Take me back

What is device fingerprinting, and how does it work?

Latest

Auth & identity

December 16, 2022

Author: Stytch Team

Hackers have any number of methods they draw upon to take over user accounts and access sensitive information. Whether they’re stuffing credentials, using brute force attacks, phishing, or sending spam, they’re almost always making use of bots at some point in their process. The sophistication and potential scale of their techniques evolve every day. 

While certain authentication flows help drastically reduce the chance that someone is impersonating a user – think passwordless methods like TOTPs or passkeys, along with multi-factor authentication flows – there are still ways around these techniques. One of the best ways companies can protect against fraud is by reinforcing secure auth methods with equally strong fraud protection tools. One of the most effective and user-friendly of those tools is device fingerprinting. 

In this article, we’ll cover:

What is device fingerprinting?

Device fingerprinting is a way of identifying and tracking devices that are accessing a website or application. A device’s identity can be composed of a number of attributes that an application detects when the user accesses the site or app that are then associated with a unique ID.

Unlike cookies, which are stored client-side, device IDs are stored in a server-side database. This database of device fingerprints can then be used to verify whether or not a user is accessing the app from the same device or not. If they use multiple devices or a new device and fraud is suspected, the application can block them or give additional authentication prompts to verify their identity.

How does device fingerprinting work?

When a user accesses a website or app, certain kinds of information about a user’s device have to be available in order for the website to load and display properly.  Once a site or app has collected those attributes, it turns them into a device hash that can then be parsed by their fraud manager. 

With this hash safely stored, the next time someone logs on claiming to be that user, the app can compare the device fingerprints to see if the user is logging on from the same device, or a new one. If it’s a new one, depending on how suspicious it is, the application can either block the user or ask for further verification.

What kind of device data does device fingerprinting collect?

Attributes included in a device fingerprint include the IP address, browser brand and version, HTTP request headers, the user_agent string, operating system (OS), browser or operating system language, installed browser fonts, time zone, screen resolution, and many others.

What are different kinds of device fingerprinting?

While products like Stytch collect several different types of information in a single device fingerprint, you may hear or read a few different terms on the web that all refer to a kind of device fingerprinting.

To avoid confusion, we’ve broken down a few different ways you might hear a device fingerprint described:

Browser fingerprinting

Browser fingerprinting refers specifically to information gathered about a users’ web browser. It’s worth noting though that though the information comprising a browser fingerprint is gathered via the browser, much of the information that can be gathered via the browser can still be about the user’s device and their web browser configurations.

Desktop device fingerprinting

Whereas “browser fingerprinting” generally refers to information that is gathered via a browser, “desktop device fingerprinting” simply refers to a device fingerprint comprised of information about a user’s desktop device (typically gathered because of information exposed to the application or service while the person is accessing it from that desktop device).

Mobile device fingerprinting

Similar to desktop device fingerprinting, “mobile device fingerprinting” refers to a device fingerprint comprised of information about someone’s mobile device while they are accessing an application or service from that mobile device.

How does device fingerprinting help prevent fraud?

By allowing websites to affiliate device data with their users, device fingerprinting helps companies monitor for irregularities or suspicious activity, and intervene sooner if they detect a risk of fraud or account takeover.

For example, if a user who usually logs in from IP addresses exclusively in one time zone and one browser language suddenly logs in from a brand new IP with a different default browser language, companies can take additional steps to verify the user and/or protect their account. This action can mean something as unobtrusive as requesting additional authentication methods, or more robust responses like revoking access tokens or invalidating session cookies. 

Device fingerprinting also helps prevent what’s known as “first-party fraud,” in which bots create net new accounts in order to abuse a website using spam, purchasing scarce assets (think of Nike shoe drops or Taylor Swift’s recent Ticketmaster fiasco), etc. By giving companies a better sense of which traffic is a genuine user and which is fraudulent / bot-created, they’re better able to protect their users from bot-driven experiences like automated ticket scalping and spammy advertisements / emails. 

It’s important to note that a “device fingerprint” is only as unique as the information they collect. Obviously, there’s more than one person in the world on a MacBook Pro using Firefox! So the more data sources and more unique data points a device fingerprint is based on, the more unique that device fingerprint is. This is why Stytch uses device, network, and browser data points to make sure our device fingerprints are as unique as possible.

This is also why the power of device fingerprinting to prevent fraud is not just about what information is collected, but how that information matches or doesn’t match contextually with a given user, and the different notification and classification systems a given app sets up to monitor device behavior patterns within their platform. 

How does device fingerprinting affect user privacy?

While Stytch is laser-focused on device fingerprinting for fraud prevention, companies may also use device fingerprinting for other purposes like marketing (to better target online advertisements or personalize consumer experiences). 

Privacy regulations vary widely by geography, but more stringent legislation like Europe’s General Data Protection Regulation (GDPR) consider techniques like device fingerprinting that process personal data for the sake of preventing fraud as a legitimate interest. GDPR is much more strict with techniques like device fingerprinting when it comes to marketing or ecommerce use cases. 

Whatever your app or site’s use case or geography, you must gain consent from users whenever collecting their information, including when using device fingerprinting. We find the best way to do this is to:

  • Explain to users exactly what an app is collecting and why
  • Explain how that information is being used, and how it will not be used
  • Explain all the additional steps and investments your company is making to actively protect your server-side databases and user information

The end goal with disclosures like these isn’t about checking a box: it’s about engendering trust. The whole reason we recommend fraud prevention tools like device fingerprinting is to make it easier for our customers to earn and keep their users’ trust with their information. A transparent, clear disclosure about precisely how you go about that is as important as the tool itself. 

What should I look out for when implementing device fingerprinting?

As mentioned above, there are many different attributes an app or site could collect about a user, and different ways to configure the categories of risk and action a given website or app might take in case of suspicious behavior. 

Generally there are three main things to look out for when configuring device fingerprinting for your site or app:

Insufficient data 

As we mentioned earlier, the more data a device fingerprint tracker collects, the more unique that device ID will be. So while it may seem easiest when implementing device fingerprinting to just track a few core attributes, insufficient data will render your device fingerprints easier to imitate and thus ineffective.

Easily alterable or reverse-engineered data

In addition to the amount of data you collect, you want to consider how easy it might be for a hacker to alter the data you do collect. For instance, it can be very easy to alter an IP address with a VPN, or change a browser or OS language. But other kinds of data are harder to alter: touch hardware, video and audio capabilities, and other kinds of device data cannot be changed so easily.

An example of a vulnerable device fingerprint

To see how this might work in practice, let’s take a look at the following example:

In this code snippet, we use the user’s device information, including their userAgent, screen resolution, and time zone to create a unique device hash that can be used to identify and track the user’s device.

While these attributes may suffice for some basic device fingerprinting applications, they’re fairly easy to alter or obfuscate. Hackers can easily change their userAgent to a virtual machine (VM), or use a VPN or private browsing mode to elide giving an IP address, time zone, etc. Relatively simple factors like these are also fairly easy for hackers to “spoof” or imitate, by analyzing the fingerprint of other devices and then contriving or faking those data points on their machines.

Device fingerprinting best practices

So if we want to avoid falling prey to hackers, what are some best practices for implementing device fingerprinting we can keep in mind?

There are a few things developers can do to improve on these potential vulnerabilities:

Collect a wider variety of stable data points

One of the surest ways to make your device hashes more unique and harder to hack is simply by collecting a larger variety of data points – in particular, you should focus on stable data points that don’t change when a user changes WiFi networks or upgrades their browser. Unlike IP addresses or time zones, hardware data like the make and model of a device are more challenging for hackers to alter or hide from detection. You can also detect more detailed information about a device’s browser, like the installed plugins and fonts.

Prevent access for VPNs or private browsing modes

If certain kinds of user data are important to your device fingerprinting solution, you can also deny access to users logging in through a VPN or incognito browsers. Note though that this can introduce friction for users who prefer navigating online this way, so make sure you know your user base before doing anything that will make it harder for people to use your product.

Use machine learning to better understand user patterns

Machine learning algorithms can leverage the scale of traffic to your app or website to better understand user and device behavior, identifying patterns and suspicious devices based on a combination of factors or correlations.

This kind of computing can augment your device fingerprinting and keep it agile and responsive as hacking methods and behaviors change. Especially as device fingerprinting becomes more prevalent, fraudsters will invent new ways to spoof or fake their device fingerprint. Machine learning and data science can be a powerful tool to detect how fraudulent behaviors are evolving, so that device fingerprinting can keep pace.

Incorporate more contemporary cryptographic techniques to protect device fingerprints

It’s a lot more challenging for fraudsters to reverse engineer legitimate device fingerprints if those fingerprints are more securely stored. Cryptographic techniques help reinforce device fingerprints’ integrity by making them much harder to access, and to fake.

Device Fingerprinting with Stytch

As a comprehensive auth platform, Stytch’s Device Fingerprinting goes the extra mile for customizability and security: we collect device data from multiple sources and use advanced techniques to create a unique, cryptographically-secured fingerprint for each user’s device. This allows us to provide a higher level of security than other solutions, while still offering the same flexibility and developer-first experience that comes with any of our products.

If any of this sounds like it might be useful for your company, you get started for free, check out our docs, or book a demo today

A depiction of a mobile screen with a thumbprint and a desktop screen with the terms system fonts, HTTP header attributes, browser extensions, local databases, CPU class listed.

What is browser fingerprinting?

View more

Introducing Strong CAPTCHA, Stytch’s answer to CAPTCHA fraud

View more

SHARE

Get started with Stytch

Start building for free