Google has rolled out a major security update for Chrome called Device Bound Session Credentials (DBSC). The feature is designed to stop hackers from stealing session cookies, a common technique used to bypass two-factor authentication (2FA).
When you log into a website, your browser stores a session cookie to keep you authenticated. Hackers who steal these cookies can impersonate your session on their own device, effectively bypassing 2FA. DBSC mitigates this by storing session cookies on your device's dedicated security chip-such as a PC's Trusted Platform Module or a Mac's Secure Enclave. These chips encrypt the data, making it nearly impossible for malware to extract the cookies.
The feature has been in beta testing since April and is now rolling out automatically to all Chrome users, including Workspace and Enterprise accounts. DBSC is enabled by default and cannot be disabled by administrators. It is available on Chrome version 146 or later for Windows and version 148 or later for Mac. Users are advised to update Chrome to ensure they have the latest protections.