SecurityWeek • 4w
Google Chrome Implements Device Bound Session Credentials (DBSC) to Combat Token Theft
Google has transitioned Device Bound Session Credentials (DBSC) from beta to General Availability (GA) for Chrome on Windows. This architectural update mitigates session cookie theft and authentication token exfiltration, common vectors used by adversaries to bypass Multi-Factor Authentication (MFA) and execute account takeovers. By cryptographically binding session tokens to a specific hardware device, DBSC prevents stolen cookies from being reused on unauthorized machines, effectively neutralizing "pass-the-cookie" attacks. The feature is now enabled by default for all Google Workspace customers and Individual subscribers.
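The binding idea described above, as an added example (not code from Google, Chrome, or the article): a simplified proof-of-possession model in which a session cookie can only be refreshed by signing a server challenge with the key registered at login. It is not the DBSC wire protocol; the `Server` class, `newDevice` helper, and the software P-256 key standing in for a hardware-protected key are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed model: a software P-256 key stands in for a hardware-protected device key.
function newDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (data) => crypto.sign('sha256', Buffer.from(data), privateKey) };
}

// Hypothetical server that binds each session to the public key seen at login.
class Server {
  constructor() { this.sessions = new Map(); }

  // At login the server records the device public key alongside the session.
  register(devicePublicKey) {
    const cookie = crypto.randomBytes(16).toString('hex');
    this.sessions.set(cookie, { key: devicePublicKey, challenge: null });
    return cookie;
  }

  // Each refresh starts with a fresh, single-use challenge for that session.
  challenge(cookie) {
    const s = this.sessions.get(cookie);
    if (!s) return null;
    s.challenge = crypto.randomBytes(32).toString('hex');
    return s.challenge;
  }

  // The cookie is rotated only if the challenge was signed by the registered key.
  refresh(cookie, signature) {
    const s = this.sessions.get(cookie);
    if (!s || !s.challenge) return null;
    const ok = crypto.verify('sha256', Buffer.from(s.challenge), s.key, signature);
    s.challenge = null; // single use, even when verification fails
    if (!ok) return null;
    this.sessions.delete(cookie);
    return this.register(s.key);
  }
}

function demo() {
  const server = new Server();
  const victim = newDevice(), other = newDevice();
  const cookie = server.register(victim.publicKey);
  // A copied cookie on another machine: that machine can only sign with its own key.
  const stolen = server.refresh(cookie, other.sign(server.challenge(cookie)));
  // The original device proves possession of the registered key.
  const fresh = server.refresh(cookie, victim.sign(server.challenge(cookie)));
  return { stolenRefreshed: stolen !== null, legitimateRefreshed: fresh !== null, rotated: fresh !== cookie };
}
```

In this model the copied cookie value alone is not enough: the refresh step fails on any machine that does not hold the registered private key.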