A device fingerprint, or device fingerprinting, is a method of identifying a device using a combination of attributes drawn from the device's configuration and from how the device is used. The attributes collected to build the device fingerprint can vary depending on who is building the fingerprint. Some of the most common attributes include:
While none of the data above is unique to the device, the possibility of two devices having the exact same combination of attributes is remote and statistically insignificant, making this method useful for identifying unique devices.
Device fingerprinting is sometimes confused with cookies. How do the two differ?
Cookies, which are typically used for advertising purposes, are also used to identify a device and even users. Cookies are stored locally on the user's computer. The data they hold can include information about the user's preferences, shopping cart information, and more. Cookies do uniquely identify a device since the user is given a file that works as a unique identifier, but only if users explicitly consent to receive cookies.
Thanks to GDPR, CCPA, and other internet regulations, users must be given the option to opt in to or opt out of the use of cookies. The fact that users can decide not to accept cookies, or can even wipe them from their devices, makes cookies an unreliable identification method, not to mention one that is not privacy-friendly.
Device fingerprinting is a more stable recognition signal since some of the configurations used to build it do not change often. To use device fingerprinting, a website or mobile app has to use a device fingerprint tracker. Coders use a small piece of JavaScript to collect this information. This piece of code can identify the visitor's device, operating system, language, IP address, and more.
Web services have many reasons to track their visitors, from advertising to security. Throughout the years, especially in advertising, cookies have been the go-to method to uniquely identify users. While fingerprinting can also be used for advertising, usually in the form of browser fingerprinting, most organizations use device fingerprinting for anti-fraud efforts. By focusing on preventing fraud, companies are trying to promote device fingerprinting as a user-friendly device identification method since it is usually built to protect customers and their financial information.
Businesses commonly use device fingerprinting as part of their fraud detection systems to determine whether a user is who they claim to be and to prevent attempted account takeover.
Fraudsters are always trying to break cybersecurity defenses. Some of the most common attacks by fraudsters involve phone number spoofing and IP address spoofing. By using these practices, fraudsters can mask their phone number and the real IP address of their browser and pretend to be another person or a legitimate user. Several phone number spoofing or IP address spoofing solutions are available for sale on the Dark Web. However, it is much more difficult for fraudsters to spoof a device fingerprint.
Device fingerprints can include many different signals picked up from the device:
In general, a device fingerprint provides added protection against the most commonly used fraud methodologies. To implement these device-level checks, businesses have to use fraud-prevention solutions that are resilient against many different kinds of spoofing.
Device fingerprinting security platforms collect and examine device fingerprints, among other types of user activity and behavior, to determine the risk that an individual is not a legitimate user. After cross-referencing information, these systems can return low-risk or high-risk fraud signals, which businesses' authentication engines use to decide whether to present more friction and require additional authentication or to authorize the user.
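The cross-referencing step described above can be sketched as a weighted comparison between the fingerprint seen at login and the devices already known for the account. This is an added example, not code from any fingerprinting product; the attribute names, weights, 0.8 threshold and sample devices are all assumptions.

```javascript
// Added example: attribute names, weights and threshold are assumptions.
// Heavier weights go to attributes that rarely change on a genuine device.
const WEIGHTS = {
  platform: 3,     // operating system
  deviceModel: 3,
  language: 2,
  timezone: 2,
  screen: 2,
  userAgent: 1,    // changes with every browser update
  ipPrefix: 1,     // changes with the network, and can be spoofed
};

// Ignore cosmetic differences (case, surrounding whitespace).
function normalize(value) {
  return String(value ?? '').trim().toLowerCase();
}

// Weighted share of attributes that match, from 0 (none) to 1 (all).
function similarity(seen, known) {
  let matched = 0;
  let total = 0;
  for (const [attr, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    const value = normalize(seen[attr]);
    if (value !== '' && value === normalize(known[attr])) matched += weight;
  }
  return matched / total;
}

// Cross-reference a login's fingerprint against devices already seen on the account.
function riskSignal(seen, knownDevices, threshold = 0.8) {
  const score = knownDevices.reduce((best, d) => Math.max(best, similarity(seen, d)), 0);
  return { score, risk: score >= threshold ? 'low' : 'high' };
}

// Constructed sample data (not real devices).
const enrolled = [{
  platform: 'Android', deviceModel: 'Pixel 7', language: 'en-GB',
  timezone: 'Europe/London', screen: '1080x2400',
  userAgent: 'Chrome/120', ipPrefix: '203.0.113',
}];
// Same phone after a browser update, on a different network.
const sameDevice = { ...enrolled[0], userAgent: 'Chrome/121', ipPrefix: '198.51.100' };
// Different machine that presents the account's usual IP prefix and timezone.
const otherDevice = {
  platform: 'Windows', deviceModel: 'unknown', language: 'en-US',
  timezone: 'Europe/London', screen: '1920x1080',
  userAgent: 'Chrome/121', ipPrefix: '203.0.113',
};
```

With these sample values, `riskSignal(sameDevice, enrolled)` stays low-risk despite the changed user agent and IP, while `riskSignal(otherDevice, enrolled)` is high-risk even though the IP prefix matches.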
It is not obvious or clear to users that their device is being fingerprinted by a mobile app or website, nor is it easy for this practice to be prevented or turned off.
According to GDPR, fingerprinting is only permitted if: