Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers.

Available in beta since April, DBSC was first announced in 2024 as a way to cryptographically bind session cookies to a specific device, preventing hackers from using such stolen cookies to bypass multi-factor authentication (MFA) and hijack users’ accounts.

DBSC works by cryptographically linking user sessions to the hardware, such as their computer’s security chip (e.g., the Trusted Platform Module (TPM) on Windows and the Secure Enclave on macOS).