Google is working on removing support for third-party cookies in Google Chrome. Cookies themselves remain in use, for instance to save preferences or to hold a signed-in session.
In an effort to make cookies more resilient to attacks, especially stealing, Google started to integrate Device Bound Session Credentials into Chromium.
The main idea is to bind a session cookie to the specific device it was issued on, so that an attacker who steals the cookie cannot use it anywhere else.
Cookie theft matters because a stolen session cookie lets malware operators access an online account without authenticating: the password and any second factor were already checked when the session was created, and the cookie is the proof of that.
Google explains how the feature works:
By binding authentication sessions to the device, DBSC aims to disrupt the cookie theft industry since exfiltrating these cookies will no longer have any value. We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices.
Note: the feature is still at the prototype stage in Chrome. Google said in April 2024 that it is currently experimenting with it to protect Google accounts in Chrome Beta.
How to enable Device Bound Session Credentials in Chrome
Google Chrome users can already enable the feature in their browser. It is experimental at this stage, which means it is off by default and needs to be switched on separately.
Device Bound Session Credentials
Enables Google session credentials binding to cryptographic keys that are practically impossible to extract from the user device. This will mostly prevent the usage of bound credentials outside of the user device. – Mac, Windows, Linux
Here is how that is done:
- Load chrome://flags/#enable-bound-session-credentials in the browser’s address bar.
- Change the status of the flag to enabled.
- Restart Google Chrome.
The feature is active from that point on. You can revert the change at any time by setting the flag back to Default. Note that, as the flag description says, it covers Google session credentials, so it protects Google account sessions; sessions on other sites are unaffected until those sites adopt the mechanism.