Google Chrome Bolsters Security with Device Bound Session Credentials (DBSC) to Combat Session Theft
**Google** has announced the general availability of **Device Bound Session Credentials (DBSC)** for **Chrome** on Windows, a security feature designed to thwart session theft. By cryptographically binding authentication sessions to specific devices, **DBSC** renders stolen cookies useless, even if exfiltrated by malware.
# Google Chrome Implements Device-Bound Session Credentials to Mitigate Session Theft
**Google** has officially rolled out **Device Bound Session Credentials (DBSC)** to all Windows users of its **Chrome** web browser, following an open beta testing phase. This security enhancement aims to combat the pervasive threat of session theft, with plans to extend the feature to macOS in future releases.

## Addressing the Threat of Session Theft
Session theft involves the unauthorized extraction of session cookies from a user's web browser, often facilitated by information-stealing malware such as Atomic, Lumma, and Vidar Stealer. These cookies, which can have extended lifespans, allow attackers to access online accounts without needing passwords. Stolen tokens are frequently sold to other cybercriminals, enabling further malicious activities.

## How DBSC Works
First announced in April 2024, **DBSC** mitigates this risk by cryptographically tying authentication sessions to a specific device. This is achieved using hardware-backed security modules, such as the Trusted Platform Module (**TPM**) on Windows and the Secure Enclave on macOS, to generate a unique public/private key pair that cannot be exported from the device.

**Google** explains that the issuance of new short-lived session cookies is contingent upon **Chrome** proving possession of the corresponding private key to the server. Since attackers cannot steal this key, any exfiltrated cookies quickly expire and become useless.

In cases where a device lacks secure key storage support, **DBSC** seamlessly reverts to standard behavior without disrupting the authentication process.
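
The proof-of-possession refresh described above, as an added example that is not Chrome's or Google's code and does not reproduce the DBSC wire format. It is a simplified Node.js server model; the function names, the 5-minute cookie lifetime and the software P-256 key standing in for the TPM-held key are all assumptions.

```javascript
// Simplified model of device-bound session refresh (added example, NOT the DBSC wire format).
const crypto = require("node:crypto");

const COOKIE_TTL_MS = 5 * 60 * 1000; // assumed short cookie lifetime
const sessions = new Map();          // sessionId -> { publicKey, nonce, cookie, expires }

// Registration: the server stores only the per-session public key.
function registerSession(publicKey) {
  const sessionId = crypto.randomUUID();
  sessions.set(sessionId, { publicKey, nonce: null, cookie: null, expires: 0 });
  return sessionId;
}

// The server hands out a fresh single-use challenge before each refresh.
function issueChallenge(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return null;
  s.nonce = crypto.randomBytes(32).toString("hex");
  return s.nonce;
}

// Refresh: a new short-lived cookie is issued only for a valid signature over the challenge.
function refreshCookie(sessionId, signature, now) {
  const s = sessions.get(sessionId);
  if (!s || !s.nonce) return null;
  const signed = Buffer.from(`${sessionId}.${s.nonce}`);
  s.nonce = null; // consume the challenge so a captured response cannot be replayed
  if (!crypto.verify("sha256", signed, s.publicKey, signature)) return null;
  s.cookie = crypto.randomBytes(32).toString("hex");
  s.expires = now + COOKIE_TTL_MS;
  return s.cookie;
}

// Request-time check: the cookie must match the current one and must not have expired.
function cookieIsValid(sessionId, cookie, now) {
  const s = sessions.get(sessionId);
  if (!s || !s.cookie || typeof cookie !== "string" || now >= s.expires) return false;
  const a = Buffer.from(cookie), b = Buffer.from(s.cookie);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Client side: stands in for the hardware-held key (a software key here, for the demo only).
function signChallenge(privateKey, sessionId, nonce) {
  return crypto.sign("sha256", Buffer.from(`${sessionId}.${nonce}`), privateKey);
}
```

In this model a copied cookie passes `cookieIsValid` only until `expires`; after that, `refreshCookie` returns `null` for any party that cannot sign the challenge with the registered key.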

## Early Success and Future Plans
**Google** reports a significant reduction in session theft since the initial launch of **DBSC**, indicating the effectiveness of this countermeasure. The company plans to expand **DBSC** to a wider range of devices and introduce advanced features for better integration with enterprise environments.

## Privacy-Focused Design
**Google**, in collaboration with **Microsoft**, designed the **DBSC** standard with privacy in mind, aiming to establish it as an open web standard. The architecture ensures that websites cannot use session credentials to correlate user activity across different sessions or sites on the same device. The protocol is designed to be lean, avoiding the leakage of device identifiers or attestation data beyond the per-session public key required for proof of possession. This minimal information exchange ensures that **DBSC** secures sessions without enabling cross-site tracking or acting as a device fingerprinting mechanism.