Google Rolls Out Device Bound Session Credentials in Chrome 146 for Windows to Prevent Session Theft

Google has made Device Bound Session Credentials (DBSC) generally available for all Windows users of Chrome 146 to mitigate session theft. The feature was previously tested in an open beta and is now enabled by default, with macOS support planned for a future Chrome release. DBSC ties authentication sessions to a user's device, preventing attackers from hijacking active sessions even if credentials are stolen. No specific CVE IDs, attack vectors, or quantified impacts were disclosed in the announcement. The rollout is currently limited to Windows platforms running Chrome 146.