Overview
- Google’s Device Bound Session Credentials, which entered public availability Thursday, now ship in Chrome 146 for Windows with macOS support planned in a future release.
- DBSC ties each login session to a key stored in the PC’s security chip, using the Trusted Platform Module on Windows so the browser must prove the key is present before a site refreshes access.
- Session cookies let you stay logged in without reentering codes, so infostealer malware that lifts them can sidestep two-factor prompts.
- Websites that adopt DBSC need new registration and refresh endpoints on their backends, while Chrome handles the cryptography and rotates short‑lived cookies in the background.
- In a year of trials with partners such as Okta, Google observed a significant drop in session theft on accounts protected by the new system.