Google Chrome adds session cookie theft protection for all users

Google has made its Chrome Device Bound Session Credentials (DBSC) security feature generally available, rolling it out to all users to prevent attackers from taking stolen session cookies and bypassing multi-factor authentication.

The next time an attacker steals a session cookie, Chrome is designed to deny them the shortcut.

Google says its Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers.

The protection had been in beta since April, but the shift from limited testing to an all-user rollout is the point many security teams have been waiting for. DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device—closing the door on a well-known attack path where stolen cookies are used to get past multi-factor authentication (MFA).

Session cookies are small files websites use to remember user information after you log in. In a traditional setup, that cookie—once exfiltrated—can sometimes be replayed from any machine. DBSC changes the rules by linking user sessions to the hardware itself. Google says it works by cryptographically binding sessions to a computer’s security chip, including the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS.

That detail matters. Google says the unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip. Because the private key never leaves that chip, it can’t be exfiltrated along with the cookie, so attackers can’t use stolen session cookies to unlock the same account session.

In April, Google described DBSC as a shift away from trying to catch fraud after the fact: “DBSC fundamentally changes the web’s capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users’ accounts,” Google said at the time.

Google reiterated the same core idea this week: “DBSC strengthens account security after users are logged in and helps bind a session cookie — small files used by websites to remember user information — to the device a user authenticated from. Even if malware was present on the user’s device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies,” it added.

The rollout also spells out who gets the protection. Google says DBSC is now rolling out to all Google Workspace customers, Workspace Individual subscribers, and users with personal Google accounts.

For Workspace customers, it will be enabled by default during the rollout—and administrators can’t disable it.

Chrome’s move lands in the middle of a threat landscape that has shown persistence in stealing and reusing authentication. In the past, threat actors have abused the undocumented Google OAuth “MultiLogin” API endpoint to generate new authentication cookies after stolen ones expired. Malware operations including Lumma and Rhadamanthys have also claimed they could restore expired Google authentication cookies stolen in attacks to gain access to infected users’ Google accounts.

When DBSC was first discussed, Google advised customers to remove malware from their devices and recommended enabling Chrome’s Enhanced Safe Browsing security mode to defend against phishing and malware attacks.

DBSC doesn’t remove the need for that baseline hygiene. But it targets a specific moment attackers often rely on: the period after a user is already logged in.

There’s a simple sequence at the heart of the change. Chrome binds the session to device-generated cryptographic keys; those keys aren’t extractable in the way attackers need; and—because of that—stolen cookies can’t be used to reach the same account session. In other words, the theft can still happen, but the payoff is designed to disappear.

4 Comments

  1. Good. I hate when hackers just paste a session cookie and pretend it’s them. But I’m guessing the “security chip” thing means only new laptops? Like my old Windows is gonna be screwed?

  2. Wait, I thought MFA already blocked cookie replays?? Like if they steal it, MFA should still ask you to verify, right? Unless Google is saying MFA is pointless without this feature which… kinda wild.

  3. This sounds great but also I don’t trust it, because what if it breaks logins when you switch devices or reinstall Chrome. And “cryptographically bound to your hardware” like… does that mean the browser will keep pinging my TPM/Secure Enclave and tracking me more? I saw something similar and it ended up being annoying.
