
Google just shipped one of the most significant browser security features in years: Device Bound Session Credentials (DBSC), now generally available in Chrome 146 for Windows. DBSC cryptographically binds your authentication cookies to your specific device — meaning stolen session cookies become completely useless on any other machine.
This directly addresses the attack technique behind infostealer malware (RedLine, Lumma, Vidar), the Axios supply chain RAT, and every browser token theft attack we've covered this year. Google's internal testing showed DBSC blocked 94% of attempted cookie theft scenarios.
Session cookie theft has become the primary way attackers bypass MFA. Here's how the theft works today:
This is why we've seen MFA bypassed in the Axios supply chain attack, the CPUID/STX RAT compromise, and thousands of business email compromise incidents. The attacker doesn't need your password or your MFA code — they just need the cookie.
DBSC uses your device's hardware security module — the TPM (Trusted Platform Module) on Windows or the Secure Enclave on macOS — to create a cryptographic binding between the session cookie and your physical device:
Each DBSC session uses a distinct cryptographic key — websites can't correlate your activity across different sessions or sites. No device identifiers or attestation data are shared with the server. DBSC is not a fingerprinting mechanism.
Verify on a device with:

- `Get-Tpm` in PowerShell
- `chrome://device-bound-session-credentials` in Chrome

DBSC is a powerful new layer, but it's one layer in a defense-in-depth stack:
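Turning those two checks into a fleet-wide readiness report, as an added example that is not from the original post: the function assumes Chrome's default per-machine install path, takes the 146 minimum from the post, and needs an elevated session because `Get-Tpm` requires administrator rights.

```powershell
# Added example: report whether one Windows host can use DBSC (TPM 2.0 ready + Chrome >= 146).
function Test-DbscReadiness {
    param([int]$MinChromeMajor = 146)   # minimum version stated in the post

    # TPM: DBSC on Windows relies on a TPM 2.0 that is present and ready for use.
    $tpm     = Get-Tpm
    $tpmSpec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm `
                                -ClassName Win32_Tpm).SpecVersion     # e.g. "2.0, 0, 1.59"
    $tpmOk   = $tpm.TpmPresent -and $tpm.TpmReady -and ($tpmSpec -like '2.0*')

    # Chrome: read the installed version from chrome.exe's file metadata (assumed default paths).
    $chromePaths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    $chromeExe     = $chromePaths | Where-Object { Test-Path $_ } | Select-Object -First 1
    $chromeVersion = if ($chromeExe) { (Get-Item $chromeExe).VersionInfo.ProductVersion } else { $null }
    $chromeMajor   = if ($chromeVersion) { [int]($chromeVersion.Split('.')[0]) } else { 0 }
    $chromeOk      = $chromeMajor -ge $MinChromeMajor

    # One row per host; DbscReady is true only when both prerequisites hold.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        TpmPresent    = $tpm.TpmPresent
        TpmReady      = $tpm.TpmReady
        TpmSpec       = $tpmSpec
        ChromeVersion = $chromeVersion
        DbscReady     = $tpmOk -and $chromeOk
    }
}

# Single host:
Test-DbscReadiness

# Fleet: run the same function over WinRM against a hostname list (hosts.txt is a placeholder).
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-DbscReadiness} |
#     Sort-Object DbscReady | Format-Table -AutoSize
```

Hosts reporting `DbscReady = False` with `TpmPresent = True` but `TpmReady = False` usually need the TPM initialized or enabled in firmware before Chrome can bind sessions to it.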
| Layer | What It Stops | Tool |
|---|---|---|
| Application allowlisting | Malware from executing at all | Privileged Access Management (PAM), WDAC |
| EDR | Malware that bypasses allowlisting | SentinelOne, CrowdStrike, Defender |
| Phishing-resistant MFA | Credential theft via phishing | FIDO2, passkeys |
| DBSC (Chrome 146+) | Stolen cookies used on other devices | Chrome + TPM 2.0 |
| Conditional Access | Authentication from untrusted devices/locations | Entra ID, Okta |
No single control stops everything. Together, they make your Houston business dramatically harder to compromise.
Need help deploying Chrome 146 and verifying DBSC across your fleet? Call 713-571-2390.