Fingerprints
A fingerprint is a hashed identifier generated by collecting and combining different low-level signals of the device accessing your application.
Stytch Device Fingerprinting returns multiple fingerprints and identifiers based on information gathered about the hardware, browser and network being used, in order to give you a comprehensive picture of the traffic on your application.
Usage
You can set Rules based on specific fingerprints to customize the behavior for specific devices. Fingerprints can also be tied to other user data to associate known hardware sets, browsers, and other attributes with your user base. For example, you can use device fingerprints as part of a remembered device flow.
When determining which fingerprint to use for a given use case, consider a fingerprint's uniqueness and stability.
Fingerprints
Stytch Device Fingerprinting returns two kinds of identifiers: IDs and Fingerprints.
IDs are based on a cookie, and they are guaranteed to be unique. However, they are easily changed by bad actors who clear their cookies or use private browsing (incognito mode).
Fingerprints are deterministically generated hashes of various low-level signals. They do not depend on stateful storage or IP address, so they remain stable even in incognito mode or when a VPN is used. Fingerprints are usually stable for months or longer, including through routine browser updates. Rarely, a browser update changes low-level signals permanently, which results in new fingerprints.
Below is a table outlining the distinct qualities of each identifier. For more details on different fingerprint characteristics and usage with our /rules endpoint, see our Setting Rules with DFP Guide.
Fingerprint | Definition | Use Cases | Uniqueness |
---|---|---|---|
Visitor ID | The cookie stored on the user's device that uniquely identifies them. | Having a unique identifier for a user. | Guaranteed unique |
Browser ID | Combination of Visitor ID and Hardware Fingerprint to create a clear identifier of a browser. | Detecting stolen sessions since the browser ID should only be associated with a single hardware fingerprint. | Guaranteed unique |
Visitor Fingerprint | A highly unique, cookie-less way of identifying specific traffic based on a diverse set of signals. | Enforcing paywalls since the visitor fingerprint will be consistent across incognito mode, or banning specific kinds of traffic in a cookie-less way. | 99.9% unique |
Browser Fingerprint | Combination of signals to identify a browser on a specific kind of device. | Banning a specific user's browser across all profiles on multiple user accounts on a given machine. | Low |
Hardware Fingerprint | Combination of signals to identify an operating system and architecture. | Detecting proxy or location spoofing since the hardware fingerprint will be stable across different locations. | Low |
Network Fingerprint | Combination of signals associated with a specific network stack. Also known as TLS fingerprinting. | Blocking programmatic access like Golang, Curl, or Node. | Low |
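
The two checks below apply the table's Browser ID and Visitor Fingerprint use cases to a stream of observations. This is an added example, not Stytch code: the record layout, key names and values are constructed for illustration and are not a documented response schema.

```python
from collections import defaultdict

# Constructed observations, one per authenticated request. Key names follow the
# identifier names in the table and are assumptions, not a documented schema.
OBSERVATIONS = [
    {"session": "s1", "visitor_id": "vid-111", "browser_id": "bid-aaa",
     "visitor_fingerprint": "vfp-x", "hardware_fingerprint": "hw-1"},
    {"session": "s2", "visitor_id": "vid-111", "browser_id": "bid-aaa",
     "visitor_fingerprint": "vfp-x", "hardware_fingerprint": "hw-1"},
    # Same cookie-derived Browser ID, now presented from different hardware.
    {"session": "s3", "visitor_id": "vid-111", "browser_id": "bid-aaa",
     "visitor_fingerprint": "vfp-y", "hardware_fingerprint": "hw-2"},
    # Fresh cookie (cleared or incognito), but the cookie-less fingerprint matches s1.
    {"session": "s4", "visitor_id": "vid-222", "browser_id": "bid-bbb",
     "visitor_fingerprint": "vfp-x", "hardware_fingerprint": "hw-1"},
]


def review(observations):
    """Return (stolen_session_suspects, cookie_reset_suspects) as session lists."""
    hardware_by_browser = defaultdict(set)      # Browser ID -> hardware fingerprints seen
    visitors_by_fingerprint = defaultdict(set)  # Visitor Fingerprint -> Visitor IDs seen
    stolen, resets = [], []
    for obs in observations:
        seen_hw = hardware_by_browser[obs["browser_id"]]
        # A Browser ID should map to exactly one Hardware Fingerprint.
        if seen_hw and obs["hardware_fingerprint"] not in seen_hw:
            stolen.append(obs["session"])
        seen_hw.add(obs["hardware_fingerprint"])

        seen_ids = visitors_by_fingerprint[obs["visitor_fingerprint"]]
        # A known Visitor Fingerprint arriving with a new Visitor ID means the
        # cookie changed while the device signals stayed the same.
        if seen_ids and obs["visitor_id"] not in seen_ids:
            resets.append(obs["session"])
        seen_ids.add(obs["visitor_id"])
    return stolen, resets


if __name__ == "__main__":
    stolen, resets = review(OBSERVATIONS)
    print("possible stolen sessions:", stolen)
    print("returning devices with a new cookie:", resets)
```

Because a browser update can occasionally change fingerprints permanently and the Visitor Fingerprint is 99.9% unique rather than guaranteed unique, treat either result as a reason to re-authenticate or review, not as proof on its own.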