Device Fingerprinting

Device fingerprinting (DFP) technology aggregates various attributes of a user’s device into a single identifier. These attributes are required to be available in order for the website to load and display property. Some common attributes include:

  • Browser type

  • Screen size

  • Operating system

  • Timezone

By combining them into an identifier, there’s enough entropy to ensure that the identifier is unique to each device.

Device Fingerprinting provides a repeatable, unique identifier that is used to detect and block fraudulent actors — but many DFP solutions on the market are easily reverse engineered by attackers, rendering your site vulnerable. Stytch’s defense-in-depth approach to DFP allows us to obfuscate the fingerprinting process in a way that makes it tamper-resistant to this reverse engineering and spoofing, protecting you against even the most sophisticated attackers.

Stytch’s Device Fingerprinting

Stytch’s Device Fingerprinting product identifies a user’s device by aggregating a mix of industry standard and proprietary signals into a set of stable identifiers while leveraging multiple security measures to prevent reverse engineering. Stytch’s device fingerprints remain stable across incognito browsing, webviews, VPNs, changes to user agent or IP addresses, and more.

Some of our features include:

  • Signals that are 99.9% unique to the device.

  • Clear Action Recommendations (ALLOW, BLOCK, CHALLENGE).
  • Multiple fingerprint types for different use cases.

  • Encryption at rest and in transit to prevent bad actors from reverse engineering the product.

The core of Stytch’s Device Fingerprint product is a Javascript library. The Javascript library calls a Web Assembly binary to gather and send the signals to the Stytch backend for processing. The Stytch backend will process the fingerprint and return a telemetry ID that can be used to look up the Stytch Fingerprint with a clear set of recommendations.

Multiple identifiers

A Stytch fingerprint consists of the following identifiers:

  • Visitor ID

    Definition: The cookie stored on the user’s device that uniquely identifies them. Use cases: Having a stable identifier for a user.

  • Browser ID

    Definition: Combination of VisitorID and NetworkFingerprint to create a clear identifier of a browser. Use Cases: Detecting stolen sessions since the browser ID should only be associated with a single browser fingerprint.

  • Visitor Fingerprint

    Definition: Cookie-less way of identifying a unique user. Use Cases: Enforcing Paywalls since the visitor fingerprint will be consistent across incognito mode.

  • Browser Fingerprint

    Definition: Combination of signals to identify a browser and its specific version. Use Cases: Banning a specific user’s browser version across all profiles on multiple user accounts on a given machine.

  • Hardware Fingerprint

    Definition: Combinations of signals to identify an operating system and architecture. Use Cases: Detecting Proxy or location spoofing since the Hardware fingerprint will be stable across different locations.

  • Network Fingerprint

    Definition: Combination of signals associated with a specific network commonly known as TLS fingerprinting. Use Cases: Blocking programmatic access like Golang, Curl, or Node.

Recommendations and actions

Stytch's Device Fingerprinting provides a set of customizable tools for your business to accurately identify users by device and take an ensuing action based on that information.

In addition to granular identifiers, each fingerprint has associated metadata:

  • Action: The suggested action based on the fingerprint review. The available actions are:
    • ALLOW - This is a known valid device grouping or device profile that is part of the default ALLOW listed set of known devices by Stytch. This grouping is made up of verified device profiles that match the characteristics of known/authentic traffic origins
    • BLOCK - This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action in question
    • CHALLENGE - This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action to proceed
  • Detected Device Type: The operating system and architecture that took the fingerprint.
  • Is an Authentic Device: The assessment of whether this is an authentic device. It will be false if hardware or browser deception is detected
  • Reasons: A set of contextual clues to inform why a CHALLENGE or BLOCK action was suggested. For a list of possible Reasons, please contact support.

Together, these fingerprints and associated metadata provide a set of customizable tools for your business to accurately identify users by device and take an ensuing action based on that information.

Here's an example JSON response from our Device Fingerprinting API:

	"created_at": "2023-01-01T00:00:00Z",
	"expires_at": "2033-01-01T00:00:00Z",
	"fingerprints": {
		"browser_fingerprint": "browser-fingerprint-0b535ab5-ecff-4bc9-b845-48bf90098945",
		"browser_id": "browser-id-99cffb93-6378-48a5-aa90-d680232a7979",
		"hardware_fingerprint": "hardware-fingerprint-4af7a05d-cf77-4ff7-834f-0622452bb092",
		"network_fingerprint": "network-fingerprint-b5060259-40e6-3f29-8215-45ae2da3caa1",
		"visitor_fingerprint": "visitor-fingerprint-6ecf5792-1157-41ad-9ad6-052d31160cee",
		"visitor_id": "visitor-6139cbcc-4dda-4b1f-b1c0-13c08ec64d72"
	"status_code": 200,
	"telemetry_id": "026ac93b-8cdf-4fcb-bfa6-36a31cfecac1",
	"verdict": {
		"action": "ALLOW",
		"detected_device_type": "...",
		"is_authentic_device": true,
		"reasons": [...]

Use cases and industry needs

Stytch’s Device Fingerprinting product can be applied in a variety of use cases including:

  • Stopping Bot activity

    Stytch’s Device Fingerprint product will detect Bot activity and return a BLOCK verdict that developers can use before doing any sensitive activities.

  • Enforcing Paywalls

    The Visitor fingerprint can be used to detect unique users and track the number of articles that users have seen.

  • Personalizations for returning and anonymous users

    A visitor ID can be used to personalize a user’s experience before and after they log in.

  • Preventing Account Take Over

    Stytch’s Device Fingerprint product will detect if a bad actor is credential stuffing an endpoint with a programming language.

What's next

Learn how to bootstrap DFP in just a few minutes.

If you are interested in enabling our DFP product for your project, please reach out to Stytch.

Contact sales