A new feature aimed at protecting internet users from information stealing malware, or infostealers, has been rolled out in the current version of Google Chrome browser.
Alongside the release of Chrome 147, which includes new security patches, Google announced on April 9 that Device Bound Session Credentials (DBSC) is now publicly available on Chrome 146.
Initially launched in April 2024, DBSC is designed to block infostealers from harvesting session cookie.
The system cryptographically associates authentication sessions to a specific device by generating a unique public/private key pair stored on hardware-backed security modules, such as the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS, so that the pair cannot be exported from the machine.
“Because attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless to those attackers,” said the Google Account Security team in a blog.
The system allows websites to implement hardware-bound sessions with minimal backend adjustments, while the browser automates cryptographic protections and cookie rotation. This ensures backward compatibility, letting apps continue using standard cookies as before.
The protocol also minimizes data exposure, sharing only the per-session public key needed for authentication without leaking device identifiers or enabling cross-site tracking or fingerprinting.
DBSC was developed as an open standard vetted by the World Wide Web Consortium (W3C) in collaboration with Microsoft and the Web Application Security Working Group, with input from industry stakeholders, including feedback from Okta and other platforms to ensure broad compatibility and effectiveness.
After experimenting with an early version of this protocol in 2025, Google observed “a significant reduction in session theft” for sessions protected by DBSC.
The system is now enabled for Windows users on Chrome 146 and Google is looking to expand it to macOS in an upcoming Chrome release.
The Google Account Security team are also working on future improvements, including expanding support for federated identity with cross-origin key binding, enabling stronger session registration using pre-existing trusted keys (e.g. mTLS or hardware security keys), and exploring software-based key options to broaden device compatibility, particularly for enterprise use cases.
Image credit: viewimage / Shutterstock.com
Read now: Chrome Unveils Plan For Quantum-Safe HTTPS Certificates
