BotBeat
...
← Back

> ▌

Google / AlphabetGoogle / Alphabet
PRODUCT LAUNCHGoogle / Alphabet2026-04-06

Google Chrome Introduces Device Bound Session Credentials on Windows to Combat Cookie Theft

Key Takeaways

  • ▸Device Bound Session Credentials use public/private key cryptography to bind user sessions to specific devices, making stolen cookies unusable on other devices
  • ▸Private keys are protected by hardware-based security (TPM) on Windows, providing strong cryptographic protection against extraction
  • ▸Integration requires only two new endpoints (registration and refresh) with minimal changes to existing authentication flows
Source:
Hacker Newshttps://developer.chrome.com/blog/dbsc-windows-announcement↗

Summary

Google has announced the availability of Device Bound Session Credentials (DBSC) in Chrome 145 on Windows, a new security feature designed to protect users from cookie theft and account compromise. DBSC works by cryptographically binding authentication sessions to a specific device through a public/private key pair, with the private keys secured in hardware using the device's Trusted Platform Module (TPM). This approach makes it significantly harder for attackers to misuse stolen cookies, as they would need access to the private key stored on the user's device to maintain a valid session.

The implementation is designed for ease of integration, requiring minimal changes to existing authentication workflows. Website developers can enable DBSC by serving a Secure-Session-Registration HTTP response header during user login, which prompts the browser to register the session's public key. When a bound cookie expires, Chrome contacts a refresh endpoint where servers can verify the browser still possesses the corresponding private key. If verification fails—such as when an attacker attempts to use a stolen cookie on a different device—the server can deny the request, effectively preventing unauthorized access.

  • The feature is now live in Chrome 145 on Windows and helps address a long-standing attack vector where stolen session cookies allow account impersonation

Editorial Opinion

Device Bound Session Credentials represent a meaningful step forward in session security, addressing one of the web's persistent vulnerabilities by leveraging hardware-backed cryptography available on modern devices. The low-friction implementation approach—requiring only two lightweight endpoints—removes a major barrier to adoption that has plagued previous session-binding proposals. However, the feature's initial Windows-only availability may limit its effectiveness until similar implementations arrive on macOS and Linux, where a significant portion of web users operate.

AI HardwareCybersecurityPrivacy & Data

More from Google / Alphabet

Google / AlphabetGoogle / Alphabet
INDUSTRY REPORT

AI Systems Failing at Fact-Checking, Still Wrong 45-60% of the Time, WIRED Analysis Shows

2026-07-05
Google / AlphabetGoogle / Alphabet
UPDATE

Google Cloud Strengthens Agentic AI Security with Enhanced VPC Service Controls

2026-07-05
Google / AlphabetGoogle / Alphabet
RESEARCH

Stanford Researchers Use Multi-Agent AI and Reinforcement Learning to Improve HIP Kernel Generation for AMD GPUs

2026-07-04

Comments

Suggested

IBMIBM
RESEARCH

IBM Unveils Nanostack Architecture, Claims World's First Sub-1 Nanometer Chip Technology

2026-07-05
IstotaIstota
PRODUCT LAUNCH

Istota: Open-Source Personal AI Operating System Launches with Privacy-First Design

2026-07-05
Google / AlphabetGoogle / Alphabet
UPDATE

Google Cloud Strengthens Agentic AI Security with Enhanced VPC Service Controls

2026-07-05
← Back to news
© 2026 BotBeat
AboutPrivacy PolicyTerms of ServiceContact Us