VYPR
Published Apr 10, 2026 · Updated May 18, 2026 · 1 source

Google Chrome 146 Introduces Device Bound Session Credentials to Block Infostealer Cookie Theft

Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146, cryptographically binding authentication sessions to hardware-backed keys to render stolen session cookies useless against infostealers.

Google has begun rolling out Device Bound Session Credentials (DBSC) in Chrome 146, a long-anticipated defense against infostealers that harvest session cookies to hijack authenticated web sessions. Announced on April 9 alongside the Chrome 146 release, the feature is now available for Windows users, with macOS support planned for a future release.

DBSC works by cryptographically binding each authentication session to the device that initiated it. When a user logs into a supporting website, Chrome generates a fresh public/private key pair for that session and stores the private key in hardware-backed storage: the Trusted Platform Module (TPM) on Windows, and the Secure Enclave on macOS once that platform is supported. The site records the public key, and the session cookie it issues is deliberately short-lived; each time the cookie nears expiry, the browser must sign a server-issued challenge with the private key before a new cookie is minted. Because the private key cannot be exported from the device, a cookie copied out of the browser's profile by malware expires within minutes and cannot be renewed by whoever holds it, which is what Google's Account Security team means by stolen cookies becoming useless. The protection is specifically against off-device replay: it does not by itself stop malware that stays resident on the victim's machine and drives the real browser, since that browser can still ask the TPM to sign.

The protocol was developed as an open standard through the World Wide Web Consortium (W3C), in collaboration with Microsoft and the Web Application Security Working Group. Industry stakeholders including Okta provided feedback to ensure broad compatibility. Websites can adopt hardware-bound sessions with minimal backend changes: the server needs to issue registration and refresh challenges and verify the resulting signatures, while the browser handles key generation, signing and automatic cookie rotation. Sites that do not opt in keep working unchanged, so the scheme stays backward compatible with existing cookie-based applications.

During early testing of the protocol in 2025, Google observed a significant reduction in session theft for sessions protected by DBSC. The design also limits data exposure: the only key material a site ever sees is the public half of the per-session key pair, and because each session gets a fresh pair, that public key is not a stable device identifier and cannot be used for cross-site tracking or fingerprinting.

Infostealers have become a dominant threat in the credential theft landscape, with malware families like REMUS, RedLine, and Vidar routinely copying browser-stored session cookies so that the post-login session can be replayed from another machine, sidestepping multi-factor authentication entirely. By making stolen cookies ephemeral and unrenewable off the device, DBSC directly undermines the business model of these malware-as-a-service operations.

Google's Account Security team is already working on future improvements, including expanding support for federated identity with cross-origin key binding, enabling stronger session registration using pre-existing trusted keys such as mTLS or hardware security keys, and exploring software-based key options to broaden device compatibility, particularly for enterprise use cases.

The rollout of DBSC marks a significant shift in browser-based authentication security, moving from purely software-based cookie protection to hardware-anchored session binding. As infostealers continue to evolve and target session tokens, this approach could become a standard defense across the web ecosystem.

Synthesized by Vypr AI