Google Chrome is experimenting with Device Bound Session Credentials, session keys that could potentially replace current authentication cookies. Current cookies are susceptible to theft by criminals, which DBSC must remedy.
DBSC is an authentication method that works with private keys and an API for websites. When a user logs in to a website, a private key is created and stored on the user’s system. The website periodically and automatically checks whether the key matches the system and the account.
The difference between DBSC and current authentication cookies is that the DBSC keys are linked to a user’s system. So stealing a DBSC key shouldn’t be enough. In addition, the DBSC key uses a PC’s TPM 2.0 chip, making it more difficult for malware to steal the keys. TPM 2.0 is required for Windows 11 PCs, but previous Windows versions did not. Google says on GitHub that about sixty percent of Windows PCs have a TPM 2.0 chip. The company is considering software alternatives for users without a TPM 2.0 chip.
Google emphasizes that the DBSC keys are unique per session, and that sites and advertisers cannot use the DBSCs to recognize and track individual systems. DBSC cannot therefore be used for advertising purposes. Users can remove the DBSC keys in the Chrome settings.
The company has been working on DBSC for some time and says it is currently experimenting with a prototype with Chrome Beta users. Google is talking about an ‘early initiative’ to test the reliability, feasibility and latency of the protocol. At the moment, DBSC only works with the Google Account, but later Workspace and Cloud should also be included. Other companies and parties, including Microsoft with Edge and identity services such as Okta, have shown interest in DBSC, according to Google. External websites could conduct the first tests by the end of 2024.
Current authentication or session cookies are vulnerable because criminals can steal them relatively easily. Because the cookies are created after the user logs in, criminals can bypass 2fa and other account protections. Because DBSC is linked to a user’s system and uses the TPM 2.0 chip, this authentication method would not be susceptible to the vulnerabilities in current cookies.
Tags: Google Chrome experiments alternative authentication cookies Computer News
