Google is rolling out Device-Bound Session Credentials (DBSC) to limit session hijacking by binding a session to the device that created it. Instead of relying on a stealable bearer cookie alone, Chrome generates a per-session public/private keypair and stores the private key in secure hardware (on Windows, the TPM where available).
Servers can periodically challenge the client to prove it still holds that device-locked key, making exfiltrated cookies useless on other machines.
DBSC is in beta for Google Workspace users on Chrome for Windows and currently tracked as a W3C proposal. If other browsers adopt it, DBSC could meaningfully reduce modern “infostealer” attacks that bypass 2FA by exporting session tokens.
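The challenge-and-proof idea described above, as an added example that is not part of the original item and is not Chrome's or Google's code. It is a simplified server-side model in Node.js, not the DBSC wire protocol: the function names, the in-memory session table and the software key standing in for the hardware-held key are assumptions made for illustration.

```javascript
// Simplified model of device-bound sessions (illustrative; not the DBSC wire format).
const nodeCrypto = require('node:crypto');

// Hypothetical server-side table: cookie value -> bound public key + outstanding challenge.
const sessions = new Map();

// Registration: the client submits the public key of a keypair created for this session.
function registerSession(publicKeyPem) {
  const cookie = nodeCrypto.randomBytes(16).toString('hex');
  sessions.set(cookie, { publicKeyPem, challenge: null });
  return cookie;
}

// The server issues a fresh random challenge for an existing session.
function issueChallenge(cookie) {
  const s = sessions.get(cookie);
  if (!s) return null;
  s.challenge = nodeCrypto.randomBytes(32).toString('base64');
  return s.challenge;
}

// The session stays valid only if the challenge was signed by the bound private key.
function verifyProof(cookie, signature) {
  const s = sessions.get(cookie);
  if (!s || !s.challenge) return false;
  const challenge = s.challenge;
  s.challenge = null; // single use, so a captured proof cannot be replayed
  return nodeCrypto.verify('sha256', Buffer.from(challenge), s.publicKeyPem, signature);
}

// Stand-in for the browser. Assumption: a software P-256 key replaces the
// hardware-protected key (e.g. TPM) so the example runs anywhere.
function makeClient() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => nodeCrypto.sign('sha256', Buffer.from(challenge), privateKey),
  };
}

// Returns [original device accepted?, copied cookie on another machine accepted?].
function demo() {
  const device = makeClient();
  const cookie = registerSession(device.publicKeyPem);
  const onDevice = verifyProof(cookie, device.sign(issueChallenge(cookie)));
  const other = makeClient(); // holds the cookie value but not the device's private key
  const offDevice = verifyProof(cookie, other.sign(issueChallenge(cookie)));
  return [onDevice, offDevice];
}
```

The cookie value alone never satisfies `verifyProof`; only a signature from the key registered at session start does, which is why an exported cookie stops working at the next challenge.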
Source: Feisty Duck Newsletter 128: Google Debuts Device-Bound Session Credentials Against Session Hijacking