Bottom Line: Google binds session cookies cryptographically to the device’s security chip, rendering stolen cookies worthless on other computers and blocking infostealer malware.
On May 25, 2026, Google rolled out the Device Bound Session Credentials (DBSC) feature globally for Chrome, which cryptographically binds session cookies to the security chip of computers, thereby blocking cookie-based account takeovers.
Device Bound Session Credentials bind authentication cookies to the device hardware: When signing in to compatible web services, the Chrome browser no longer generates a simple session cookie. Instead, it creates an asymmetric key pair through a special HTTP protocol. On Windows systems, this key pair is generated and stored in the Trusted Platform Module (TPM); on macOS, in the Secure Enclave. The private key never leaves the hardware module and therefore cannot be extracted even if the operating system is completely compromised.
The web server periodically requests the browser to cryptographically prove ownership of the private key before issuing new short-lived session cookies. If a cookie is copied to a foreign device, it cannot provide this proof — access is denied and the session becomes invalid. This also blocks the practice of criminal networks renewing stolen authentication cookies through the Google OAuth MultiLogin endpoint.
The rollout began on May 25, 2026, and is scheduled to complete within a maximum of 60 days. The technology is designed to counter specialized infostealer malware such as LummaC2 and Rhadamanthys, which systematically extract browser cookie databases and deploy the stolen data on their own systems to gain unauthorized account access — without needing to enter passwords or two-factor codes. With DBSC, stolen cookies become useless on foreign devices in the shortest time.
For Google Workspace customers, Workspace individual subscribers, and private Google account holders, DBSC is being activated gradually. The concept was developed in 2024, with beta testing running since spring 2026 on Windows.
Source: www.it-daily.net · Published June 1, 2026
Lumi AI News — AI-assisted curation according to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.8.