Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers.
Available in beta since April, DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device, preventing hackers from using such stolen cookies to bypass multi-factor authentication (MFA) and hijack users’ accounts.
DBSC works by cryptographically linking user sessions to the hardware, such as their computer’s security chip (e.g., the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS).
Since the unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip, they cannot be stolen, preventing attackers from using stolen session cookies.
“DBSC fundamentally changes the web’s capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users’ accounts,” Google said in April.
“DBSC strengthens account security after users are logged in and helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from. Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies,” it added this week.
The feature is now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.
Google added that it will be enabled by default for all Google Workspace customers upon rollout and that administrators cannot disable it.
In the past, threat actors have abused the undocumented Google OAuth “MultiLogin” API endpoint to generate new authentication cookies after stolen ones expired.
The Lumma and Rhadamanthys information-stealing malware operations have also claimed that they could restore expired Google authentication cookies stolen in attacks to gain access to infected users’ Google accounts.
At the time, Google advised customers to remove malware from their devices and recommended enabling Chrome’s Enhanced Safe Browsing security mode to defend against phishing and malware attacks.
However, the new Chrome Device Bound Session Credentials (DBSC) security feature should effectively block malicious actors from abusing such stolen cookies, as they will not have access to the cryptographic keys required to use them.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
