Chrome DBSC: What the Biggest Browser Security Change in Years Means for Your Business

Norvet MSP Team April 2026 7 min read

Google shipped Chrome 146 with a feature called Device Bound Session Credentials — DBSC for short. Security researchers have been waiting years for something like this. For most business owners, the announcement came and went without a second thought. That is a mistake. DBSC quietly changes how browser sessions work, and understanding it could be the difference between your accounts staying secure and a hacker walking right through your front door.

What Session Theft Actually Is

Every time you log into a website, your browser stores a small file called a session cookie. That cookie is essentially a hall pass. It says, "this device already proved it knows the password — let it in." Websites use that cookie to keep you logged in across page loads, tabs, and hours of work.

The problem is that a stolen cookie works on any machine. A hacker does not need your password. They do not need to break your MFA. They just need to lift the cookie from your browser — through malware, a compromised browser extension, or a man-in-the-middle attack on an unprotected Wi-Fi connection — and paste it into their own browser. The website sees a valid session and waves them through.

This is session hijacking, and it is not a niche attack. It is how the Okta breach of 2022 happened. It is how dozens of GitHub repositories get compromised every month. It is how hackers bypass MFA on Microsoft 365, Google Workspace, and every other platform your business runs on.

How DBSC Fixes This

Device Bound Session Credentials solve the problem by tying your session to a cryptographic key that never leaves your specific device. Here is the plain-English version of how it works.

When you log in to a DBSC-supported site, Chrome generates a unique key pair on your device. The private key lives in your device's Trusted Platform Module chip — a dedicated security processor that physically cannot export the key. The website receives the public key and from that point forward, the session is bound to your hardware. Your login cookie is now useless on any other machine. A hacker who steals it gets nothing.

DBSC does not require a new browser. It does not require new passwords. It does not add friction for your employees. It simply makes stolen cookies worthless.
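The binding described above, as an added example (a simplified model written for this article, not Chrome's or any website's actual code): the server stores the public key at login, issues a short-lived cookie, and renews it only when the device signs a fresh challenge. All function names and the 10-minute lifetime are assumptions, and a software key stands in for the TPM-held private key.

```javascript
// Added illustration: simplified model of a device-bound session.
const crypto = require("crypto");

const COOKIE_TTL_MS = 10 * 60 * 1000;   // assumed short cookie lifetime
const sessions = new Map();              // sessionId -> { publicKey, cookie, expires, challenge }

// Device side: key pair created at login (software stand-in for the TPM key).
function newDeviceKey() {
  return crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
}

function issueCookie(s, now) {
  s.cookie = crypto.randomBytes(16).toString("hex");
  s.expires = now + COOKIE_TTL_MS;
  return s.cookie;
}

// Server side: bind a new session to the public key the browser registered.
function registerSession(publicKey, now) {
  const id = crypto.randomBytes(8).toString("hex");
  const s = { publicKey, challenge: null };
  sessions.set(id, s);
  return { id, cookie: issueCookie(s, now) };
}

// Server side: a request is accepted only while the short-lived cookie is current.
function cookieValid(id, cookie, now) {
  const s = sessions.get(id);
  return !!s && s.cookie === cookie && now < s.expires;
}

// Server side: one-time challenge that must be signed to renew the cookie.
function startRefresh(id) {
  const s = sessions.get(id);
  s.challenge = crypto.randomBytes(32);
  return s.challenge;
}

// Device side: only the holder of the private key can produce this signature.
function signChallenge(privateKey, challenge) {
  return crypto.sign("sha256", challenge, privateKey);
}

// Server side: verify against the registered key, then rotate the cookie.
function finishRefresh(id, signature, now) {
  const s = sessions.get(id);
  if (!s || !s.challenge) return null;
  const challenge = s.challenge;
  s.challenge = null;                    // single use: a replayed signature fails
  if (!crypto.verify("sha256", challenge, s.publicKey, signature)) return null;
  return issueCookie(s, now);
}
```

In this model a copied cookie stops working when it expires, and a machine without the registered private key cannot obtain a new one.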

Why This Matters More for Businesses Than Consumers

Individual consumers face session theft. Businesses face it at scale with far higher stakes. Consider the environments that make businesses especially vulnerable.

Shared computers are common in retail, healthcare, warehouses, and front-desk operations. When multiple employees use the same machine, the attack surface multiplies. A single piece of malware on one shared workstation can harvest active session cookies for every employee who logged in during the shift.

BYOD policies — where employees use personal laptops and phones for work — are now the norm in small and mid-size businesses. Personal devices run older browsers, outdated operating systems, and consumer-grade security software. They are significantly easier to compromise.

Remote work means employees are logging in from home networks, coffee shops, and hotel Wi-Fi. Without a VPN and endpoint protection in place, every one of those sessions is a potential target.

The Bigger Picture: Browser Security Is Now Endpoint Security

Five years ago, endpoint security meant antivirus software and maybe a firewall. Today, your browser is your business. Email, accounting, HR, customer data, cloud storage — it all runs through the browser. Whoever controls the browser session controls the business account.

That is why browser security has to be treated with the same seriousness as your firewall rules and your EDR deployment. A business can have SentinelOne running on every device and still get wiped out because Chrome was running an outdated version with a known session vulnerability that nobody patched.

DBSC is a major step forward. But it only protects you if Chrome is actually updated. And it only protects the sessions of sites that have implemented DBSC on their end — adoption will grow, but it is not universal today.

Five Things to Do Right Now

  • Update Chrome immediately on every company device. Chrome 146 or higher is required to benefit from DBSC. Run this check today, not at the next scheduled maintenance window.
  • Enable automatic updates for Chrome across your organization. Manual update processes create gaps. Every day a device runs an older version is a day that vulnerability exists.
  • Audit your browser extension inventory. Malicious extensions are one of the primary methods for stealing session cookies. Remove anything not business-critical, and lock down extension installation permissions.
  • Consider Chrome Enterprise management. Google's free enterprise management tools let you enforce update policies, control extensions, disable risky browser features, and push security configurations to every device from a central console.
  • Do not wait for websites to implement DBSC. DBSC protects you when both Chrome and the website support it. In the meantime, your other session security layers — MFA, endpoint protection, VPN for remote work — still have to be solid.

What This Means for Your MSP Relationship

A managed service provider that treats browser management as an afterthought is leaving a major attack surface undefended. Browser policy management, enforced updates, extension auditing, and Chrome Enterprise deployment are now core parts of responsible endpoint management — not optional add-ons.

At Norvet MSP, we manage browser security policies as part of every endpoint management engagement. That means Chrome Enterprise enrollment, forced update policies, extension whitelisting, and regular audits of browser configurations across your fleet. We do not wait for your browser to become the breach point.

Google Chrome DBSC is the most significant improvement to browser session security in years. Make sure your business is positioned to take full advantage of it. If you are not sure whether your current MSP is managing your browser policies, that is a gap worth closing today.

Norvet manages your endpoints — including browser security policies. Contact us to learn how we lock down your entire attack surface, from the firewall to the browser tab.

Source Attribution

Article content used with permission from The Technology Press and adapted for Norvet MSP publishing.
