Device Fingerprinting Protected Auth

Device Fingerprinting Protected Auth is a ready-made solution that enables you to focus solely on building auth flows with our frontend SDKs, while harnessing all the protective advantages of DFP.

One of the primary use cases for Stych’s Device Fingerprinting product is to detect and stop fraud – which often involves the fraudulent traffic attempting to sign up or log in to the application. This often manifests as part of a credential stuffing attack to compromise the accounts of current users or to gain access to protected compute resources. Our Device Fingerprinting product is required to be queried from the customer’s backend to ensure that a bad actor cannot spoof a response.

Meanwhile, Stytch offers frontend SDKs that allow users to build auth without a backend. The SDKs outsource the backend implementation by providing pre-built components to start a login flow and methods that communicate with the Stytch API. These SDKs enable developers to get up and running faster through these pre-built components.

Stytch offers a feature called Device Fingerprint Protected Auth that seamlessly integrates Device Fingerprinting with our frontend SDKs. When enabled, the SDKs automatically generate a telemetry ID before an API call and include the telemetry ID in the Stytch API request. The Stytch API will verify the fingerprint is a valid user before authenticating the request and handles the backend integration.

In the case of a credential stuffing attack, it would fail because the request doesn’t have a telemetry ID or the Device Fingerprinting product detects illegitimate requests like headless browser automation or a scripting language. The attacker would only see failed authentication attempts with no idea if the request failed due to a failed fingerprint request or an incorrect password.

Configuration

Device Fingerprint Protected Auth requires no code changes and is enabled from the Dashboard SDK configuration page under the Bot Protection section. Once enabled, there are two different modes for Device Fingerprint Protected Auth: Observation mode and Decision mode.

The Device Fingerprint Protected Auth product runs on the following frontend SDK auth methods:

Consumer Authentication:

  • stytch.magicLinks.email.send()
  • stytch.magicLinks.authenticate()
  • stytch.oauth.authenticate()
  • stytch.otps.authenticate()
  • stytch.otps.email.send()
  • stytch.otps.sms.loginOrCreate()
  • stytch.otps.sms.send()
  • stytch.otps.authenticate()
  • stytch.otps.whatsapp.loginOrCreate()
  • stytch.otps.whatsapp.send()
  • stytch.otps.authenticate()
  • stytch.passwords.create()
  • stytch.passwords.authenticate()
  • stytch.passwords.resetByEmailStart()
  • stytch.passwords.resetByEmail()
  • stytch.passwords.resetByExistingPassword()
  • stytch.passwords.resetBySession()
  • stytch.webauthn.authenticate()
  • stytch.biometrics.authenticate()
  • stytch.cryptoWallets.authenticate()
  • stytch.totps.authenticate()
  • stytch.totps.recover()

B2B SaaS Authentication:

  • stytch.sso.authenticate()
  • stytch.passwords.resetByEmailStart()
  • stytch.passwords.resetByEmail()
  • stytch.passwords.resetByExistingPassword()
  • stytch.passwords.resetBySession()
  • stytch.passwords.authenticate()
  • stytch.otps.sms.send()
  • stytch.otps.sms.authenticate()
  • stytch.oauth.authenticate()

What's next

Learn how to set up Device Fingerprinting Protected Auth.