Session cookies have long served as the quiet keys to online accounts. Steal one and an attacker can slip past passwords, bypass multifactor prompts, and operate as the legitimate user. The numbers tell a grim story. Constella’s 2026 Identity Breach Report documented 51.7 million infostealer packages processed in 2025 alone, a 72 percent jump from the prior year. Nearly all contained active credentials and precise URLs where they worked. Google now counters part of that threat with Device Bound Session Credentials. Rolled out to Windows users in Chrome 146 this April and expanding to Workspace accounts as of late May, the technology binds authentication sessions to the hardware of the original device. Google Security Blog authors Benjamin Ackerman, Daniel Rubery, and Guillaume Ehinger described the approach in clear terms: stolen cookies become useless without the private key locked inside the machine. The mechanism starts simply enough. During login Chrome generates a cryptographic key pair.…