Introduction
The Device Bound Session Credentials for SSO feature is an enhancement to the novel DBSC protocol which prevents cross-origin device binding bypasses.
It introduces new browser capabilities to generate keys for a given Relying Party that are cryptographically proven to be stored on the same device as the Identity Provider's keys.
This way, the Identity Provider can bless a trusted key to the Relying Party, making cross-origin device binding bypasses impractical.
Feedback
I welcome feedback in this thread, but encourage you to file bugs against Device Bound Session Credentials for SSO.