Protection of web sessions with Chrome 146: an advancement against session cookie theft

As cyber threats keep evolving, Google is shipping a new feature in Chrome 146 to harden web sessions. The feature, called Device Bound Session Credentials (DBSC), is aimed at defeating account hijacking via stolen session cookies. This article explains how the mechanism works and what it does and does not protect against.

Key Takeaways

  • Chrome 146 introduces Device Bound Session Credentials to protect web sessions against cookie theft.
  • This technology cryptographically ties a session to the originating device, making stolen cookies unusable elsewhere.
  • DBSC follows the W3C standardization process and could expand to other systems and devices in the future.

Infostealers and their evolution

In recent years, infostealers, malware built to harvest data from infected machines, have stopped limiting themselves to passwords and personal information. They now exfiltrate the session cookies stored by browsers, which let an attacker replay an already authenticated session on another machine without re-entering a password or completing MFA. This authentication bypass has become a major concern in the cybersecurity landscape.

DBSC: a new security approach

With the introduction of Device Bound Session Credentials, Google offers a new answer to this threat: the web session is cryptographically bound to the device on which it was started. On Windows, Chrome 146 uses the TPM to generate a public/private key pair for the session. The private key, which is required every time the session is extended, never leaves the originating device, so an attacker who copies the cookies to another machine cannot keep the session alive.

This mechanism does not change the user experience when signing in to a site. Servers need only add one step to their session-renewal procedure: before issuing fresh session cookies, they challenge the browser to prove it still holds the expected private key. This sharply limits the value of stolen cookies, which expire at the next renewal and cannot be renewed without the private key. Two caveats apply: a stolen cookie remains usable until that renewal, so the protection depends on keeping the cookie lifetime short, and malware running on the same device can still ask the key to sign challenges, so DBSC is a defence against cookies being used elsewhere, not against a fully compromised machine.

An open and collaborative protocol

DBSC is not specific to Chrome: it is being developed in the W3C Web Application Security Working Group, where Google is working with Microsoft and other stakeholders to standardize the protocol. Before the Windows rollout, it was tested with partners such as Okta to confirm that it holds up in real-world deployments.

The goal is to bring the technology to other platforms, including macOS, and to adapt it to enterprise environments, where Single Sign-On (SSO) is the norm. An extension to devices without a dedicated hardware security module is also planned, which would widen the range of machines on which DBSC can be used.

Future prospects for web session security

In 2026, web session security remains an active area of innovation. Initiatives such as Device Bound Session Credentials show how the major platform vendors are responding to increasingly sophisticated threats. With ever more services and interactions moving online, the challenge is to deliver robust security without degrading the user experience. The continued adoption of standardized protocols, backed by cross-industry collaboration, will be central to that effort.
