I can’t wait for this new Chrome security feature to take off


As good as passkeys and two-factor authentication are, they can’t fully prevent someone from breaking into (and possibly stealing) an account. But a new feature in Chrome should make that possibility much harder—provided website operators start making use of it. Called “Device Bound Session Credentials,” this update recently became fully available in the general release version of Chrome.

It helps solve a problem called session hijacking, one that bad actors have long exploited across the web. While passkeys, strong passwords, and 2FA provide much-needed defense against login attacks (e.g., phishing and credential stuffing), they only apply to the authentication process. Once you’ve logged in and the session is active, those forms of security have completed their job. They won’t protect against a hacker copying the cookies that keep you logged in and then using them to slide into your account (and possibly take it over).

Think of the basic default as similar to being issued an all-access pass for a venue. You tell them who you are on the VIP list and then show your photo ID. The management assumes that you’ll never share the pass, so it doesn’t have your picture on it. Meanwhile, someone sneaky comes by, takes a perfect photo of it while you’re holding the pass, and then flashes a printout at the bouncer while you’re already inside the building. They get the same access you do, and you’re none the wiser until they update the photo ID on file and you’re suddenly booted out.

[Image: If a website ties your account cookies to a specific device, it safeguards your account far better against hackers. Credit: Mattias Inghe]

One way of thwarting such hijacking attacks is to bind a session to the device—that is, the cookie(s) generated for the active session only work on the PC or phone they were issued for. A hacker can steal the cookies all they like, but the website won’t allow them into your account because the device info won’t match between the cookie and the hijacker’s machine.
But until now, this practice has not been widespread on consumer websites. Right now, Google’s launch of Device Bound Session Credentials in Chrome works immediately for personal Google accounts and Google Workspace subscribers, but it also offers a standardized method of implementation. Given Chrome’s popularity, its integration of Device Bound Session Credentials will likely spur developers to adopt and implement this method of issuing session tokens.

Users can obviously reduce the risk of falling victim to session hijacking by sticking to good online habits, like installing well-known, trusted software and extensions. They can also check link addresses before clicking and again before entering login info. But these days, caution isn’t always enough. Session hijacking can actually happen in different ways, like malware on your PC installed as an app or a browser extension; malicious scripts on websites; and phishing sites. The options grow even wider when a less secure website is involved. Attackers can use methods like spying on unencrypted traffic on public networks or figuring out the system for how session tokens are issued.

Heck, you can install a popular, vetted, and trusted app or browser extension and still become a victim of an attack—legitimate software can later transform into malware, due to the developer getting hacked or selling out to a bad actor. So even following best practices is no guarantee of safety. And everyday users have no control over the backend of websites. Strategies like device bound session cookies are the kind of extra safeguard needed for an increasingly chaotic online world. Let’s hope developers make this standard quickly.
