generated that cannot be exported, making exfiltrated cookies useless to attackers since new short-lived cookies require proof of the private key. The protocol is privacy-preserving by design, using per-session distinct keys to prevent cross-site tracking. Developed as an open W3C standard with input from Microsoft, Okta, and others, DBSC shifts session security from reactive detection to proactive prevention. Future work includes federated identity support, advanced registration capabilities, and software-based keys for devices without secure hardware.
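The binding described above is easiest to see as a proof-of-possession loop: the browser registers a public key whose private half lives in the TPM or Secure Enclave, the server hands out only short-lived cookies, and each renewal requires a signature over a fresh server challenge. The Go program below is an added, simplified model of that loop written for this page; it is not Chrome's implementation and does not use the real DBSC header or message format. It assumes ECDSA P-256 as the key algorithm, an in-memory session store, a challenge that is the session ID plus a random nonce, and a `DeviceKey` type standing in for the hardware module (only `Public()` and `Sign()` are exposed; the private key never leaves it). The point it demonstrates is the one the announcement makes: a copied cookie expires on its own, and it cannot be renewed without the device-resident key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// DeviceKey stands in for a TPM / Secure Enclave-resident key (assumption for
// this example): the private half stays inside; callers get Public() and Sign() only.
type DeviceKey struct{ priv *ecdsa.PrivateKey }

func NewDeviceKey() (*DeviceKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{priv: priv}, nil
}

func (k *DeviceKey) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign is the proof of possession over a server challenge.
func (k *DeviceKey) Sign(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, k.priv, d[:])
}

type Cookie struct {
	Value   string
	Expires time.Time
}

type session struct {
	pub       *ecdsa.PublicKey // key the session is bound to
	challenge []byte           // outstanding single-use challenge, nil if none
	cookie    Cookie           // current short-lived cookie
}

type Server struct {
	sessions  map[string]*session
	cookieTTL time.Duration
	now       func() time.Time // injectable clock so expiry can be demonstrated
}

func NewServer(ttl time.Duration) *Server {
	return &Server{sessions: map[string]*session{}, cookieTTL: ttl, now: time.Now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is not recoverable here
	}
	return hex.EncodeToString(b)
}

func (s *Server) issueCookie(sess *session) Cookie {
	sess.cookie = Cookie{Value: randomHex(16), Expires: s.now().Add(s.cookieTTL)}
	return sess.cookie
}

// Register binds a freshly authenticated session to the device's public key.
func (s *Server) Register(pub *ecdsa.PublicKey) (string, Cookie) {
	id := randomHex(8)
	sess := &session{pub: pub}
	s.sessions[id] = sess
	return id, s.issueCookie(sess)
}

// Challenge returns a fresh nonce prefixed with the session ID, so a signature
// cannot be replayed against another session or a later challenge.
func (s *Server) Challenge(sessionID string) ([]byte, error) {
	sess, ok := s.sessions[sessionID]
	if !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sess.challenge = append([]byte(sessionID+":"), nonce...)
	return sess.challenge, nil
}

// Refresh consumes the outstanding challenge, verifies the signature against the
// bound key, and only then issues a new short-lived cookie (which supersedes the old one).
func (s *Server) Refresh(sessionID string, sig []byte) (Cookie, error) {
	sess, ok := s.sessions[sessionID]
	if !ok || sess.challenge == nil {
		return Cookie{}, errors.New("no outstanding challenge")
	}
	d := sha256.Sum256(sess.challenge)
	sess.challenge = nil // single use, whether or not verification succeeds
	if !ecdsa.VerifyASN1(sess.pub, d[:], sig) {
		return Cookie{}, errors.New("proof of possession failed")
	}
	return s.issueCookie(sess), nil
}

// CookieValid reports whether the presented cookie is the current, unexpired one.
func (s *Server) CookieValid(sessionID string, c Cookie) bool {
	sess, ok := s.sessions[sessionID]
	return ok && sess.cookie.Value == c.Value && s.now().Before(sess.cookie.Expires)
}

func main() {
	srv := NewServer(time.Minute)
	key, _ := NewDeviceKey()
	id, cookie := srv.Register(key.Public())
	ch, _ := srv.Challenge(id)
	sig, _ := key.Sign(ch)
	fresh, err := srv.Refresh(id, sig)
	fmt.Println("device refresh ok:", err == nil && srv.CookieValid(id, fresh))
	other, _ := NewDeviceKey() // a different key cannot renew a copied cookie
	ch, _ = srv.Challenge(id)
	sig, _ = other.Sign(ch)
	_, err = srv.Refresh(id, sig)
	fmt.Println("refresh with wrong key rejected:", err != nil, "old cookie still valid:", srv.CookieValid(id, cookie))
}
```

Two details carry the security argument: `Refresh` clears the challenge before checking the signature, so a captured signature is worthless against any later challenge, and `issueCookie` replaces the session's cookie, so a copied cookie is useful only until the next rotation or its short TTL, whichever comes first. The injectable `now` clock exists so the expiry path can be exercised without waiting.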