How device fingerprinting catches suspicious actors

Device fingerprinting is an effective way for organizations to catch suspicious actors in their tracks. Learn how you can apply it.

Last updated: 2/21/2024
⚡ Key takeaways
  • Device fingerprinting is the process of collecting information about a device, which can then be used to identify the device and differentiate it from other devices, and re-identify it later.
  • Device fingerprinting can be a powerful way to identify and prevent fraud, as it helps businesses understand when a single device is tied to multiple accounts, when a single device is used to open a suspiciously large number of accounts, or when a single device is being used to attempt to log into multiple accounts.

If your business operates online — for example, as an online marketplace, a social media platform, an online dating website, or really just a business with a website — then you already know just how big a problem fraud can be. 

With just a few clicks, bad actors can open fake accounts (or hack into and take over legitimate accounts) and use those profiles to conduct all kinds of fraudulent activity, including money laundering and other financial crimes. 

The good news is that with the right identity verification and authentication solutions in place, it becomes much easier to identify potential bad actors before they become a problem.

Identity verification and authentication are all about collecting information from the user. Some of this information, such as the individual’s Social Security number or driver’s license, must be requested from the user. But users also automatically provide you with a wealth of information that you can use to identify and deter fraud — as long as you know what to look for. A device fingerprint is one such piece of data.

Below, we take a closer look at device fingerprinting, walk through how it works, and explain the different ways it can help online businesses detect and deter fraud.

What is device fingerprinting?

Device fingerprinting is the process of collecting information about a device, like a smartphone or desktop computer, which can then be used to identify the device and differentiate it from other devices, and re-identify it later. 

Device fingerprinting can be an incredibly powerful tool in identifying and preventing fraud, as it helps businesses understand when a single device is tied to multiple accounts, when a single device is used to open a suspiciously large number of accounts, or when a single device is being used to attempt to log into multiple accounts, etc. 

What specific information goes into generating a device fingerprint? While this can vary, it typically includes data about the device’s hardware and software, including (but not limited to):

  • IP address
  • VPN and browser information
  • Operating system
  • Time zone
  • Language settings
  • HTTP request headers
  • Installed plugins/fonts
  • Battery information
  • Screen resolution
  • User-agent
  • Flash data

It’s important to note that while each of these data points can in and of itself serve as a fraud signal, none of them individually is a device fingerprint. It is only when this information is combined that it becomes unique enough to serve as an identifier for a user’s device.

How does device fingerprinting work?

Whenever a user visits your website, they open a connection between your business and their device. As soon as this connection is made, you can begin collecting a wealth of information about that user’s device and browser — so long as you have a tool in place that is capable of doing so.

Device fingerprinting typically happens automatically in the background whenever a user interacts with your business through your website. Some of the most important “moments” or interactions include when a new user opens an account, when an existing user logs into their account, or during other high-risk activities (such as when a user completes a purchase in an online marketplace).

As this data is collected, it is combined to form a fingerprint, which is unique to a given device/browser combination. 
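The sketch below is an added example, not Persona's code: it combines several of the attributes listed earlier into one identifier and then flags the patterns described above, a single device opening many accounts or attempting logins on many accounts. The field set, thresholds, event format, and sample devices are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

# Assumed attribute set, drawn from the list above; real products choose their own.
FIELDS = ("user_agent", "os", "time_zone", "language", "screen", "fonts")

def fingerprint(attrs):
    """Hash a canonical encoding of the combined attributes into one identifier."""
    picked = {k: attrs.get(k) for k in FIELDS}
    canonical = json.dumps(picked, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def device_signals(events, max_signups=2, max_login_accounts=2):
    """Return {fingerprint: [reasons]} for devices that exceed either threshold."""
    signups, logins = defaultdict(set), defaultdict(set)
    for ev in events:
        fp = fingerprint(ev["device"])
        # Anything that is not a signup is treated as a login attempt here.
        (signups if ev["action"] == "signup" else logins)[fp].add(ev["account"])
    flagged = defaultdict(list)
    for fp, accounts in signups.items():
        if len(accounts) > max_signups:
            flagged[fp].append(f"opened {len(accounts)} accounts")
    for fp, accounts in logins.items():
        if len(accounts) > max_login_accounts:
            flagged[fp].append(f"login attempts on {len(accounts)} accounts")
    return dict(flagged)

# Constructed sample data: the two devices share time zone and language,
# so neither attribute alone tells them apart, but the combination does.
LAPTOP = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0",
          "os": "Linux", "time_zone": "America/Chicago", "language": "en-US",
          "screen": "1920x1080", "fonts": ["DejaVu Sans", "Liberation Serif"]}
PHONE = dict(LAPTOP, os="iOS", screen="390x844", fonts=["Helvetica"],
             user_agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_2) Safari/604.1")
EVENTS = (
    [{"action": "signup", "account": f"new-{i}", "device": LAPTOP} for i in range(3)]
    + [{"action": "login", "account": f"user-{i}", "device": LAPTOP} for i in range(4)]
    + [{"action": "login", "account": "user-9", "device": PHONE}]
)

if __name__ == "__main__":
    for fp, reasons in device_signals(EVENTS).items():
        print(fp, reasons)
```

A flagged fingerprint is a risk signal for follow-up, not proof of fraud: shared or public devices can legitimately exceed thresholds like these.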

Does device fingerprinting work with mobile applications?

Unfortunately, no. 

Device fingerprinting requires the collection of data about a user’s hardware (their device) and their software (the browser they use to access your site). This means that it can really only be leveraged for websites or browser-based applications. 

That said, there are other methods of re-identifying users on mobile apps. For example, here at Persona, our customers can collect a piece of data known as IDFV (iOS) or App Set ID (Android) when a user interacts with their mobile application. This piece of information serves much the same role that a device fingerprint plays for web-based applications.

Why you should consider adding device fingerprinting to your IDV processes

Most forms of identity verification require you to request information from the user. This allows them to attempt to circumvent your defenses in a variety of ways — for example, by entering false information, using stolen credentials, or uploading forged documents. 

Device fingerprinting, by comparison, happens automatically in the background whenever a user interacts with your website. Because it happens automatically and without input from the user, it can serve as a strong second layer of defense on top of your other identity verification (IDV) and authentication processes. 

Does this mean that it’s foolproof? Of course not. There are steps that bad actors can take to try to prevent accurate device fingerprinting. For example, they might use a VPN to change their IP address when creating new accounts on your website. Or, they might clear their cache between login attempts when trying to perform an account takeover. Emulators, virtual machines, and anti-fingerprinting tools can all also be used to try to avoid fingerprinting.

But the good news is that many of these activities and tools can be detected. And because most of your everyday users are unlikely to try to obscure their device fingerprint (many likely don’t even know what it is), when you do detect suspicious activity like the use of these tools, it can be a strong risk signal that prompts follow-up, manual review, or another form of enhanced due diligence.

Device fingerprinting and your business

Device fingerprinting can be an incredibly powerful tool at your disposal in the fight against online fraud. But generally speaking, it isn’t meant to be your only line of defense. Device fingerprinting is best used in conjunction with other verification and authentication techniques, which, when used together, form a layer of redundancy and real, comprehensive coverage.

Which other verification techniques you leverage will of course depend on your business, your service, the expectations of your customers, and any regulatory requirements that you may be subject to. That being said, options include:

Here at Persona, we understand the fact that identity verification, reverification, and fraud prevention all go hand in hand. That’s why we’ve developed a variety of IDV solutions and tools that you can leverage at multiple stages in your fight against fraud. 

Our Verifications solution empowers you to craft the ideal verification flow for your business, whether that includes device fingerprinting or not, while Reports allows you to augment your verifications with trusted data for a more comprehensive understanding of who your users are. Spot something suspicious? Cases empowers you to review and investigate suspicious activity before making a final decision. Meanwhile, our link analysis tool Graph allows you to quickly and easily spot connections between user accounts — including those that might indicate fraud or other suspicious activity.

Interested in learning more? Start for free or get a demo today.

Published on: 12/14/2022

Frequently asked questions

How accurate is device fingerprinting?

Device fingerprinting works by collecting a broad swath of information about a user’s device — both the physical device as well as the browser they are using to access your website. This information is then combined into a fingerprint that is unique to that specific device. 

Because the device fingerprint consists of so many different pieces of information, it is improbable that two devices would ever share the same fingerprint, though this can happen in rare cases. With this in mind, device fingerprinting is a very accurate means of identifying devices and distinguishing them from one another.

How is device fingerprinting different from browser fingerprinting?

Device fingerprinting and browser fingerprinting are related, but distinct, techniques used to identify users. 

As discussed above, fingerprinting a user’s device requires the collection of data about both their device and their browser. Browser fingerprinting, on the other hand, only involves the collection of data about a user’s browser settings, such as their user agent header, font list, and operating system. 

Both techniques are commonly used in fraud prevention.

Is device fingerprinting enough to stop fraud?

While device fingerprinting can be a very effective means of identifying a device, it is not foolproof. Users who know what a device fingerprint is and who want to avoid having their devices fingerprinted have a number of options at their disposal for achieving that goal.

The good news? In many cases, identity verification software that performs device fingerprinting can recognize the presence of these developer tools and flag them as a risk signal.

Regardless, device fingerprinting is best leveraged as just one piece of your anti-fraud and verification toolkit. Ideally, your business will use multiple different tools that each work to prevent fraud in different ways, in order to build a redundant layer of fraud protection.
