Device Fingerprinting
Stytch Device Fingerprinting (DFP) collects and interprets various attributes of a user's device to help you prevent fraud, reduce risk, and improve UX for your real users. Here are some examples of device attributes:
- Browser type
- Screen size
- Operating system
- Time zone
- IP address and related geographical data (city, region or state, country)
Stytch Device Fingerprinting collects these raw attributes and enhances them with proprietary tamper detection, warning flags, and recommended actions to take.
If you're using Stytch for authentication, you can enable Protected Auth to automatically enforce the resulting actions by allowing real users, blocking bots, and presenting challenges to suspicious activity.
The Stytch fraud prevention framework
At a high level, we think about fraud prevention in four main areas:
- Signal gathering: Capture information about user activity.
- Decisioning: Given that information, decide what to do.
- Enforcement: Given the decision, add or reduce friction in the user's journey.
- Analysis and feedback loop: Observe, iterate, and improve detection and controls based on real-world outcomes.
Ultimately, every fraud prevention team needs to collect the right signals to make the right decisions, enforce those decisions, and improve as bad actors try to evade their defenses. Device Fingerprinting provides a powerful tool for your team to reliably stop bad actors.
Features and benefits of Stytch Device Fingerprinting
For a given device, Stytch Device Fingerprinting delivers stable identifiers (fingerprints), a mix of industry-standard and proprietary signals, and derived insights about how you should respond.
Anyone can write Javascript code that collects raw browser signals like user agent string, but that code is easily reverse-engineered; attackers can spoof the signals or alter the payload to actively mislead you. That's why Stytch doesn't just give you raw signals like user agent.
Instead, Stytch Device Fingerprinting provides:
- Deterministically-generated fingerprints: aggregations of device signals that remain stable across incognito browsing, webviews, VPNs, changes to user agent or IP addresses, and more
- Tamper-resistant design, including encryption, obfuscation, and proprietary tamper detection
- Warning flags about automated or deceptive behavior, like headless browser automation or user agent spoofing
- High velocity flags with Intelligent Rate Limiting
- Verdicts, which are clear action recommendations (ALLOW, BLOCK, CHALLENGE) rather than opaque floating-point risk scores
- Customizable Rules to tailor decisioning for your own application's needs
You can use Stytch Device Fingerprinting as a standalone fraud and risk solution, or integrate with your existing signal gathering, decisioning engine, and enforcement logic.
Integration overview
At its core, Stytch Device Fingerprinting requires two integration points: a client-side Javascript library that gathers signals, and a backend API that interprets them.
The Javascript library calls a WebAssembly binary that gathers and sends signals to the Stytch backend for processing. The Stytch backend will return a Telemetry ID.
When you want to make a decision about that user, call the Lookup API with the Telemetry ID. The API will return Stytch's view of the user, including signals, fingerprints, warning flags, and verdict. Now, you can decide how to respond to the user's request and enforce your decision.
What's next
Learn how to bootstrap DFP in just a few minutes.
If you are interested in enabling Device Fingerprinting for your project, please reach out to Stytch.
Contact sales