What is device fingerprinting, and how does it work?

Hackers have any number of methods they draw upon to take over user accounts and access sensitive information. Whether they’re stuffing credentials, using brute force attacks, phishing, or sending spam, they’re almost always making use of bots at some point in their process. The sophistication and potential scale of their techniques evolve every day. 

While certain authentication flows like phone and email verification help drastically reduce the chance that someone is impersonating a user, there are still ways around these techniques. One of the best ways companies can protect against fraud is by reinforcing secure auth methods with equally strong fraud protection tools. One of the most effective and user-friendly of those tools is device fingerprinting. 

What is device fingerprinting?

Device fingerprinting is a way to identify devices that are accessing a website or application. A device’s identity can be composed of a number of attributes that an application detects when the user accesses the site or app that are then associated with a unique ID. Unlike cookies, which are stored client-side, device attributes and IDs are stored in a server-side database, which the website or app can then use to check against future behavior from their users. 

How does device fingerprinting work?

When a user accesses a website or app, certain kinds of information about a user’s device have to be available in order for the website to load and display properly. Those attributes include a device’s IP address, browser brand and version, HTTP request headers, the user_agent string, operating system (OS), browser or OS language, installed browser fonts, time zone, and many others.  Once a site or app has collected those attributes, it turns them into a device hash that can then be parsed by their fraud manager. 

How does device fingerprinting help prevent fraud?

By allowing websites to affiliate device data with their users, companies can monitor for irregularities or suspicious activity, and intervene sooner if they detect a risk of fraud or account takeover. For example, if a user who usually logs in from IP addresses exclusively in one time zone and one browser language suddenly logs in from a brand new IP with a different default browser language, companies can take additional steps to verify the user and/or protect their account. This action can mean something as unobtrusive as requesting additional authentication methods, or more robust responses like revoking access tokens or invalidating session cookies. 

Device fingerprinting also helps prevent what’s known as “first-party fraud,” in which bots create net new accounts in order to abuse a website using spam, purchasing scarce assets (think of Nike shoe drops or Taylor Swift’s recent Ticketmaster fiasco), etc. By giving companies a better sense of which traffic is a genuine user and which is fraudulent / bot-created, they’re better able to protect their users from bot-driven experiences like automated ticket scalping and spammy advertisements / emails. 

It’s important to note that the hashes used to “fingerprint” devices are only as unique as the information they collect. Obviously, there’s more than one person in the world on a MacBook Pro using Firefox! So the more data sources and more unique data points a device fingerprint is based on, the better it works as a unique identifier. This is why Stytch uses device, network, and browser data points to make sure our device fingerprints are as unique as possible.

This is also why the power of device fingerprinting to prevent fraud is not just about what information is collected, but how that information matches or doesn’t match contextually with a given user, and the different notification and classification systems a given app sets up to monitor device behavior patterns within their platform. 

How does device fingerprinting affect user privacy?

While Stytch is laser-focused on device fingerprinting for fraud prevention, companies may also use device fingerprinting for other purposes like cybersecurity or marketing (to better target online advertisements or personalize consumer experiences). 

Privacy regulations vary widely by geography, but more stringent legislation like Europe’s General Data Protection Regulation (GDPR) consider techniques like device fingerprinting that process personal data for the sake of preventing fraud as a legitimate interest. GDPR is much more strict with techniques like device fingerprinting when it comes to marketing or ecommerce use cases.  

Whatever your app or site’s use case or geography, you must gain consent from users whenever collecting their information, including when using device fingerprinting. We find the best way to do this is to:

• Explain to users exactly what an app is collecting and why
• Explain how that information is being used, and how it will not be used
• Explain all the additional steps and investments your company is making to actively protect your server-side databases and user information
  

The end goal with disclosures like these isn’t about checking a box: it’s about engendering trust. The whole reason we recommend fraud prevention tools like device fingerprinting is to make it easier for our customers to earn and keep their users’ trust with their information. A transparent, clear disclosure about precisely how you go about that is as important as the tool itself. 

How do I implement device fingerprinting? What should I look out for?

As mentioned above, there are many different attributes an app or site could collect about a user, and different ways to configure the categories of risk and action a given website or app might take in case of suspicious behavior. 

Generally there are three main things to look out for when configuring device fingerprinting for your site or app:

1. Insufficient data 
2. Easily alterable data
3. Reverse engineering 

Let’s take the following basic example: 

In this code snippet, we use the user’s userAgent, screen resolution, and time zone to create a unique device hash that can be used to identify and track the user’s device. While these attributes may suffice for some basic device fingerprinting applications, they’re fairly easy to alter or obfuscate. Hackers can easily change their userAgent to a virtual machine (VM), or use a VPN or private browsing mode to elide giving an IP address, time zone, etc. Relatively simple factors like these are also fairly easy for hackers to “spoof” or imitate, by analyzing the fingerprint of other devices and then contriving or faking those data points on their machines.

There are a few things developers can do to improve these potential vulnerabilities:

1. Collect a wider variety of stable data points: One of the surest ways to make your device hashes more unique and harder to hack is simply by collecting a larger variety of data points – in particular, you should focus on stable data points that don’t change when a user changes WiFi networks or upgrades their browser. Unlike IP addresses or time zones, hardware data like the make and model of a device are more challenging for hackers to alter or hide from detection. You can also detect more detailed information about a device’s browser, like the installed plugins and fonts.
2. Prevent access for VPNs or private browsing modes: If certain kinds of user data are important to your device fingerprinting solution, you can also deny access to users logging in through a VPN or incognito browsers. Note though that this can introduce friction for users who prefer navigating online this way, so make sure you know your user base before doing anything that will make it harder for people to use your product.
3. Use machine learning to better understand user patterns: Machine learning algorithms can leverage the scale of traffic to your app or website to better understand user and device behavior, identifying patterns and suspicious devices based on a combination of factors or correlations. This kind of computing can augment your device fingerprinting and keep it agile and responsive as hacking methods and behaviors change. Especially as device fingerprinting becomes more prevalent, fraudsters will invent new ways to spoof or fake their device fingerprint. Machine learning and data science can be a powerful tool to detect how fraudulent behaviors are evolving, so that device fingerprinting can keep pace.
4. Incorporate more contemporary cryptographic techniques to protect device fingerprints: It’s a lot more challenging for fraudsters to reverse engineer legitimate device fingerprints if those fingerprints are more securely stored. Cryptographic techniques help reinforce device fingerprints’ integrity by making them much harder to access, and to fake.

Device Fingerprinting with Stytch

As a comprehensive auth platform, Stytch’s Device Fingerprinting goes the extra mile for customizability and security: we collect device data from multiple sources and use advanced techniques to create a unique, cryptographically-secured fingerprint for each user’s device. This allows us to provide a higher level of security than other solutions, while still offering the same flexibility and developer-first experience that comes with any of our products.

If you’re interested in learning more, we’d love to chat – drop us a note here.