Google Chrome's Device Bound Session Credentials (DBSC) Now Generally Available to Thwart Cookie Theft
**Google** has announced the general availability of its Chrome Device Bound Session Credentials (**DBSC**) feature, designed to prevent account takeovers by cryptographically binding session cookies to specific devices. This proactive security measure aims to neutralize the threat of stolen cookies, even in the presence of malware.

**Google** says the **Chrome** Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers.
Available in beta since April, DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device, preventing hackers from using such stolen cookies to bypass multi-factor authentication (MFA) and hijack users' accounts.
### How DBSC Works
DBSC works by cryptographically linking user sessions to the hardware, such as their computer's security chip (e.g., the Trusted Platform Module (TPM) on **Windows** and the Secure Enclave on **macOS**).
Because the unique public/private keys used to encrypt and decrypt sensitive data are generated by the security chip, they cannot be stolen, so an attacker who exfiltrates the session cookies cannot use them.
"DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated cookies cannot be used to access users' accounts," **Google** said in April.
"DBSC strengthens account security after users are logged in and helps bind a session cookie (small files used by websites to remember user information) to the device a user authenticated from. Even if malware was present on the user's device, DBSC reduces the risk of session theft and makes it meaningfully more difficult for malicious actors to exploit stolen session cookies," it added this week.

The feature is now rolling out to all **Google Workspace** customers, Workspace Individual subscribers, and users with personal **Google** accounts.
**Google** added that it will be enabled by default for all **Google Workspace** customers upon rollout and that administrators cannot disable it.
### Past Abuses and Mitigation
In the past, threat actors have abused the undocumented **Google** OAuth "MultiLogin" API endpoint to generate new authentication cookies after stolen ones expired.
The **Lumma** and **Rhadamanthys** information-stealing malware operations have also claimed that they could restore expired **Google** authentication cookies stolen in attacks to gain access to infected users' **Google** accounts.
At the time, **Google** advised customers to remove malware from their devices and recommended enabling **Chrome's** Enhanced Safe Browsing security mode to defend against phishing and malware attacks.
However, the new Chrome Device Bound Session Credentials (DBSC) security feature should effectively block malicious actors from abusing such stolen cookies, as they will not have access to the cryptographic keys required to use them.
