Cookies, crucial for online convenience, are also vulnerable to theft, enabling attackers to access accounts. Cookie theft malware uses social engineering to infiltrate devices, exfiltrating authentication cookies that bypass two-factor authentication and anti-virus detection.
To address this issue, Device Bound Session Credentials (DBSC) is being developed as a new web capability that binds authentication sessions to the device, rendering stolen cookies worthless. By forcing attackers to act locally, DBSC enhances on-device detection and cleanup.
DBSC employs public/private key pairs stored securely on the device to establish sessions, verifying proof of possession throughout the session's lifetime.
To maintain session freshness and support existing cookie-based solutions, DBSC uses a dedicated endpoint for out-of-band cookie refresh.
DBSC prioritizes user privacy: keys from different sessions on the same device cannot be correlated, and users can delete their keys at any time.
The only information sent to the server is the per-session public key, against which proof of possession of the private key is verified.
DBSC is designed to be consistent with the phase-out of third-party cookies and is disabled in third-party cookie scenarios.
Google is piloting DBSC for some Google Account users, providing enhanced security.
DBSC has garnered interest from server providers, identity providers, and browsers that seek to protect users from cookie theft.
The development process is open and collaborative, with updates and timelines available on GitHub.
blog.chromium.org
