Device Bound Session Credentials (DBSC) is a session-hardening protocol that ties a web login session to the specific device that created it. Instead of treating a session cookie or token as a portable bearer secret, DBSC makes the browser prove possession of a device-held key whenever the session is used or refreshed. On supported systems, that key can be protected by hardware such as a Trusted Platform Module (TPM), which helps keep it from being copied off the device.
DBSC matters because many account takeovers begin with stolen session cookies, tokens, or browser state, harvested by infostealers, malicious extensions, or endpoint malware. If the stolen session cannot be replayed on another device, the attacker's options for reusing it shrink. DBSC is a defense against session theft and replay, but it is not complete protection: it depends on server support, on device trust, and on whether the endpoint was already compromised when the binding took place. For defenders, it is a practical way to reduce the value of stolen sessions.
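A toy model of the possession check described above, added here as an illustration (it is not DBSC's real wire format or any browser's code): the server keeps only the device's public key beside the session, a refresh requires a signature over a fresh challenge, and it also shows why a replayed proof and a stolen cookie on another device both fail. The tiny RSA primes and the Device/Server classes are constructed for the example.

```python
import hashlib, os, secrets

E = 65537
# Constructed toy RSA primes (well known, tiny, insecure): one pair per device, illustration only
DEVICE_PRIMES = (1_000_000_007, 998_244_353)
THIEF_PRIMES = (1_000_000_009, 2_147_483_647)

def toy_keypair(p, q):                       # returns (public, private)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

class Device:
    """Browser side: the private key never leaves the device (a TPM in a real deployment)."""
    def __init__(self, primes):
        self.pub, self._priv = toy_keypair(*primes)
    def prove(self, sid, nonce):             # proof covers session id + challenge nonce
        n, d = self._priv
        return pow(_digest(sid.encode() + nonce, n), d, n)

class Server:
    """Relying party: stores only the device public key next to the session."""
    def __init__(self):
        self.sessions, self.challenges = {}, {}
    def register(self, device_pub):          # at login, bind the new session to the device key
        sid = secrets.token_hex(16)
        self.sessions[sid] = device_pub
        return sid
    def challenge(self, sid):                # fresh nonce per refresh, so old proofs cannot be replayed
        self.challenges[sid] = os.urandom(16)
        return self.challenges[sid]
    def refresh(self, sid, proof):           # the cookie alone is not enough; the proof must verify
        nonce, pub = self.challenges.pop(sid, None), self.sessions.get(sid)
        return nonce is not None and pub is not None and verify(pub, sid.encode() + nonce, proof)

def demo():
    server, device = Server(), Device(DEVICE_PRIMES)
    sid = server.register(device.pub)
    proof = device.prove(sid, server.challenge(sid))
    legitimate = server.refresh(sid, proof)        # True: right key, fresh challenge
    replayed = server.refresh(sid, proof)          # False: nonce already consumed
    thief = Device(THIEF_PRIMES)                   # holds the stolen cookie (sid) but not the device key
    stolen = server.refresh(sid, thief.prove(sid, server.challenge(sid)))  # False
    return {"legitimate": legitimate, "replay": replayed, "stolen_cookie": stolen}
```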