Device Bound Session Credentials now available on Windows

Daniel Rubery

We're excited to announce that Device Bound Session Credentials (DBSC) are now available in Chrome 145 on Windows, offering a new way to protect users from cookie theft.

Session cookies have long been a target for attackers. Stealing cookies allows an attacker to impersonate a user and gain access to their accounts. DBSC helps secure user sessions by binding them to the device they're on: the browser creates a public/private key pair for the session, and the session is cryptographically bound to that key pair. Chrome on Windows protects the private key in hardware using the Trusted Platform Module (TPM).

With DBSC, you can verify that a user is on the same device throughout their session by requesting proof that the browser still possesses the private key. This makes it significantly harder for attackers to use stolen cookies, because they typically won't have access to the private key on the user's device.

How DBSC works

DBSC is designed for straightforward integration. When a user logs in, you can initiate DBSC by serving the Secure-Session-Registration HTTP response header. This header tells the browser to call a registration endpoint on your site with the public key for the session. Your registration endpoint should then store this public key and respond with session configuration to establish the bound session.

Once the session is bound, whenever a bound cookie is about to expire, Chrome contacts a refresh endpoint that you provide. On this endpoint, you can challenge the browser to prove it still possesses the private key associated with the session. If the challenge succeeds, you issue a fresh cookie that authenticates subsequent requests. If it fails, for example because an attacker is trying to use a stolen cookie on a different device without access to the TPM, you can deny the request.

This protocol requires no changes to your authentication flows outside of these two endpoints.
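The following is an added example, not code from the original post or from Chrome, showing what the two server-side endpoints described above have to do: the registration endpoint stores the session's public key, and the refresh endpoint issues a single-use challenge and only mints a new cookie when the signature over that challenge verifies with the stored key. It is written in Go; the `SessionServer` and `DeviceKey` types, the in-memory session store and the use of an in-process ECDSA P-256 key in place of the TPM-held key are all assumptions of this example, and the real DBSC header and proof wire formats are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SessionServer is the site's side of DBSC (assumed type, not part of any Chrome API):
// it keeps the public key received at registration and checks proof of possession
// each time the bound cookie is refreshed.
type SessionServer struct {
	sessions map[string]*ecdsa.PublicKey // session id -> bound public key
	pending  map[string][]byte           // session id -> outstanding challenge
}

func NewSessionServer() *SessionServer {
	return &SessionServer{sessions: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func randomHex(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Register models the registration endpoint named by the Secure-Session-Registration
// header: the browser presents the session's public key, the server stores it and
// hands back a session id (in the real flow this id rides in the bound cookie).
func (s *SessionServer) Register(pub *ecdsa.PublicKey) (string, error) {
	if pub == nil {
		return "", errors.New("registration without a public key")
	}
	id, err := randomHex(16)
	if err != nil {
		return "", err
	}
	s.sessions[id] = pub
	return id, nil
}

// Challenge is the first half of the refresh endpoint: a fresh, single-use nonce
// that the browser must sign with the private key bound to this session.
func (s *SessionServer) Challenge(sessionID string) ([]byte, error) {
	if _, ok := s.sessions[sessionID]; !ok {
		return nil, errors.New("unknown session")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[sessionID] = nonce
	return nonce, nil
}

// Refresh is the second half: verify the signature over the outstanding challenge
// with the stored public key and only then issue a new cookie. The challenge is
// consumed whether or not verification succeeds, so a captured signature cannot
// be replayed by someone who holds the cookie but not the key.
func (s *SessionServer) Refresh(sessionID string, sig []byte) (string, error) {
	pub, ok := s.sessions[sessionID]
	nonce, hasNonce := s.pending[sessionID]
	delete(s.pending, sessionID)
	if !ok || !hasNonce {
		return "", errors.New("no session or no outstanding challenge")
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("proof of possession failed: caller lacks the bound private key")
	}
	cookie, err := randomHex(16)
	if err != nil {
		return "", err
	}
	return "session=" + cookie, nil
}

// DeviceKey stands in for the browser's key pair. In Chrome on Windows the private
// half lives in the TPM; here it is a plain in-memory key so the example runs anywhere.
type DeviceKey struct{ priv *ecdsa.PrivateKey }

func NewDeviceKey() (*DeviceKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{priv: priv}, nil
}

func (d *DeviceKey) Public() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a refresh challenge with ECDSA P-256 over SHA-256 (ES256-style).
func (d *DeviceKey) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

func main() {
	srv := NewSessionServer()
	dev, _ := NewDeviceKey()
	sid, _ := srv.Register(dev.Public())
	nonce, _ := srv.Challenge(sid) // refresh from the device that holds the key
	sig, _ := dev.Sign(nonce)
	cookie, err := srv.Refresh(sid, sig)
	fmt.Println("same device:", cookie, err)
	thief, _ := NewDeviceKey() // stolen cookie replayed from another machine
	nonce, _ = srv.Challenge(sid)
	sig, _ = thief.Sign(nonce)
	_, err = srv.Refresh(sid, sig)
	fmt.Println("other device:", err)
}
```

Running `main` shows the two outcomes the post describes: the device that generated the key gets a fresh cookie, while a holder of the same session id on a different device fails the challenge and is denied. Deleting the pending challenge before verifying is the detail to keep even in a simplified server: it makes each challenge single-use regardless of outcome.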

To learn more about implementing DBSC, see the Device Bound Session Credentials developer guide.