Google has quietly shipped one of the more meaningful browser security updates, and chances are you’ll never notice it’s there, which, I think, is the entire point.
Device Bound Session Credentials, or DBSC, is now available in Chrome on Windows for all Google Workspace users, including Individual subscribers and users with personal accounts. The feature is enabled by default, so that you don’t have to fiddle with any settings.
What is DBSC and why does it matter?
Every time you log into a website, your browser stores a small file called a session cookie for subsequent visits, so you don’t have to provide your credentials every time you load a new page.
The problem, however, is that if your device is affected by any type of malware, it can steal those cookies and send them to an attacker, who can then use them to access your accounts, without ever needing your password. They can even bypass two-factor authentication.
This type of attack is more common than most people realize, and the sad part is that it works even on accounts with relatively stronger security settings. The good news is that DBSC addresses this by tying the session cookie to the specific device the browser created it on.
An added security layer in the background
So, even if malware copies the session details or cookie and passes it along to someone else, the information becomes unusable outside the device it was created on. The added security layer works silently in the background as you continue going about your day on Chrome.
DBSC, in my opinion, is a part of a broader industry push to phase out traditional session cookies entirely. The World Wide Web Consortium already has an open specification for this that has existed for about three years now, and Microsoft has been quietly equipping Edge with the same standard.
