Google Chrome Introduces Device‑Bound Session Credentials to Thwart Cookie Theft
What Happened – Chrome 146 ships Device‑Bound Session Credentials (DBSC), a hardware‑backed mechanism that ties authentication sessions to a specific device’s TPM (Windows) or Secure Enclave (macOS). Because the private key never leaves the device, servers can keep cookies short-lived and renew them only for the device that holds the key, so an exfiltrated cookie cannot be reused once it expires.
Why It Matters for TPRM –
- Reduces the risk of credential‑theft attacks that target third‑party SaaS applications accessed via Chrome.
- Limits the exposure window for compromised cookies, protecting downstream data flows in supply‑chain relationships.
- Demonstrates a vendor‑driven mitigation that can be required in third‑party security contracts.
Who Is Affected – Enterprises that rely on Chrome for web‑based SaaS, ERP, CRM, and other cloud services; vendors delivering web applications to Chrome users.
Recommended Actions –
- Verify that critical SaaS providers support DBSC or equivalent hardware‑bound session controls.
- Update internal browser baselines to Chrome 146+ for Windows (and later macOS releases).
- Adjust third‑party risk questionnaires to include questions on session‑credential protection mechanisms.
Technical Notes – DBSC uses TPM‑generated asymmetric keys: the browser must prove possession of the private key before the server issues a new cookie. Cookies are short‑lived and cannot be refreshed without the device‑bound key, so a stolen cookie is useless once it expires. No device identifiers are transmitted, preserving privacy.
Source: Help Net Security