Device Fingerprinting use cases and industry needs

Here's how Stytch's Device Fingerprinting product enhances security and user experience across consumer and B2B apps in all industries:

Blocking advanced programmatic attacks

Stytch’s Device Fingerprint product detects bot activity and returns a BLOCK verdict that developers can check before performing any sensitive action:

  • Prevent Costly Attacks: B2B and B2C applications are both vulnerable to a number of at-scale attacks, especially against your login endpoints. Bot detection may be used to guard against:

    • Toll Fraud: Guard against toll fraud caused by bot traffic, particularly in apps using SMS login for international users.
    • Credential Stuffing and Brute Force Attacks: Defend your app against these common threats targeting password logins.
    • Phishing Attacks: Assess high-phishing-risk logins by detecting MITM attacks and high-frequency logins from a given device using our bot detection and smart rate limiting.
  • Prevent Sign-up Abuse: In PLG and consumer applications, free sign-up flows are vulnerable to abuse, including new-account spam and free credit/usage exploitation.

Leveraging device IDs as an additional user identifier

Stytch’s Device Fingerprint product will return unique, stable device UUIDs that developers can leverage to enforce or enhance usage based on a user’s device:

  • User fan-out banning: Ensure policy violators are banned across all accounts associated with their device(s), especially in applications with free sign-up, like PLG or consumer apps.
  • Prevent seat sharing or enforce paywalls: Device fingerprinting is commonly used to limit the number of devices per account to prevent unauthorized sharing. Inversely, device fingerprinting can be used to limit the number of accounts per device, to prevent paywall evasion.
  • Phishing and ATO (account takeover) prevention: Device fingerprinting (DFP) is often used as an additional signal during login: is the user on a ‘trusted’ or ‘remembered’ device, or is this a login attempt that should be scrutinized with MFA or other measures?
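The three device-id use cases above share one data structure, an account-to-device graph, so here is a single added example (not Stytch code) that implements fan-out banning, a devices-per-account cap, an accounts-per-device cap, and a trusted-device check over it. It assumes the stable device UUID has already been obtained from a lookup (called `device_id` here), uses an in-memory registry where a real deployment would persist state, and the cap values are assumed policy numbers.

```python
"""Stable device ids as a second user identifier (added example, not Stytch code).

Assumes each login has already yielded a stable device UUID (`device_id`).
The registry is in-memory for the example; production would persist it.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DeviceRegistry:
    max_devices_per_account: int = 3   # seat-sharing cap (assumed policy value)
    max_accounts_per_device: int = 2   # paywall-evasion cap (assumed policy value)
    _account_devices: dict = field(default_factory=lambda: defaultdict(set))
    _device_accounts: dict = field(default_factory=lambda: defaultdict(set))
    _banned_accounts: set = field(default_factory=set)
    _banned_devices: set = field(default_factory=set)

    def record_login(self, account: str, device_id: str) -> None:
        """Link the account and device in both directions after a successful login."""
        self._account_devices[account].add(device_id)
        self._device_accounts[device_id].add(account)

    def is_trusted_device(self, account: str, device_id: str) -> bool:
        """A 'remembered' device is one this account has completed a login from before;
        an unseen device is the signal to step up to MFA."""
        return device_id in self._account_devices.get(account, set())

    def can_add_device(self, account: str, device_id: str) -> bool:
        """Seat-sharing check: known devices always pass, new ones only under the cap."""
        known = self._account_devices.get(account, set())
        return device_id in known or len(known) < self.max_devices_per_account

    def can_create_account(self, device_id: str) -> bool:
        """Sign-up check: refuse banned devices and devices already holding too many accounts."""
        if device_id in self._banned_devices:
            return False
        return len(self._device_accounts.get(device_id, set())) < self.max_accounts_per_device

    def ban_with_fanout(self, account: str) -> set:
        """Ban the account, every device it used, and every other account on those devices.
        Deliberately one hop: a transitive closure would over-ban shared machines."""
        banned = {account}
        for dev in self._account_devices.get(account, set()):
            self._banned_devices.add(dev)
            banned |= self._device_accounts.get(dev, set())
        self._banned_accounts |= banned
        return banned

    def is_banned(self, account: str, device_id: str) -> bool:
        """Deny if either the account or the device it is arriving on has been banned."""
        return account in self._banned_accounts or device_id in self._banned_devices


if __name__ == "__main__":
    # Constructed sample data
    reg = DeviceRegistry()
    reg.record_login("alice", "dev-1")
    reg.record_login("mallory", "dev-9")
    reg.record_login("mallory2", "dev-9")   # second free account from the same device
    print("trusted:", reg.is_trusted_device("alice", "dev-1"), reg.is_trusted_device("alice", "dev-2"))
    print("banned by fan-out:", sorted(reg.ban_with_fanout("mallory")))
    print("dev-9 may sign up again:", reg.can_create_account("dev-9"))
```

Fan-out is kept to one hop on purpose: following account-to-device-to-account links transitively makes a single shared device (a library machine, a family laptop) a path to banning unrelated users, so wider fan-out should be a manual review step rather than an automatic one.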