Google Chrome rolls out Device Bound Session Credentials to all users, binding cookies to TPM/Secure Enclave against theft

Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the device's hardware security chip (the TPM on Windows or the Secure Enclave on macOS). Because the key pair is generated inside the security chip and the private key never leaves it, a stolen cookie is useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is most effective where sites adopt the DBSC server-side protocol.
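The binding described above, reduced to its server-side core, as an added illustration that is not Google's or Chrome's code: the server records the device public key at registration, issues a random challenge before renewing the short-lived cookie, and accepts the renewal only if the challenge was signed by the bound key. The HTTP headers and JWT framing of the real DBSC protocol are omitted; the names below are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// BoundSession is the server-side record for one device-bound session: the
// device public key presented at registration and the outstanding challenge.
type BoundSession struct {
	DevicePub *ecdsa.PublicKey
	Challenge []byte
}

// NewDeviceKey stands in for the browser asking the TPM/Secure Enclave for a
// fresh P-256 key pair; in the real design the private half never leaves it.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewChallenge issues a fresh 32-byte nonce that the device must sign before
// the server will mint another short-lived cookie for this session.
func (s *BoundSession) NewChallenge() ([]byte, error) {
	s.Challenge = make([]byte, 32)
	if _, err := rand.Read(s.Challenge); err != nil {
		return nil, err
	}
	return s.Challenge, nil
}

// DeviceSign stands in for the security chip signing the challenge.
func DeviceSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Refresh verifies the signature against the key bound at registration, so a
// cookie copied off the device cannot be renewed without the chip-held private
// key. The challenge is consumed on every attempt, so it cannot be replayed.
func (s *BoundSession) Refresh(sig []byte) error {
	if s.Challenge == nil {
		return errors.New("no outstanding challenge")
	}
	digest := sha256.Sum256(s.Challenge)
	s.Challenge = nil
	if !ecdsa.VerifyASN1(s.DevicePub, digest[:], sig) {
		return errors.New("signature not from bound device key")
	}
	return nil
}
```

A session is created with `&BoundSession{DevicePub: &devKey.PublicKey}` once the browser has presented its public key; a refresh signed by any other key, or a replayed signature, is rejected.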

Check

Confirm managed Chrome fleets are updated to the DBSC-capable release. For your own web properties, evaluate adopting the server-side DBSC protocol to bind user sessions to device hardware.

Affected

Organizations relying on session cookies without device binding remain exposed to infostealer-driven account takeover that bypasses MFA. DBSC only protects sessions where both browser and server support it.

Fix

Roll out DBSC-capable Chrome via policy. Implement the DBSC server-side protocol on high-value web apps. Pair with phishing-resistant MFA and short session lifetimes for defense in depth.