As the availability of unique IPs and user agents wanes and cookie reliability remains half-baked at best, device fingerprinting has emerged as a serious contender in the battle against online fraud and abuse. The aim of fingerprinting is to establish a consistent unique identifier for the same physical device or client over time. This identifier can then be utilized to detect multiple user accounts registered from the same device or a single account being shared across numerous devices.
Much like the proxy piercing techniques covered in 7 Proxy Piercing Techniques: What Works in 2023, device fingerprinting struggles to strike a balance between privacy and security, particularly as modern browsers and privacy tools develop to combat IP leaks and other potential privacy breaches. Initiatives such as Apple's ITP and Google's Privacy Sandbox are reining in data collection practices, compelling developers to keep up with regulatory changes and modify their techniques accordingly.
Despite device fingerprinting's continued effectiveness in 2023, constructing a unique and robust device fingerprint is expected to grow more difficult in the near future due to the advancement of privacy measures and technology. Thus, it's imperative to supplement fingerprinting with other techniques, such as behavioral profiling, feature aggregation, and risk scores.
So, what are the most suitable open-source and commercial alternatives specifically for developers, specifically those that are easy and affordable to evaluate? In this blog post, we explore these options and outline the factors to consider when making an informed decision about the best device fingerprinting solution for your needs.
For developers exploring device fingerprinting on a budget or looking for an accessible entry point, open-source solutions offer a valuable starting point. Primarily web-based and independent of server-side components, these solutions allow you to familiarize yourself with the capabilities and limitations of device fingerprinting without committing to a commercial license. While they may lack the sophisticated techniques, such as machine learning and network effects, employed by their commercial counterparts, they serve as a useful introduction to the field.
For those seeking a more robust and feature-rich solution, commercial device fingerprinting providers offer advanced capabilities that often incorporate machine learning, network effects, and additional tools for a comprehensive fraud prevention system. These solutions tend to be more accurate, better maintained, and supported by dedicated customer service teams, making them a more reliable choice as the landscape of device fingerprinting evolves due to privacy controls and technological advancements.
Keep in mind that the following list is not exhaustive, as new projects emerge regularly, but it provides a solid overview of available open-source options.
CreepJS is likely the most comprehensive open-source fingerprinting solution available, providing an extensive range of detection techniques. It identifies weaknesses and privacy leaks in modern anti-fingerprinting extensions such as Privacy Badger and Trace, and offers robust fingerprinting for more resistant browsers like Brave as well as automation tools such as puppeteer-extra-plugin-stealth. For larger production integration, you may want to cherry-pick specific functionality, such as the concept of "browser lies," instead of bundling the entire script, which would require some research and work.
FingerprintJS is a user-friendly alternative to CreepJS due to its simpler configuration. Originally created by Valentin Vasilyev in 2013, FingerprintJS transitioned into a venture-backed company in 2020, developing FingerprintJS Pro, a more advanced and accurate visitor identification service. The open-source version offers limited accuracy due to its client-side-only implementation, but it's easy to upgrade from the free option to the paid Pro plan.
Broprint.js is a streamlined, user-friendly library engineered to adeptly generate visitor identifiers. Though it appears to be more of a passion project, given its 16 commits, this lightweight solution integrates smoothly into projects without adding considerable overhead. By leveraging both canvas and audio fingerprinting techniques, Broprint.js offers a holistic fingerprinting approach, successfully identifying unique visitors with ease.
Supercookie is an innovative solution that uses favicons to assign a unique identifier to website visitors. Unlike traditional tracking methods, this ID can be stored persistently and cannot be easily cleared by the user. The tracking method works even in incognito mode and is not cleared by cache flushing, browser closing, or ad-blocker installation. While Supercookie offers a unique approach to browser fingerprinting, developers should consider the privacy implications and ethical aspects of using such a tracking method.
Although not a complete device fingerprinting solution, detectIncognito.js is worth mentioning as it offers a standalone feature for incognito mode detection without requiring a comprehensive solution. Please note that detecting private modes in browsers is an arms race, and this script may not work indefinitely.
Unlike the open-source alternatives, the list of commercial vendors presented here is more comprehensive, as these four notable providers have a developer-centric approach to trials, pricing, and documentation, making them stand out in the market.
Fingerprint.com offers a standalone device fingerprinting solution that focuses on its core functionality. It also includes features like geolocation, incognito detection, and bot detection. However, it doesn't provide the logic required to act on the fingerprint data. Fingerprint.com offers a 14-day free trial, followed by a $200/month plan for 100,000 API calls.
Castle presents a comprehensive device fingerprinting solution with an emphasis on aggregation and analytics. It assists in creating real-time logic for detecting multi-accounting and account sharing, as well as backtesting rules on historical data. This data-driven approach allows you to fully utilize your device fingerprints. Castle offers a 30-day free trial, with subsequent pricing at $33/month for 10,000 API calls.
IPQS provides an API-driven approach to device fingerprinting, granting developers easy access to its powerful features through a straightforward interface. Its offering is similar to Fingerprint.com but also includes additional APIs for more comprehensive fraud detection. IPQS has a free tier for up to 500 API calls/month, with pricing starting at $999/month thereafter.
Seon is a commercial fingerprinting solution that prioritizes data enrichment, bolstering the accuracy and effectiveness of its device fingerprinting capabilities. Like Castle, Seon leverages fingerprints in more sophisticated ways using aggregations. While Castle specializes in data visualization and querying, Seon focuses on identity enrichment, such as finding social media contacts associated with an email or phone number. Seon offers a free plan up to 2,000 API calls and then starts at $299/month which includes 4,000 API calls.
At a high level, the growing complexity of device fingerprinting makes commercial solutions potentially more suitable, as they are designed to keep pace with the constant changes in privacy controls and technology, however open-source solutions can be a good alternative if you're just starting out or are concerned about costs. Here's an outline of what to consider when choosing between open-source and commercial solutions:
Among the open-source options, CreepJS and FingerprintJS are the best maintained and most reliable choices. FingerprintJS is particularly user-friendly and should be the easiest for developers to get started with.
Selecting a specific commercial vendor ultimately depends on your price sensitivity and need for a more or less comprehensive solution. Fingerprint.com and IPQS offer more isolated and distinct fingerprinting APIs, whereas Castle and Seon provide end-to-end fraud prevention solutions. All of the vendors allow you to try their services for free, and they offer low-fee plans as you start scaling.
In the battle against online fraud and abuse, it's crucial to anticipate and adapt to emerging trends that will affect the efficiency of device fingerprinting. The following developments are already underway as it relates to device fingerprinting:
By staying informed and adapting to these trends, developers can make better decisions when selecting a device fingerprinting solution, ensuring the security of their applications and the privacy of their users. In this ever-changing landscape, the ability to anticipate and adjust will be crucial for success.