As good as passkeys and two-factor authentication are, they can’t fully prevent someone from breaking into (and possibly stealing) an account. But a fresh capability in Chrome should make that possibility much harder—provided website operators start making use of it.
Called “Device Bound Session Credentials,” this feature recently became fully available in the general release version of Chrome. It helps solve a problem called session hijacking, one that bad actors have long exploited across the web. While passkeys, strong passwords, and 2FA provide much-needed defense against login attacks (e.g., phishing and credential stuffing), they only apply to the authentication process. Once you’ve logged in and the session is active, those forms of security have completed their job. They won’t protect against a hacker copying the cookies that keep you logged in and then using them to slide into your account (and possibly take it over).
Think of the basic default as similar to being issued an all-access pass for a venue. You tell them who you are on the VIP list and then show your photo ID. The management assumes that you’ll never share the pass, so it doesn’t have your picture on it. Meanwhile, someone sneaky comes by, takes a perfect photo of it while you’re holding the pass, and then flashes a printout at the bouncer while you’re already inside the building. They get the same access you do, and you’re none the wiser until they swap out the photo ID on file and you’re suddenly booted out.
One way of thwarting such hijacking attacks is to bind a session to the device—that is, the cookie(s) generated for the active session only work on the PC or phone they were issued for. A hacker can steal the cookies all they like, but the website won’t allow them into your account because the device info won’t match between the cookie and the hijacker’s machine. But until now, this practice has not been widespread on consumer websites. Right now, Google’s rollout of Device Bound Session Credentials in Chrome works immediately for personal Google accounts and Google Workspace subscribers, but it also offers a standardized method of implementation.
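The device-binding idea described above, as an added example that is not code from the article, from Chrome, or from Google: at login the server records the device’s public key next to the session cookie, and a later request is accepted only when the cookie comes with a signature from the matching private key over a fresh server nonce. The actual Device Bound Session Credentials wire protocol (its headers, hardware key storage and refresh flow) is not on this page and is not modelled; the Ed25519 key pair, the nonce and the cookie format are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Device models the user's PC or phone. Its private key stands in for the hardware-held
// key of a device-bound session: it never leaves the device, so copying the cookie does
// not copy it (assumption: a plain variable here, not a TPM-protected key).
type Device struct{ priv ed25519.PrivateKey }

// Session is the server's record: the cookie value plus the public key it is bound to.
type Session struct{ Cookie string; PubKey ed25519.PublicKey }

// NewDevice generates the per-device key pair.
func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // OS CSPRNG failure; nothing sensible to do
	}
	return &Device{priv: priv}
}

// Register runs at login: the server issues a random cookie and records the device's public key.
func Register(d *Device) Session {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	return Session{Cookie: hex.EncodeToString(raw), PubKey: d.priv.Public().(ed25519.PublicKey)}
}

// challenge ties the cookie to a server-chosen nonce so an old proof cannot be replayed.
func challenge(cookie, nonce string) []byte { return []byte(cookie + "\x00" + nonce) }

// Prove is the client side of a session check: sign the server's challenge with the device key.
func (d *Device) Prove(cookie, nonce string) []byte { return ed25519.Sign(d.priv, challenge(cookie, nonce)) }

// Verify is the server side: the cookie alone is not enough, the proof must be a valid
// signature from the key the cookie was bound to, over the nonce issued for this request.
func Verify(s Session, cookie, nonce string, proof []byte) error {
	if cookie != s.Cookie || !ed25519.Verify(s.PubKey, challenge(cookie, nonce), proof) {
		return errors.New("cookie not accompanied by a valid proof from its bound device key")
	}
	return nil
}
```

A copied cookie presented from another device, or a captured proof replayed under a new nonce, fails `Verify`; only the device holding the registered private key passes.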
Given Chrome’s popularity, its integration of Device Bound Session Credentials will likely spur developers to adopt and implement this method of issuing session tokens. Users can obviously reduce the risk of falling victim to session hijacking by sticking to good online habits, like installing well-known, trusted programs and extensions. They can also check link addresses before clicking and again before entering login info. But these days, caution isn’t always enough.
Session hijacking can actually happen in different ways, like malware on your PC installed as an app or a browser extension; malicious scripts on websites; and phishing sites. The options grow even wider when a less secure website is involved. Attackers can use methods like spying on unencrypted traffic on public networks or figuring out the system for how session tokens are issued.
Heck, you can install a widely used, vetted, and trusted app or browser extension and still become a victim of an attack—legitimate programs can later transform into malware, due to the developer getting hacked or selling out to a bad actor.
And everyday users have no control over the backend of websites. So even following best practices is no guarantee of safety. Strategies like device bound session cookies are the kind of extra safeguard needed for an increasingly chaotic online landscape. Let’s hope developers make this standard quickly.
A 15-year veteran of technology and video games journalism, Alaina Yee covers a variety of topics for PCWorld. Since joining the team in 2016, she’s written about CPUs, Windows, PC building, Chrome, Raspberry Pi, and much more—while also serving as PCWorld’s resident bargain hunter (#slickdeals). Currently her focus is on security, helping people understand how best to protect themselves online. Her work has previously appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine.