Chrome Blocks Session Cookie Hijacking using TPM
A Chrome update should make it harder for hackers to bypass two-factor authentication by stealing a user's session cookies. It only works on machines with a hardware security feature that will be familiar to anyone who has struggled with a Windows 11 upgrade.
Two-factor authentication is the idea that a user needs two different kinds of proof of identity to log in to a device or account. Commonly this is a password (something they know) plus either a code or approval from a specific device such as a smartphone (something they have) or biometric identification such as a fingerprint or face scan (something they are). It limits the damage that can be done if somebody compromises the password alone.
The problem is that once somebody has logged in to a website and passed two-factor authentication, the site usually sets a session cookie that marks that browser as authenticated. Every later request carries the cookie, so the user gets back into the site without logging in again until the session expires after a defined period of time.
The Risk of Cookie Hijacking
In some cases a hacker can get hold of those session cookies, for example through information-stealing malware that copies the browser's cookie store from a compromised computer. Replaying the cookies from another machine tricks the website into treating the attacker as the already logged-in victim, with no password or second factor asked for. It's not so much a case of making people more likely to be compromised in the first place but rather increasing how much damage can be done, and how quickly, once they are.
Google is now adding a feature called Chrome Device Bound Session Credentials (DBSC). Instead of relying on a cookie that can be copied, the browser generates a key pair inside the computer's security hardware, and the private key cannot be exported from that chip. The website binds the login session to that key and, whenever its short-lived cookie needs renewing, challenges the browser to prove it still holds the key by signing a fresh value. A cookie copied off the machine therefore stops working as soon as it expires, because the thief cannot complete that proof. (Source: bleepingcomputer.com)
Hardware-Locked Security
The feature is rolling out through Chrome's automatic updates. It is initially going to business users through Workplace Chrome but should eventually reach personal accounts as well. (Source: lifehacker.com)
It only works if the computer has a hardware security chip such as the Secure Enclave on Macs or a Trusted Platform Module (TPM) on a PC. You may remember the latter coming to attention as a mandatory feature for upgrading to Windows 11. That requirement left many people running older PCs, which had the processing power and memory to cope with Windows 11, deciding whether to stick with Windows 10 (with the risk of eventually losing security support) or find a potentially unstable workaround to bypass the TPM check.
What's Your Opinion?
Do you think hardware-based security is worth the cost of potentially making older PCs obsolete? Have you ever been concerned about hackers hijacking your active web sessions? Would you upgrade your hardware specifically to gain access to better browser security features?

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in technical support and cyber crimes with over 30 years experience; I also run this website.