Deep DivesDevice Fingerprinting

Device Fingerprinting

One-line relationship: C7 — deriving a stable device identity from browser and hardware signals, feeding into risk decisioning (C8) as one input among several, never as authentication on its own.

What it is

Every browser exposes a set of properties — user agent, installed fonts, screen resolution and colour depth, timezone, language, WebGL/canvas rendering quirks, hardware concurrency — that vary across devices but aren’t individually unique to any one device. Device fingerprinting combines many of these weak, individually-common signals into a single, reasonably stable identifier that tends to persist across sessions even without cookies, because it’s derived from the device’s actual characteristics rather than anything stored on it.

ThreatMetrix (the incumbent vendor in this space, referenced throughout the Atlas) does this at scale: fingerprint plus a global reputation network — has this device, this fingerprint, this combination of signals been seen in fraud before, anywhere in the network, not just on this bank’s own site.

Try it — a non-invasive demo

The accuracy/privacy tension

The more entropy a fingerprint collects, the more uniquely identifying it becomes — and the more it starts to resemble tracking a user did not consent to, rather than securing an account they did. Canvas and WebGL rendering fingerprints in particular are contentious precisely because they’re highly identifying and largely invisible to the user; some browsers (Safari, Firefox in strict mode) now actively randomize these outputs specifically to defeat fingerprinting. A production device-intelligence deployment has to navigate this tension deliberately — collecting enough signal to be useful for fraud detection, without crossing into surveillance the user never agreed to, and with a lawful basis that holds up under GDPR (see Standards & Compliance).

What to take to the client

Device fingerprinting is a real, useful signal — but it’s probabilistic, degrades as browsers actively fight it, and it’s one input to C8’s risk decision, not a gate on its own. Treat a fingerprint match as “this looks like a device we’ve seen,” not “this is proven to be that device” — the difference matters when a false positive means locking out a genuine customer.