Chrome 146 Hardens Against Cookie Theft with Device-Bound Session Credentials
**Google** has rolled out Device Bound Session Credentials (DBSC) in **Chrome** 146 for Windows, a new defense designed to thwart info-stealing malware. This feature cryptographically binds user sessions to specific hardware, rendering stolen session cookies useless to attackers.
## Chrome Fortifies Session Security with DBSC
**Google** is bolstering **Chrome's** security with the introduction of Device Bound Session Credentials (DBSC) in version 146, initially for Windows users. This enhancement aims to neutralize the threat of infostealer malware by preventing the exploitation of stolen session cookies. Support for macOS is slated for a future release.

The DBSC system works by establishing a cryptographic link between a user's session and the device's hardware, using the Trusted Platform Module (TPM) on Windows and, in the future, the Secure Enclave on macOS. The key pair that protects the session is generated by the security chip, and its private half stays locked inside that hardware.
Because the private key never leaves the machine, an attacker who steals the session data cannot use it elsewhere: the key the server expects the browser to hold cannot be exported along with the cookies.
"The issuance of new short-lived session cookies is contingent upon **Chrome** proving possession of the corresponding private key to the server," **Google** stated in its announcement. Without this key, any exfiltrated session cookie becomes immediately invalid.
### How DBSC Works
A session cookie acts as a long-lived authentication token, created server-side based on username and password. Attackers often target these cookies using specialized malware, like **LummaC2**, to bypass traditional authentication methods.

*Figure: browser-server interaction in the DBSC protocol (source: Google)*
"Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system," **Google** explained.
The DBSC protocol is designed with privacy in mind. Each session is backed by a distinct key, preventing websites from correlating user activity across sessions or sites. The protocol minimizes information exchange, requiring only the per-session public key for proof of possession and avoiding the leakage of device identifiers.
### Industry Collaboration
In testing with platforms like **Okta**, **Google** observed a significant reduction in session theft incidents. **Google** collaborated with **Microsoft** to develop DBSC as an open web standard, incorporating feedback from the web security community.
Websites can implement DBSC by adding dedicated registration and refresh endpoints to their backends, ensuring compatibility with existing frontends. Developers can find implementation details in **Google's** guide and specifications on the World Wide Web Consortium (W3C) website, with an explainer available on GitHub.