It’s important to note that device fingerprinting doesn’t detect fraud alone, it’s most effective when combined with other fraud detection methodologies. This includes analyzing user activity, IP address, geolocation and payment information. However, analyzing someone’s device fingerprint is often one of the first red flags, and can be used to trigger followup or other forms of enhanced due diligence.
For example, let’s say that a risk team device fingerprinting documentation is looking at the details of a checkout transaction. They notice that the user’s reported screen resolution doesn’t match their physical device, indicating that they could be spoofing their device. By combining this data with other information, the risk team can quickly determine that this is likely fraud and take action accordingly.
Another way that device fingerprinting is useful is in helping to identify if a person has visited a website before without using cookies. This is known as device re-identification and can help prevent fraud or other security failures such as account takeovers by recognizing when a user has been attempting to reuse the same device and/or location.
Lastly, device fingerprinting is commonly used in marketing to track and deliver personalized content to visitors. This can be used to display different content based on a visitor’s unique configuration of hardware, software and browser. The device identifier is usually tied to a cookie, ensuring that this content can only be delivered to the same device once.
It is also worth noting that it is extremely difficult for people to prevent device fingerprinting, since the information collected is basic and passed to websites whenever they load in a web browser. This is why many companies rely on it as a backup for tracking when cookies cannot be used. In fact, Digiday recently asked seven ad tech companies (BounceX, Dataxu, Index Exchange, LiveRamp, Lotame, Sovrn and Tapad) if they use device fingerprinting to track people and all of them said that they do.
To enable device fingerprinting, a developer must implement the deviceFingerprint method of a custom device handler. The definitionMetadata method defines core information about the device handler including a map of parameters and a closure. The closure provides a way for the developer to customize how the device handler collects fingerprint information and what features it should support. A default set of parameters is available, but the developer can modify this list as needed. This enables the device handler to build a unique device fingerprint that can be verified at login. The fingerprint is then stored in a secure cookie or Flash shared object for subsequent identifications. The Oracle Adaptive Access Manager Admin console can then evaluate the probability that the fingerprinted device is a device that has been previously identified.