What Is a Device Fingerprint? [How is it used?]
A device fingerprint - or device fingerprinting - is a method to identify a device using a combination of attributes provided by the device configuration and how the device is used. The attributes collected as data to build the device fingerprint can vary depending on who is building the fingerprint. Some of the most common attributes include:
- The IP address
- HTTP request headers
- Plugins or fonts that the user has installed on their device
- The screen resolution of the device
- The battery information of the device
- The operating system that the visitor is using
- User agents
- Flash data
- VPN and browser information
- Type of web browser and browser version
- Time zone settings
- Language settings
While none of the data above is unique to the device, the possibility of two devices having the exact same combination of attributes is remote and statistically insignificant, making this method useful for identifying unique devices.
Sometimes it can be confused with cookies. But what are their differences?
Cookies vs. a Device Fingerprint
Cookies, which are typically used for advertising purposes, are also used to identify a device and even users. Cookies are stored locally in the user's computer. This data could include information about the user's preferences, shopping cart information, and more. Cookies do uniquely identify a device since the user is given a file that works as a unique identifier, but only if users explicitly consent to receive cookies.
Thanks to GDPR, CCPA, and other internet regulations users must be given the option to opt-in or opt-out to the use of cookies. The fact that users can decide to not accept cookies, or can even wipe them from their devices, make cookies an unreliable identification method, not to mention, not privacy-friendly.
Device fingerprinting is a more stable recognition signal since some of the configurations used to build it do not change so often. To use device fingerprinting, a website or mobile app has to use a device fingerprint tracker. Coders will use a small part of Javascript to collect this information. This piece of code can identify the visitor's device, operating system, language, IP address, and more.
What are the Uses for Device Fingerprinting?
Web services have many reasons to track their visitors, from advertising to security. Throughout the years, especially in advertising, cookies have been the go-to method to uniquely identify users. While fingerprinting can also be used for advertising, usually, in the form of browser fingerprinting, most organizations use device fingerprinting for anti-fraud efforts. By focusing on preventing fraud, companies are trying to promote device fingerprinting as a user-friendly device identification method since it is usually built to protect customers and their financial information.
Using device fingerprinting is a common method used by businesses as part of their fraud detection systems to determine if a user is who they claim to be and prevent attempted account takeover.
How is a Device Fingerprint Used to Help Fight Fraud?
Fraudsters are always trying to break cybersecurity defenses. Some of the most common fraudsters' attacks are related to Phone Number spoofing and IP address spoofing. By implementing these practices, fraudsters can mask their phone number and the real IP address of their browser and pretend to be another person or a legitimate user. Several phone number spoofing or IP address spoofing solutions are available for sale on the Dark Web. However, it is much more difficult for fraudsters to spoof a device fingerprint.
Device fingerprints can include many different signals picked up from the device:
- “Minimalistic”: these are based on a few phone features, such as Device OS type, Browser Type, Phone Brand, etc…
- “Evolved”: these include detecting Jailbroken devices, Rooted devices, or emulated devices,
- “Complex”: these include the use of signatures on hardware components such as the screen resolution and memory size
In general, a Device Fingerprint provides added protection against the most commonly used fraud methodologies. To implement these device-level checks, businesses have to use fraud-prevention solutions that are resilient against many different kinds of spoofing.
Device Fingerprinting security platforms collect and examine device fingerprints among other types of user activity and behavior to determine the level of risk of an individual not being a legitimate user. After cross-referencing information, these systems can return low-risk or high-risk fraud signals for businesses' authentication engines to decide whether to present more friction and require additional authentication or authorize the user.
Device Fingerprinting and Privacy
It is not obvious or clear to users that their device is being fingerprinted by a mobile app or website, nor is it easy for this practice to be prevented or turned off.
According to GDPR, Fingerprinting is only permitted if:
- User consent is given explicitly to the company requiring the information;
- It is in the beneficiary’s legitimate interest their data is collected and used, for example, to preserve their own security