Google is bringing new user protection capabilities to Chrome, in the form of Device Bound Session Credentials (DBSC), new technology that binds browser authentication sessions to the device to fight cookie theft.
Developed in the open by the Web Incubator Community Group (WICG) and expected to become an open standard, DBSC relies on authentication with a private key to keep users’ sessions secure.
Small pieces of code created by visited websites and stored on devices, cookies improve users’ browsing experience, but operate as bearer-token schemes and can be abused to compromise web accounts.
Authentication cookies are created after the login and, if stolen, allow threat actors to bypass two-factor authentication and gain immediate access to the victims’ accounts.
Cookies are typically harvested using information-stealing malware that the web browsers cannot protect their users against, and, once stolen, can be used even if the malware is detected and removed.
With DBSC, the session between the server and the browser is associated with a pair of public and private keys that are stored safely on the device. Throughout the session’s lifetime, the server periodically checks for the private key, to ensure it is still on the same device.
“We think this will substantially reduce the success rate of cookie theft malware. Attackers would be forced to act locally on the device, which makes on-device detection and cleanup more effective, both for anti-virus software as well as for enterprise managed devices,” Google says.
DBSC provides websites with an API to control the lifetime of such keys and the protocol to check for proof of possession. Each session has its own private key and the website should not be able to determine whether two keys are from the same device.
“At sign-in, the API informs the browser that a session starts, which triggers the key creation. It then instructs the browser that any time a request is made while that session is active, the browser should ensure the presence of certain cookies. If these cookies are not present, DBSC will hold network requests while querying the configured endpoint for updated cookies,” DBSC’s maintainers explain.
According to Google, which is bringing DBSC for half of Chrome’s desktop users, no meaningful information about the device is leaked: “the only information sent to the server is the per-session public key which the server uses to certify proof of key possession later.”
DBSC will be available in Chrome based on the computer’s hardware capabilities – although Google may also consider support for software keys for all users – and its implementation will be aligned with the phase-out of third-party cookies.
The internet giant is also taking steps to ensure that DBSC does not become a new tracking vector when third-party cookies are eliminated, and that these cookies remain protected in the meantime. When a user opts out of cookies, DBSC will also be disabled.
Google is currently trying out a DBSC prototype on Google Accounts in Chrome Beta. When fully deployed, it will provide both consumers and enterprise users with improved account security under the hood. Origin trials for websites should become available by the end of 2024.
“We are also working to enable this technology for our Google Workspace and Google Cloud customers to provide another layer of account security,” the internet giant explains.
Related: Chrome’s Standard Safe Browsing Now Has Real-Time URL Protection
Related: Google Announces Enhanced Fraud Protection for Android
Related: Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities
