Choosing a fingerprinting solution
Stytch vs. Fingerprint
Fingerprint is a JavaScript-based client-side browser fingerprinting library that can be used to identify website visitors. While Fingerprint's product can provide useful customer intelligence, Stytch's device fingerprinting library is a more sophisticated alternative to Fingerprint for detecting and preventing fraud, either as a standalone product or deeply embedded with Stytch's authentication platform.
Stytch's device fingerprinting product uses a comprehensive approach to signal collection that combines hardware, passive network/TLS, and active browser-level fingerprinting. This allows Stytch to generate device fingerprints that remain stable across incognito browsing, webviews, proxies, VPNs, changes to user agent or IP addresses, and more, so you can accurately identify users and challenge bots or other malicious traffic.
Read more about how Stytch compares to Fingerprint below, or reach out to our team for a demo and to get set up with device fingerprinting credentials:
A quick summary
Fingerprinting solution design, accuracy and security
Stytch
Fingerprint
Identification accuracy
Identification accuracy
>99%
>99%
Globally unique, stable, visitor ID
Globally unique, stable, visitor ID
Supported
Supported
Action recommendation
Action recommendation
Supported
- Each fingerprint includes one of three default suggested actions - Allow, Block, and Challenge - to allow for easy and accurate decisioning
Partially supported
- Raw device attributes, accuracy score, and confidence score can be combined to determine a custom decisioning approach for your project
Bot detection and device classification
Bot detection and device classification
Supported
- Action recommendations can be used to quickly detect and ban or challenge bots and bad actors
- Custom ban rules can also be configured more granularly based on user, browser, or device fingerprint if desired
Supported
- Provides raw device attributes for use in custom decisioning rather than a holistic device classification
TLS fingerprinting
TLS fingerprinting
Supported
- Proprietary TLS and network fingerprinting, performed entirely server-side to prevent tampering
Partially supported
- Performs some TLS fingerprinting, but this requires a full round trip request and returns identifiers client-side where they are vulnerable to tampering
Encryption
Encryption
Supported
- Encryption on-wire & at rest. Payloads are never visible in plain text to external users
Partially supported
- Incomplete encryption at rest, which allows for full inspection and modification of fingerprint payload inputs and outputs
Tamper resistance
Tamper resistance
- Uses cryptographic signing to detect fingerprints that have been tampered with. Resistant to static and dynamic analysis reverse-engineering techniques
- Supports browser (Pro, Enterprise) and Android (Enterprise only) tamper detection, but incomplete encryption means that payloads may be susceptible to manipulation
Language
Language
- Built in WebAssembly for maximum obfuscation and speed
- Built in JavaScript
Developer experience and performance
Stytch
Fingerprint
Integration time
Integration time
- Hours to days
- Hours to days
API/SDK offerings
API/SDK offerings
- Available as an API or integrated with Stytch's frontend SDKs
- Available as an API or via client or server-side SDKs
Latency (see full testing details below)
Latency (see full testing details below)
- On average 250 ms for new users, 125 ms for returning users
- On average 650 ms for new users, 550 ms for returning users
Third-party integrations
Third-party integrations
- Integrated with Stytch's frontend authentication SDKs
- Additional third-party integrations are not available at this time, but we’re open to requests. Let us know what you’d like to see by reaching out to support@stytch.com
- Offers third party integrations with a number of CDNs and marketing analytics/customer data platforms such as Cloudflare and Segment
Support
Support
- USA-based support via community Slack, direct email, and Forum
- Step-by-step integration help and highly available support during integration and beyond
- Basic technical support via email or Discord
- Premium support available for Enterprise plans
A more detailed comparison
Design for anti-reverse engineering
Why tamper resistance matters
For a device or browser fingerprinting solution to be effective, identification accuracy and tamper resistance need to go hand-in-hand. Accuracy is critical to understand traffic, identify unique visitors, and ensure that bad actors are blocked while good ones are let through. However, when bad actors encounter restrictions, they will immediately try to reverse engineer and bypass those checks. As a result, tamper resistant solution design is critical to ensure that those identifications remain accurate and fraudulent actors can’t get through.
In a recent head-to-head analysis between Stytch's device fingerprinting solution and Fingerprint Pro, we found that both solutions had similar accuracy in identifying unique site visitors, but that Stytch offered superior tamper resistance.
Encryption approach
Stytch's device fingerprinting solution uses full encryption at-rest and on-wire for all JS property evaluations and signal collections, so that payloads are never visible in plain text to external users. By contrast, Fingerprint payloads are not consistently encrypted at-rest. This means that bad actors can easily inspect Fingerprint's payloads to identify where signal gathering occurs, set breakpoints directly in the fingerprint collections code, modify the inputs or outputs of the collections, or modify the fingerprint.js script itself and use it to generate fraudulent fingerprints.
Stytch's solution also incorporates a number of tamper-resistant and tamper-evident features via cryptographic signing. Stytch's robust deception detection techniques also ensure that if Stytch's payload internals are somehow tampered with, the results won’t be accepted by Stytch's servers for access.
JavaScript vs. WebAssembly
One key enabler of Stytch's strong tamper resistance is that Stytch's device fingerprinting product is built in WebAssembly for maximum obfuscation and to ensure that the product remains a black box. Fingerprint's solution is built in pure JavaScript, so its encryption and signal collection logic are subject to trivial interception via breakpoints.
Solution approach
Stytch's product is similar to Fingerprint's product in that they both offer highly accurate, globally unique, stable visitor IDs that can be used to understand website traffic and personalize the user experience on your site and block bad actors.
Granularity != Accuracy
However, the two products are very different in how they approach aggregating individual signals to help identify users and challenge or block suspicious traffic.
Fingerprint.js provides users with a wide array of individual attributes, such as VPN detection, IP geolocation, and more. With Fingerprint, aggregating the output of these attributes to make a decision on what behavior to allow or disallow is up to you. An advantage of this approach is the ability to see and customize behavior based on raw device attributes; however, these individual signals are susceptible to large numbers of false positives and negatives. For example, Fingerprint's VPN detection is largely based on IP address lookups and timezone mismatch. While these factors are effective in a large number of cases, they’re also imperfect and easily gamed by bad actors, leading to inaccurate data.
In contrast, Stytch's solution looks holistically at the hardware, network, and browser-level profile of a website visitor and uses deterministic pattern matching to generate an action recommendation and a unique, stable fingerprint. This allows for a more streamlined implementation when using Stytch, and avoids creating an illusion of accuracy by presenting raw attributes that may not be fully reliable.
Developer experience and performance
Integration and support
Both Stytch and Fingerprint are relatively lightweight to integrate, and can be configured in a matter of hours or days, depending on the use case. You can get a sense of what it looks like to get started with Stytch's device fingerprinting solution by referencing the docs. Stytch also offers top-notch support and integration guidance through our solutions engineering and developer success teams.
Load times
Performance is another critical dimension. A device or browser fingerprinting product needs to load quickly to avoid deterring legitimate users. In our testing, we found that Stytch's telemetry.js took an average of 250 ms to load when uncached (for new users) and 125 ms to load when cached. In contrast, Fingerprint Pro (v3.8.2) took an average of 650 ms to load when uncached and 550 ms to load when cached. In summary, Stytch was 4x faster than Fingerprint for returning users and 2x faster for new ones.
Product connections
Fingerprint offers a wider range of integrations with third party providers like Cloudflare or Microsoft Azure; however, Stytch's device fingerprinting product can be easily bundled with Stytch authentication to mitigate account takeover attacks, credential stuffing, toll fraud, and more.
Pricing and packaging
Purchasing options
While Fingerprint's browser fingerprinting solution is a standalone product that can be optionally integrated with third party authentication solutions, Stytch's comprehensive product suite includes authentication as well as device fingerprinting.
As a result, Stytch's device fingerprinting product can either be purchased standalone, similar to that of Fingerprint, or can be purchased as a built-in protection layer directly integrated into Stytch's authentication SDKs. This allows for flexible implementation of Stytch's device fingerprinting solution to prevent fraud, stop account takeover attacks, and accurately identify both users and bots.
Pricing
Pricing is comparable between Fingerprint Pro's and Stytch’s device/browser fingerprinting solutions, and both companies charge based on API lookups. Stytch also offers bundling discounts for customers who use Stytch device fingerprinting in tandem with Stytch’s authentication solutions, which provides both cost savings and additional protection against toll fraud, account takeovers, credential stuffing, and more.
Set up a demo with the Stytch team to learn more about pricing for device fingerprinting and to get set up with API credentials.
Comparison details
The comparisons above focus on Fingerprint Pro (v3.8.2) vs. Stytch Device Fingerprinting as of August 2023. The performance results were collected on both a M1 Macbook Pro and a Windows 10 PC with similar, repeatable results observed in both instances.
If something here doesn’t look right, let us know at support@stytch.com; we’re committed to providing an accurate and fair comparison of our products.