Overview
In this guide, we’ll walk through how to use Stytch’s Device Fingerprinting (DFP) to identify and stop a credential stuffing attack. Credential stuffing is a cyberattack where attackers take usernames and passwords leaked from other platforms and use them on your application to perform account takeovers. This attack works because some users reuse the same credentials across multiple services. While the success rate for any individual account is very low, credential stuffing can result in many compromised accounts because of the sheer volume of automated attempts. Stytch Device Fingerprinting is designed to block these attacks and provides the telemetry needed to distinguish legitimate users from bad actors. This guide uses the terminology of the Stytch fraud prevention framework. Follow the link to learn more about the framework.
Signal gathering
You should collect and look up a fingerprint at the Login or Password Authentication step. See Use the Device Fingerprinting API to add DFP to your login flow. If you’re using one of Stytch’s frontend or mobile SDKs, you can automatically collect and submit fingerprints by turning on Protected Auth. It wraps your login calls and handles the telemetry gathering for you.
Warnings and Indicators
Monitor your DFP fingerprint submits through the Stytch Dashboard and your own internal logging, or through Stytch’s Event Log Streaming. If you are experiencing a credential stuffing attack, you may notice one or more of the following factors:
- Sudden increase in password authentication volume and velocity: While a large spike in traffic may be malicious, you should also consider legitimate reasons for increased volume, such as a recent product launch or a marketing event.
- Sudden increase in errors: An elevation in 404 email_not_found and/or 401 unauthorized_credentials errors indicates attempts against emails that do not exist in Stytch. This is a strong indicator of automated credential stuffing. Generally, a high diversity of attempted emails distinguishes an attack from simple user error.
- Unusual shift in DFP verdicts: DFP detects automation tools, including browser automation and programmatic access. By default, any request which is detected as automation receives a BLOCK verdict. See Reference guides for a full list of all verdict reasons or use the Get Verdict Reasons endpoint.
Decisioning
- Identify confirmed attackers: Once you’ve identified the bad actor by their IP address or a fingerprint, you can create a DFP Rule in your Stytch Dashboard to stop the attack. Before finalizing the rule, verify that it will not inadvertently block legitimate users. You can reference the uniqueness of each identifier in this guide.
- Identify suspected compromised accounts: If a login is successful, but originates from a Fingerprint or IP that was previously associated with a high volume of 404 email_not_found or 401 unauthorized_credentials errors, that account may be compromised. We recommend flagging these accounts for immediate password resets and session invalidation.
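The two detection steps above, the error-volume/email-diversity indicator and the "successful login from a previously noisy actor" check, as an added example that is not part of Stytch’s documentation or SDK. The event records and their field names (fingerprint, ip, email, status, error) are constructed for this example and are not Stytch’s Event Log Streaming schema; map your own log fields accordingly. Thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Error codes the guide associates with credential stuffing (404 / 401 responses).
ERROR_CODES = {"email_not_found", "unauthorized_credentials"}

# Constructed sample data: one IP per fingerprint, and a small chronological event log.
IPS = {"fp_alice": "198.51.100.7", "fp_bot": "203.0.113.50", "fp_bob": "198.51.100.9"}

def ev(fp, email, error=None):
    """Build a constructed login event; status mirrors the error code's HTTP status."""
    status = 200 if error is None else (404 if error == "email_not_found" else 401)
    return {"fingerprint": fp, "ip": IPS[fp], "email": email, "status": status, "error": error}

EVENTS = [
    ev("fp_alice", "alice@example.com", "unauthorized_credentials"),   # user mistypes twice
    ev("fp_alice", "alice@example.com", "unauthorized_credentials"),
    ev("fp_alice", "alice@example.com"),                               # then logs in
    *[ev("fp_bot", f"user{i}@example.com", "email_not_found") for i in range(4)],
    ev("fp_bot", "carol@example.com", "unauthorized_credentials"),
    ev("fp_bot", "dave@example.com", "unauthorized_credentials"),
    ev("fp_bot", "victim@example.com"),                                # success after 6 failures
    ev("fp_bob", "bob@example.com"),
]

def profile_actors(events, key="fingerprint"):
    """Per actor (fingerprint or ip): count of stuffing-type errors and distinct emails tried."""
    failures, emails = defaultdict(int), defaultdict(set)
    for e in events:
        if e["error"] in ERROR_CODES:
            failures[e[key]] += 1
            emails[e[key]].add(e["email"])
    return {a: {"failures": failures[a], "distinct_emails": len(emails[a])} for a in failures}

def suspected_attackers(events, key="fingerprint", min_failures=5, min_distinct_emails=5):
    """Actors whose error volume AND email diversity look automated, not a single user's typo."""
    return {a for a, p in profile_actors(events, key).items()
            if p["failures"] >= min_failures and p["distinct_emails"] >= min_distinct_emails}

def suspected_compromised_accounts(events, key="fingerprint", min_failures=5, min_distinct_emails=5):
    """Single chronological pass: a successful login counts only if the actor had already
    crossed both thresholds before it. Returned emails are reset/invalidation candidates."""
    failures, emails, flagged = defaultdict(int), defaultdict(set), set()
    for e in events:
        actor = e[key]
        if e["error"] in ERROR_CODES:
            failures[actor] += 1
            emails[actor].add(e["email"])
        elif e["status"] == 200 and failures[actor] >= min_failures \
                and len(emails[actor]) >= min_distinct_emails:
            flagged.add(e["email"])
    return sorted(flagged)
```

Running the same functions with key="ip" groups by IP instead of fingerprint, which is useful when a bot rotates fingerprints but not addresses.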
How Stytch helps mitigate credential stuffing across our platform
Stytch’s DFP is designed to automate your defense against credential stuffing. Rather than requiring manual intervention, Stytch uses a proprietary fingerprinting method to protect your users from malicious actors.
- DFP Verdict Actions: By default, DFP identifies bot signatures, headless browsers, and programmatic access. Most credential stuffing attempts will receive an immediate BLOCK verdict, allowing you to stop the attack at the API level.
- Intelligent Rate Limiting: Stytch automatically limits traffic based on device risk. If an IP or Fingerprint begins “spraying” credentials, our system blocks that specific actor.
- Breach Detection: If you are using Stytch’s password product for authentication, there is built-in breach detection. Stytch integrates with HaveIBeenPwned to detect known passwords that have been leaked in data breaches. By default, Stytch verifies the user’s password on both password creation and subsequent authentications.
- Enable MFA: This is the single strongest control against credential stuffing.
- Add new device notifications: Use Stytch’s user device history to send notifications about new devices and help identify potentially unauthorized access to user accounts.
- Configure User locks: The lock duration and number of allowed failed attempts are configurable at the project level via the Dashboard in the Password and User Policies page.
- Implement Passwordless Authentication: Moving to Email Magic Links or Passkeys removes the “password” variable entirely, eliminating the attack vector.
What’s next?
Learn how to get started with Device Fingerprinting in just a few minutes.