The most efficient attack against MFA isn't breaking MFA. It's stealing the session cookie and skipping authentication entirely. No password. No second factor. Full access. This vector has dominated the infostealer ecosystem for years. Now, that vector has an expiration date. At least in Chrome.
The problem: session cookies bypass MFA
Infostealers processed 51.7 million credential packages in 2025, a 72% year-over-year increase (Constella). Of those credentials, 98.6% contained active passwords. The attack pattern is simple and scalable: malware steals the session cookie from the browser → attacker reuses the active session → full account access without authentication.
MFA protects the login. It doesn't protect the session after login. The session cookie is proof that the user already authenticated. Whoever has the cookie has the session. In enterprise environments, a single O365 or Google Workspace cookie can grant lateral access to the entire infrastructure. The defense chain has a link nobody was protecting.
Before DBSC, the response was reactive: heuristics to detect stolen cookies, session behavior analysis, manual revocation. It works partially. The attacker always has a window of opportunity between theft and detection.
How DBSC works: cryptographic binding to hardware
Device Bound Session Credentials (DBSC) reached general availability. Google announced on May 28, 2026: enabled by default on Chrome for Windows.
The mechanism is straightforward: during authentication, Chrome generates a cryptographic key pair inside the device's security chip. On Windows, the TPM. On macOS, the Secure Enclave (Chrome 148). The private key never leaves the hardware. It cannot be exported, copied, or exfiltrated by malware.
Session cookies become short-lived. When they expire, Chrome must prove possession of the private key before renewal. This proof happens inside the security chip — the renewal cookie is only issued if the cryptographic proof is valid. Without the hardware-bound key, the stolen cookie expires and cannot be renewed. The attacker is left with a dead cookie.
Google reported a significant reduction in session theft since the initial deployment. The shift is structural: from reactive to proactive. Before, detecting stolen cookies with heuristics. Now, stolen cookies are useless without the key that lives in the hardware.
Why DBSC is the most significant browser security improvement in years
The impact isn't incremental. DBSC invalidates the most used vector for bypassing MFA at scale. Infostealers evolved to specialize in session cookies precisely because this bypass is cheap, scalable, and works against any service that uses session cookies — which is practically all of them.
DBSC changes the economics of the attack. Before: infostealer steals cookie → attacker accesses account. After DBSC: infostealer steals cookie → cookie expires → attacker cannot access. The cost of the attack doesn't change, but the ROI drops to zero for this specific vector.
No other browser improvement in recent years has had this practical impact. SameSite cookies mitigated CSRF. HTTPOnly mitigated XSS-based cookie theft. But neither solved the problem of cookie theft via malware — which is exactly the vector infostealers exploit. DBSC attacks the problem at its root: the stolen cookie doesn't work outside the device.
What DBSC doesn't solve
DBSC is essential. It's not sufficient. The limitations are real and must be confronted.
Limited coverage. Chrome on Windows today. macOS support arriving in Chrome 148. Mobile and other browsers don't support it. Firefox and Safari haven't announced support. The protection covers a significant portion of enterprise traffic, but not everything.
Infostealers steal more than cookies. Saved passwords, PII, SSH keys, VPN configurations, cloud tokens. DBSC protects the session. Everything else still gets exfiltrated. An infostealer that can't steal cookies still steals credentials usable for credential stuffing, VPN access, and lateral movement.
Credentials already in circulation. The 51.7 million packages from 2025 are already in the underground. DBSC prevents new session theft. It doesn't remediate what already leaked. Compromised credentials from before DBSC remain valid until rotated.
Devices without TPM. Without a security chip, Chrome falls back to default behavior. Old hardware and personal devices without TPM remain unprotected. In BYOD environments, this is a real gap.
Malware active during login. If the infostealer is running at the moment of authentication, it can intercept the cookie before binding is completed. This is a more complex attack — requiring timing and persistence — but it's possible. DBSC protects against cookie theft at rest, not against real-time interception.
Conclusion
DBSC is the most significant browser security improvement in years. It kills the most used vector to bypass MFA. But it's one layer, not a complete solution. Infostealers continue stealing everything that isn't a session cookie. And 51.7 million packages are already out there.
At Tech86, we implement defense in depth against infostealers — from endpoint hardening to monitoring credentials circulating in the underground. DBSC is an essential layer of that defense. It's not the only one you need.