As the availability of unique IPs and user agents wanes and cookie reliability remains half-baked at best, device fingerprinting has emerged as a serious contender in the battle against online fraud and abuse. The aim of fingerprinting is to establish a consistent unique identifier for the same physical device or client over time. This identifier can then be utilized to detect multiple user accounts registered from the same device or a single account being shared across numerous devices.
Much like the proxy piercing techniques covered in 7 Proxy Piercing Techniques: What Works in 2023, device fingerprinting struggles to strike a balance between privacy and security, particularly as modern browsers and privacy tools develop to combat IP leaks and other potential privacy breaches. Initiatives such as Apple's ITP and Google's Privacy Sandbox are reining in data collection practices, compelling developers to keep up with regulatory changes and modify their techniques accordingly.
Despite device fingerprinting's continued effectiveness in 2023, constructing a unique and robust device fingerprint is expected to grow more difficult in the near future due to the advancement of privacy measures and technology. Thus, it's imperative to supplement fingerprinting with other techniques, such as behavioral profiling, feature aggregation, and risk scores.
So, what are the most suitable open-source and commercial alternatives specifically for developers, specifically those that are easy and affordable to evaluate? In this blog post, we explore these options and outline the factors to consider when making an informed decision about the best device fingerprinting solution for your needs.
Open-source vs. Commercial Device Fingerprinting
For developers exploring device fingerprinting on a budget or looking for an accessible entry point, open-source solutions offer a valuable starting point. Primarily web-based and independent of server-side components, these solutions allow you to familiarize yourself with the capabilities and limitations of device fingerprinting without committing to a commercial license. While they may lack the sophisticated techniques, such as machine learning and network effects, employed by their commercial counterparts, they serve as a useful introduction to the field.
For those seeking a more robust and feature-rich solution, commercial device fingerprinting providers offer advanced capabilities that often incorporate machine learning, network effects, and additional tools for a comprehensive fraud prevention system. These solutions tend to be more accurate, better maintained, and supported by dedicated customer service teams, making them a more reliable choice as the landscape of device fingerprinting evolves due to privacy controls and technological advancements.
Open-source Device Fingerprinting
Keep in mind that the following list is not exhaustive, as new projects emerge regularly, but it provides a solid overview of available open-source options.
CreepJS is likely the most comprehensive open-source fingerprinting solution available, providing an extensive range of detection techniques. It identifies weaknesses and privacy leaks in modern anti-fingerprinting extensions such as Privacy Badger and Trace, and offers robust fingerprinting for more resistant browsers like Brave as well as automation tools such as puppeteer-extra-plugin-stealth. For larger production integration, you may want to cherry-pick specific functionality, such as the concept of "browser lies," instead of bundling the entire script, which would require some research and work.
FingerprintJS is a user-friendly alternative to CreepJS due to its simpler configuration. Originally created by Valentin Vasilyev in 2013, FingerprintJS transitioned into a venture-backed company in 2020, developing FingerprintJS Pro, a more advanced and accurate visitor identification service. The open-source version offers limited accuracy due to its client-side-only implementation, but it's easy to upgrade from the free option to the paid Pro plan.
Broprint.js is a streamlined, user-friendly library engineered to adeptly generate visitor identifiers. Though it appears to be more of a passion project, given its 16 commits, this lightweight solution integrates smoothly into projects without adding considerable overhead. By leveraging both canvas and audio fingerprinting techniques, Broprint.js offers a holistic fingerprinting approach, successfully identifying unique visitors with ease.
Supercookie is an innovative solution that uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored persistently and cannot be easily cleared by the user. The tracking method works even in incognito mode and is not cleared by cache flushing, browser closing, or ad-blocker installation. While Supercookie offers a unique approach to browser fingerprinting, developers should consider the privacy implications and ethical aspects of using such a tracking method.
Although not a complete device fingerprinting solution, detectIncognito.js is worth mentioning as it offers a standalone feature for incognito mode detection without requiring a comprehensive solution. Please note that detecting private modes in browsers is an arms race, and this script may not work indefinitely.
Commercial Device Fingerprinting
Unlike the open-source alternatives, the list of commercial vendors presented here is more comprehensive, as these four notable providers have a developer-centric approach to trials, pricing, and documentation, making them stand out in the market.
Fingerprint.com offers a standalone device fingerprinting solution that focuses on its core functionality. It also includes features like geolocation, incognito detection, and bot detection. However, it doesn't provide the logic required to act on the fingerprint data. Fingerprint.com offers a 14-day free trial, followed by a $200/month plan for 100,000 API calls.
Castle presents a comprehensive device fingerprinting solution with an emphasis on aggregation and analytics. It assists in creating real-time logic for detecting multi-accounting and account sharing, as well as backtesting rules on historical data. This data-driven approach allows you to fully utilize your device fingerprints. Castle offers a 30-day free trial, with subsequent pricing at $33/month for 10,000 API calls.
IPQS provides an API-driven approach to device fingerprinting, granting developers easy access to its powerful features through a straightforward interface. Its offering is similar to Fingerprint.com but also includes additional APIs for more comprehensive fraud detection. IPQS has a free tier for up to 500 API calls/month, with pricing starting at $999/month thereafter.
Seon is a commercial fingerprinting solution that prioritizes data enrichment, bolstering the accuracy and effectiveness of its device fingerprinting capabilities. Like Castle, Seon leverages fingerprints in more sophisticated ways using aggregations. While Castle specializes in data visualization and querying, Seon focuses on identity enrichment, such as finding social media contacts associated with an email or phone number. Seon offers a free plan up to 2,000 API calls and then starts at $299/month which includes 4,000 API calls.
The Ideal Device Fingerprinting Solution for Developers
At a high level, the growing complexity of device fingerprinting makes commercial solutions potentially more suitable, as they are designed to keep pace with the constant changes in privacy controls and technology, however open-source solutions can be a good alternative if you're just starting out or are concerned about costs. Here's an outline of what to consider when choosing between open-source and commercial solutions:
Open-source Device Fingerprinting
Among the open-source options, CreepJS and FingerprintJS are the best maintained and most reliable choices. FingerprintJS is particularly user-friendly and should be the easiest for developers to get started with.
- Budget: If you're working with a limited budget or want to experiment with device fingerprinting without incurring costs, open-source solutions provide a cost-effective starting point. Additionally, fingerprinting can become very expensive at scale, making open-source alternatives more appealing for developers with budget constraints.
- Customization: Open-source solutions often allow greater flexibility for customization and modification, enabling you to tailor the fingerprinting techniques to your application's unique requirements.
- Transparency: Open-source solutions provide greater transparency into the inner workings of the fingerprinting process. As a developer, it's easier to understand what's happening behind the scenes, whereas commercial solutions are often obfuscated and harder to scrutinize.
Commercial Device Fingerprinting
Selecting a specific commercial vendor ultimately depends on your price sensitivity and need for a more or less comprehensive solution. Fingerprint.com and IPQS offer more isolated and distinct fingerprinting APIs, whereas Castle and Seon provide end-to-end fraud prevention solutions. All of the vendors allow you to try their services for free, and they offer low-fee plans as you start scaling.
- Accuracy: Commercial solutions generally offer advanced features like machine learning and network effects, leading to a reduction in "collisions" – situations where separate physical devices of two different users are mistakenly identified as the same. This issue is prevalent with open-source solutions.
- Support: Commercial solutions typically include dedicated customer support and regular updates. For example, if an end-user encounters issues due to your fingerprinting rules, having access to a support team can help you understand why a fingerprint was generated in a certain way.
- End-to-end: Commercial alternatives often incorporate additional tools and services, such as behavioral analysis, feature aggregation, and risk scoring. These features can enhance device fingerprinting, resulting in a more robust fraud detection system. Since a fingerprint alone typically isn't enough to indicate fraud, this extra layer of logic is essential.
In the battle against online fraud and abuse, it's crucial to anticipate and adapt to emerging trends that will affect the efficiency of device fingerprinting. The following developments are already underway as it relates to device fingerprinting:
- Increasing privacy protections: As privacy regulations and browser initiatives to limit the data that can be collected continue to evolve, the fidelity of fingerprints will keep being lowered.
- Broader reliance on machine learning: As a result of lower fidelity, fingerprinting techniques become more complex, and developers can expect a growing reliance on machine learning based methods to improve accuracy and reduce false positives by clustering data not only by device attributes but also the unique user behavior tracked on each device.
- Multi-layered fraud prevention: While device fingerprinting is currently highlighted as an (and sometimes the most) effective method, the industry is at the same time recognizing that device fingerprinting alone may not be enough to detect fraudulent activity, and is more a useful tool in a greater toolbox. This includes behavioral profiling, feature aggregation, and risk scores to create a robust and reliable fraud prevention system.
By staying informed and adapting to these trends, developers can make better decisions when selecting a device fingerprinting solution, ensuring the security of their applications and the privacy of their users. In this ever-changing landscape, the ability to anticipate and adjust will be crucial for success.