Auth & identity
December 16, 2022
Author: Stytch Team
Hackers have any number of methods they draw upon to take over user accounts and access sensitive information. Whether they’re stuffing credentials, using brute force attacks, phishing, or sending spam, they’re almost always making use of bots at some point in their process. The sophistication and potential scale of their techniques evolve every day.
While certain authentication flows like phone and email verification help drastically reduce the chance that someone is impersonating a user, there are still ways around these techniques. One of the best ways companies can protect against fraud is by reinforcing secure auth methods with equally strong fraud protection tools. One of the most effective and user-friendly of those tools is device fingerprinting.
Device fingerprinting is a way to identify devices that are accessing a website or application. A device’s identity is composed of a number of attributes that an application detects when the user accesses the site or app; those attributes are then associated with a unique ID. Unlike cookies, which are stored client-side, device attributes and IDs are stored in a server-side database, which the website or app can then use to check against future behavior from its users.
When a user accesses a website or app, certain kinds of information about the user’s device have to be available in order for the website to load and display properly. Those attributes include the device’s IP address, browser brand and version, HTTP request headers, the User-Agent string, operating system (OS), browser or OS language, installed browser fonts, time zone, and many others. Once a site or app has collected those attributes, it turns them into a device hash that can then be parsed by its fraud manager.
By allowing websites to affiliate device data with their users, companies can monitor for irregularities or suspicious activity, and intervene sooner if they detect a risk of fraud or account takeover. For example, if a user who usually logs in from IP addresses exclusively in one time zone and one browser language suddenly logs in from a brand new IP with a different default browser language, companies can take additional steps to verify the user and/or protect their account. This action can mean something as unobtrusive as requesting additional authentication methods, or more robust responses like revoking access tokens or invalidating session cookies.
Device fingerprinting also helps prevent what’s known as “first-party fraud,” in which bots create net new accounts in order to abuse a website using spam, purchasing scarce assets (think of Nike shoe drops or Taylor Swift’s recent Ticketmaster fiasco), etc. By giving companies a better sense of which traffic is a genuine user and which is fraudulent / bot-created, they’re better able to protect their users from bot-driven experiences like automated ticket scalping and spammy advertisements / emails.
It’s important to note that the hashes used to “fingerprint” devices are only as unique as the information they collect. Obviously, there’s more than one person in the world on a MacBook Pro using Firefox! So the more data sources and more unique data points a device fingerprint is based on, the better it works as a unique identifier. This is why Stytch uses device, network, and browser data points to make sure our device fingerprints are as unique as possible.
This is also why the power of device fingerprinting to prevent fraud is not just about what information is collected, but how that information matches or doesn’t match contextually with a given user, and the different notification and classification systems a given app sets up to monitor device behavior patterns within their platform.
While Stytch is laser-focused on device fingerprinting for fraud prevention, companies may also use device fingerprinting for other purposes like cybersecurity or marketing (to better target online advertisements or personalize consumer experiences).
Privacy regulations vary widely by geography, but even stringent legislation like Europe’s General Data Protection Regulation (GDPR) treats processing personal data with techniques like device fingerprinting for the sake of preventing fraud as a legitimate interest. GDPR is much more strict with techniques like device fingerprinting when it comes to marketing or ecommerce use cases.
Whatever your app or site’s use case or geography, you must gain consent from users whenever collecting their information, including when using device fingerprinting. We find the best way to do this is to:
The end goal with disclosures like these isn’t about checking a box: it’s about engendering trust. The whole reason we recommend fraud prevention tools like device fingerprinting is to make it easier for our customers to earn and keep their users’ trust with their information. A transparent, clear disclosure about precisely how you go about that is as important as the tool itself.
As mentioned above, there are many different attributes an app or site could collect about a user, and different ways to configure the categories of risk and action a given website or app might take in case of suspicious behavior.
Generally there are three main things to look out for when configuring device fingerprinting for your site or app:
Let’s take the following basic example:
In this code snippet, we use the user’s userAgent, screen resolution, and time zone to create a unique device hash that can be used to identify and track the user’s device. While these attributes may suffice for some basic device fingerprinting applications, they’re fairly easy to alter or obfuscate. Hackers can easily change their userAgent, run inside a virtual machine (VM), or use a VPN or private browsing mode to avoid exposing a consistent IP address, time zone, etc. Relatively simple factors like these are also fairly easy for hackers to “spoof” or imitate, by analyzing the fingerprint of other devices and then contriving or faking those data points on their machines.
There are a few things developers can do to improve these potential vulnerabilities:
As a comprehensive auth platform, Stytch’s Device Fingerprinting goes the extra mile for customizability and security: we collect device data from multiple sources and use advanced techniques to create a unique, cryptographically-secured fingerprint for each user’s device. This allows us to provide a higher level of security than other solutions, while still offering the same flexibility and developer-first experience that comes with any of our products.
If you’re interested in learning more, we’d love to chat – drop us a note here.