Device Fingerprinting

Stytch Device Fingerprinting (DFP) collects and interprets various attributes of a user's device to help you prevent fraud, reduce risk, and improve UX for your real users. Here are some examples of device attributes:

  • Browser type
  • Screen size
  • Operating system
  • Time zone
  • IP address and related geographical data (city, region or state, country)

Stytch Device Fingerprinting collects these raw attributes and enhances them with proprietary tamper detection, warning flags, and recommended actions to take.

If you're using Stytch for authentication, you can enable Protected Auth to automatically enforce the resulting actions by allowing real users, blocking bots, and presenting challenges to suspicious activity.

The Stytch fraud prevention framework

At a high level, we think about fraud prevention in four main areas:

  1. Signal gathering: Capture information about user activity.
  2. Decisioning: Given that information, decide what to do.
  3. Enforcement: Given the decision, add or reduce friction in the user's journey.
  4. Analysis and feedback loop: Observe, iterate, and improve detection and controls based on real-world outcomes.

Figure: Stytch fraud prevention framework

Ultimately, every fraud prevention team needs to collect the right signals to make the right decisions, enforce those decisions, and improve as bad actors try to evade their defenses. Device Fingerprinting provides a powerful tool for your team to reliably stop bad actors.

Features and benefits of Stytch Device Fingerprinting

For a given device, Stytch Device Fingerprinting delivers stable identifiers (fingerprints), a mix of industry-standard and proprietary signals, and derived insights about how you should respond.

Anyone can write JavaScript code that collects raw browser signals like the user agent string, but that code is easily reverse-engineered; attackers can spoof the signals or alter the payload to actively mislead you. That's why Stytch doesn't just give you raw signals like the user agent.

Instead, Stytch Device Fingerprinting provides:

  • Deterministically generated fingerprints: aggregations of device signals that remain stable across incognito browsing, webviews, VPNs, changes to user agent or IP addresses, and more
  • Tamper-resistant design, including encryption, obfuscation, and proprietary tamper detection
  • Warning flags about automated or deceptive behavior, like headless browser automation or user agent spoofing
  • High-velocity flags with Intelligent Rate Limiting
  • Verdicts, which are clear action recommendations (ALLOW, BLOCK, CHALLENGE) rather than opaque floating-point risk scores
  • Customizable Rules to tailor decisioning for your own application's needs

You can use Stytch Device Fingerprinting as a standalone fraud and risk solution, or integrate with your existing signal gathering, decisioning engine, and enforcement logic.

Figure: Stytch Device Fingerprinting mapped to the Stytch fraud prevention framework

Integration overview

At its core, Stytch Device Fingerprinting requires two integration points: a client-side JavaScript library that gathers signals, and a backend API that interprets them.

The JavaScript library calls a WebAssembly binary that gathers signals and sends them to the Stytch backend for processing. The Stytch backend returns a Telemetry ID.

When you want to make a decision about that user, call the Lookup API with the Telemetry ID. The API will return Stytch's view of the user, including signals, fingerprints, warning flags, and verdict. Now, you can decide how to respond to the user's request and enforce your decision.
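
An added example (not from the Stytch docs or SDK) of the backend step described above: turning the Lookup result for a Telemetry ID into an enforcement decision on the server. The result shape `{ verdict: { action } }`, the function and route names, and the handling of missing or unrecognised results are assumptions; the Lookup call itself is omitted and its result is passed in.

```javascript
// Added example, not Stytch code. Assumptions: the lookup result shape
// { verdict: { action } }, every name below, and the policy choices.
const KNOWN_ACTIONS = new Set(['ALLOW', 'BLOCK', 'CHALLENGE']);

// Constructed policy: routes where a CHALLENGE verdict must trigger step-up.
const SENSITIVE_ROUTES = new Set(['/login', '/signup', '/password-reset']);

// Map a server-side lookup outcome to an enforcement decision.
// lookupResult is what the backend received for telemetryId, or null when
// the lookup returned nothing or failed.
function decide(route, telemetryId, lookupResult) {
  // The client script can be stripped or blocked, so a request that arrives
  // without an ID is never treated as clean.
  if (typeof telemetryId !== 'string' || telemetryId.length === 0) {
    return { outcome: 'step_up', reason: 'missing_telemetry_id' };
  }
  // No usable record for this ID: do not fall through to "proceed".
  if (!lookupResult || !lookupResult.verdict) {
    return { outcome: 'step_up', reason: 'lookup_unavailable' };
  }
  const action = lookupResult.verdict.action;
  // Fail closed on any value this code does not recognise.
  if (!KNOWN_ACTIONS.has(action)) {
    return { outcome: 'deny', reason: 'unknown_action' };
  }
  if (action === 'BLOCK') return { outcome: 'deny', reason: 'verdict_block' };
  if (action === 'ALLOW') return { outcome: 'proceed', reason: 'verdict_allow' };
  // CHALLENGE: add friction on sensitive routes, flag for review elsewhere.
  return SENSITIVE_ROUTES.has(route)
    ? { outcome: 'step_up', reason: 'verdict_challenge' }
    : { outcome: 'proceed_flagged', reason: 'verdict_challenge' };
}

// Constructed sample inputs, run through the decision function.
const samples = [
  ['/login', 'tid-constructed-1', { verdict: { action: 'ALLOW' } }],
  ['/login', 'tid-constructed-2', { verdict: { action: 'CHALLENGE' } }],
  ['/search', 'tid-constructed-3', { verdict: { action: 'CHALLENGE' } }],
  ['/signup', 'tid-constructed-4', { verdict: { action: 'BLOCK' } }],
  ['/login', '', null],
  ['/login', 'tid-constructed-5', null],
];
for (const [route, id, result] of samples) {
  console.log(route, id || '(none)', JSON.stringify(decide(route, id, result)));
}
```

The decision is made from the server-side lookup only; nothing the browser reports about its own verdict is consulted.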

What's next

Learn how to bootstrap DFP in just a few minutes.

If you are interested in enabling Device Fingerprinting for your project, please reach out to Stytch.
