Google has the security community humming with its recent announcement of Device Bound Security Credentials (DBSC) for Chrome. This new security feature is in Beta now with a planned roll-out later in 2024.
In this blog, we’ll cover:
What is Google Chrome DBSC?
The idea behind DBSC is simple. It aims to tie certain authentication and access tokens (like session cookies) to the device they were issued to. Using the Trusted Platform Modules (TPMs) that are built into many desktops and laptops, security teams will be able to lock an authenticated session to a website user’s device. (TPMs are security devices inside your computer. They make it harder for criminals to steal secrets your computer uses to secure your communications.) In short, it will make it more difficult for cybercriminals to leverage stolen session cookies to carry out session hijacking attacks.
How Google DBSC aims to prevent cookie theft
There’s no question – Google’s DBSC is a good idea. Here at SpyCloud, we have the world’s largest database of proof showing just how bad the session hijacking problem is today. In 2023 alone, we recaptured 20+ billion stolen cookie records from the criminal underground, with the average malware infection log touting 2,000+ cookies per device. We are big fans of anyone and anything that shares our mission of disrupting cybercrime. This step forward by Google is a welcome newcomer to this fight.
That being said, much like token binding, it’s not a perfect solution, and we expect the road to reaping the potential benefits to take a while.
Chrome DBSC requirements and implementation
DBSC will take some time to roll out. Google’s data shows that DBSC will work on about 60% of Windows computers when it launches and will require both browser and application implementation upgrades. Users wanting to implement DBSC will need to have Windows or Linux operating systems and the Google Chrome browser. It is unclear when DBSC will be supported on Mac devices and mobile devices.
History teaches us that technology innovations like Google Chrome DBSC don’t happen overnight and often take many years to become widespread. Informed by the past timelines of things like complex passwords, 2FA, MFA, FIDO, and passkeys, we are hopeful that initial adoption will occur in 2025. Broad implementation with mass coverage of consumer devices may happen by 2030. If competing standards appear or website owners are slow to implement necessary software changes, the adoption timeline could stretch further into the future.
What you can already be doing to prevent stolen cookies from being used against you by cybercriminals
As we mentioned, DBSC testing and implementation is going to be a process. Until then and as things change, make sure you have proper session hijacking prevention measures in place today.
Keep in mind that Google DBSC won’t get rid of cookies; it will just make them harder to compromise. We can expect bad actors to adapt to this, as they have with existing sidestepping techniques for other new authentication technology.
In its release announcement, Google says, “DBSC will help keep users more secure against cookie theft.” This is great progress, but there aren’t any silver bullets in security. Criminals with infostealers on victim devices will still be able to use cookies to further their ill intent. Chrome DBSC makes things better by narrowing time windows, but it won’t solve the problem of session hijacking.