Google says Chrome's Device Bound Session Credentials feature is now rolling out broadly for personal Google accounts and Google Workspace users to stop attackers from reusing stolen login cookies. The protection cryptographically binds session cookies to a specific device using hardware-backed keys such as TPM on Windows and Secure Enclave on macOS, making stolen cookies far harder to use for account takeover even after multi-factor authentication. Google says it will be enabled by default for Workspace customers and cannot be turned off by admins.
Why it matters: Session-cookie theft is a common way for infostealer malware and phishing campaigns to bypass login protections, so this affects anyone using Google accounts. Users should still remove malware and harden browsers, but this rollout adds an important default defense against account hijacking.
Sergiu Gatlan
2026.05.29