Google said Chrome’s Device Bound Session Credentials security feature is now generally available and is rolling out to all users to help prevent account takeovers by blocking stolen session cookies from being reused.
KEY FACTS
- Feature: DBSC binds session cookies to a device.
- Protection: Stolen cookies cannot be used without the linked cryptographic keys.
- Rollout: It is reaching Google Workspace customers, Workspace Individual subscribers and personal Google account users.
- Default setting: It will be enabled by default for Workspace customers, and administrators cannot disable it.
The feature had been available in beta since April and was first announced in 2024 as a way to stop attackers from using stolen cookies to bypass multi-factor authentication and hijack accounts. The Google Workspace update said the feature links a session to hardware such as the Trusted Platform Module on Windows or the Secure Enclave on macOS.
Google said the keys used for the protection are generated by the security chip and cannot be stolen. That design is meant to keep attackers from reusing cookies even if malware has already reached a device and exfiltrated session data.
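The binding described above can be sketched as a server-side proof-of-possession check. This is an added example, not Google's code or the DBSC wire format; the names `newDevice`, `SessionServer` and `demo` are hypothetical, and a software key stands in for the hardware-held one.

```javascript
// Simplified device-bound session check (constructed; not the DBSC wire format).
const crypto = require('crypto');

// Device side: in DBSC the private key stays inside the TPM / Secure Enclave.
// Assumption: a software P-256 key stands in for the hardware key here.
function newDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (challenge) => crypto.sign('sha256', challenge, privateKey) };
}

// Server side: each cookie is stored with the public key registered at login.
class SessionServer {
  constructor() { this.sessions = new Map(); }
  login(devicePublicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { publicKey: devicePublicKey, challenge: null });
    return cookie;
  }
  // A fresh random challenge per refresh keeps an old signature from being reused.
  issueChallenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32);
    return s.challenge;
  }
  // The session continues only if the signature verifies against the bound key.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return false;
    const challenge = s.challenge;
    s.challenge = null; // single use
    return crypto.verify('sha256', challenge, s.publicKey, signature);
  }
}

function demo() {
  const server = new SessionServer();
  const owner = newDevice();
  const other = newDevice(); // holds a copy of the cookie but not the owner's key
  const cookie = server.login(owner.publicKey);
  const sig1 = owner.sign(server.issueChallenge(cookie));
  const legit = server.refresh(cookie, sig1);   // bound device: accepted
  server.issueChallenge(cookie);
  const replay = server.refresh(cookie, sig1);  // old signature, new challenge
  const copied = server.refresh(cookie, other.sign(server.issueChallenge(cookie)));
  return { legit, replay, copied };
}
```

The cookie value is identical in all three refresh attempts; only the one signed by the key registered at login succeeds.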
The company has previously warned that threat actors abused the undocumented Google OAuth MultiLogin API endpoint to generate new authentication cookies after stolen ones expired. It also said malware crews claimed they could revive expired Google authentication cookies to regain access to compromised accounts.
WHY IT MATTERS
The rollout adds another layer of defense after login, when stolen cookies have often been used to bypass other protections. For users and administrators, the change could reduce the risk of account takeover even if credentials or cookies are exposed.

