Chrome 146 ships hardware-bound session cookies to neuter infostealer theft
Original source: Google Chrome adds infostealer protection against session cookie theft (BleepingComputer)
Chrome 146 on Windows now ships Device Bound Session Credentials (DBSC), which ties an authenticated browser session to a private key generated inside the device's TPM and never exportable from it. Session cookies become short-lived: each time one expires, Chrome must answer a fresh server challenge with a signature from that key before a replacement is issued. A cookie an infostealer lifts from disk or memory is therefore usable only until its short lifetime runs out, and the attacker, holding no key, cannot obtain another one from a different machine. macOS support, backed by the Secure Enclave, is slated for a later release.
The move is a direct response to commodity stealers like LummaC2, which have industrialized session cookie harvesting to bypass passwords and MFA entirely. Google's position is blunt: once malware is resident on a host, software alone cannot stop cookie exfiltration, so the trust anchor has to move into hardware. A year-long pilot with Okta and other partners reportedly reduced session theft events meaningfully, though no figures are given.
DBSC was developed jointly with Microsoft as an open specification under the W3C. Each session gets its own key pair, so sites cannot correlate a user across origins, and the handshake is minimal: the server issues a challenge, the browser returns a signed response carrying only the public key, and the session is bound to that key. Sites adopt it by adding a registration endpoint and a refresh endpoint on the backend, leaving existing frontends untouched. That is a relatively low-friction path, but it still requires server-side work, so users see no benefit on a given service until that service deploys the endpoints.
This is an AI-generated summary. Read the original for the full story.