
    Device Fingerprinting: Definition and Role in Fraud Prevention

    Device fingerprinting is a key technology for identifying end-user devices within digital business processes. In the context of identity verification, it analyses technical characteristics of hardware and software to uniquely recognise a device, without relying on consent-based cookies.

    For companies, this method provides a preventive security layer that detects fraudulent activities, such as multi-accounting or automated bot attacks, at the earliest stage of a registration process. Device fingerprinting complements biometric verification with a technical risk assessment, increasing process security without raising drop-off rates through additional user input.

     

    What is Device Fingerprinting?

    Device fingerprinting is a technological method used to uniquely identify and recognise end-user devices without storing information (such as cookies) on the user’s device. Unlike traditional tracking mechanisms, it relies on the passive collection of technical attributes that browsers or apps transmit during a session.

    A practical example is the combination of browser version, installed plug-ins, and a specific list of locally available fonts. While millions of users may use the same browser, the likelihood that two users share the exact same configuration is extremely low.

    Another example is canvas fingerprinting: the browser is instructed to render an invisible image. Because this process depends on the graphics card and installed drivers, it generates a unique output that makes the device identifiable.

    In modern digital identity verification, this method plays a central role: it acts as a first line of defence in onboarding processes and enables early detection of fraud patterns before biometric capture or document verification even begins.


    How it Works and the Technical Parameters

    Device fingerprinting takes advantage of the fact that modern IT systems are highly individualised. A server collects multiple parameters that, when combined, form a virtually unique digital fingerprint. The degree of this uniqueness is measured as entropy.

    The rule is simple: the more attributes combined, the higher the probability that a device configuration is globally unique.
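The rule can be checked on a small sample. The following is an added example, not code from PXL Vision: it computes the joint entropy in bits of a growing attribute set and the share of devices that become unique. The eight devices and the field names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample population (not real measurements); "fonts" stands for a font-list hash.
ROWS = [
    ("Chrome",  "Europe/Zurich", "1920x1080", "A"),
    ("Chrome",  "Europe/Zurich", "1920x1080", "B"),
    ("Chrome",  "Europe/Zurich", "1366x768",  "A"),
    ("Chrome",  "Europe/Berlin", "1920x1080", "C"),
    ("Firefox", "Europe/Zurich", "1920x1080", "D"),
    ("Firefox", "Europe/Berlin", "1366x768",  "E"),
    ("Chrome",  "Europe/Berlin", "1366x768",  "F"),
    ("Chrome",  "Europe/Zurich", "1920x1080", "A"),   # same configuration as the first device
]
FIELDS = ("browser", "tz", "screen", "fonts")
DEVICES = [dict(zip(FIELDS, row)) for row in ROWS]

def _counts(devices, attrs):
    # How often each combination of the chosen attribute values occurs
    return Counter(tuple(d[a] for a in attrs) for d in devices)

def joint_entropy_bits(devices, attrs):
    """Shannon entropy (bits) of the combined attribute values across the population."""
    n = len(devices)
    return -sum(c / n * math.log2(c / n) for c in _counts(devices, attrs).values())

def surprisal_bits(devices, device, attrs):
    """Identifying information (bits) of one device: -log2 of the share of devices matching it."""
    share = _counts(devices, attrs)[tuple(device[a] for a in attrs)] / len(devices)
    return -math.log2(share)

def unique_fraction(devices, attrs):
    """Fraction of devices whose combined attribute values occur exactly once."""
    return sum(c == 1 for c in _counts(devices, attrs).values()) / len(devices)

if __name__ == "__main__":
    for k in range(1, len(FIELDS) + 1):
        attrs = FIELDS[:k]
        print(f"{'+'.join(attrs):28} entropy={joint_entropy_bits(DEVICES, attrs):.2f} bits "
              f"unique={unique_fraction(DEVICES, attrs):.0%}")
```

With eight devices the ceiling is log2(8) = 3 bits; the two identical configurations keep the full attribute set just below it, which is why a fingerprint is treated as a risk signal rather than proof of identity.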

     

    Collected Data Points in Detail

    A device fingerprint is created by aggregating multiple real-time data points:

    • Browser configuration: browser name and version, installed plug-ins, supported MIME types, language settings, default fonts
    • System information: operating system version, build number, system time, time zone, installed media drivers
    • Hardware specifications: screen resolution, color depth, CPU architecture, number of cores, hardware interfaces, battery status
    • Network parameters: IP address, internet service provider (ISP), proxy usage, VPN detection, and Tor exit nodes
    • Font probing: locally installed fonts, which are often highly individual and significantly increase entropy

    Note: a Tor exit node is the final node in the Tor network, where encrypted traffic re-enters the public internet, masking the user’s real IP address.

       

    Advanced Methods: Canvas & Audio Fingerprinting

    Modern systems use dynamic techniques beyond static browser data to increase accuracy.

    Canvas fingerprinting involves rendering an invisible graphic that varies at a pixel level depending on the user's hardware and software.

    Audio fingerprinting involves analysing how a browser processes an audio signal without producing any sound.

    These methods are highly resilient to traditional anti-tracking measures and provide a stable basis for identification.

     

    Distinction: Device fingerprinting vs. cookies

    When it comes to the technical implementation of security processes, it is crucial to understand the differences between device fingerprinting and traditional cookies. Unlike cookies, which rely on data being actively stored on the end device and not blocked or deleted by the browser, device fingerprinting operates independently of client-side storage. This makes the method significantly more resistant to manipulation attempts. The following table illustrates the technical and procedural differences:

     

    | Feature         | Cookies                                        | Device Fingerprinting                                      |
    |-----------------|------------------------------------------------|------------------------------------------------------------|
    | Storage         | Client-side (browser storage)                  | Server-side (based on transmitted data)                    |
    | Visibility      | Visible and deletable by users                 | Largely invisible to users                                 |
    | Stability       | Often deleted, blocked, or expire              | Resistant to cache clearing and browser resets             |
    | Primary purpose | Session management, marketing, personalisation | Security, fraud prevention, deepfake and bot detection     |
    | Transparency    | Requires user consent (opt-in)                 | Often justified by legitimate interest (Art. 6(1)(f) GDPR) |

     

    Regulatory Framework and GDPR Compliance

    Device fingerprinting operates within a narrowly defined legal framework. Because a digital fingerprint can be used to identify a device and thus, indirectly, a person, this information is protected under the GDPR and the European ePrivacy Directive. The latter has been transposed into German law through the TDDDG (Telecommunications, Digital Services and Data Protection Act).

    A decisive factor for legal compliance is the intended purpose. Case law, particularly the 2019 European Court of Justice ruling C-673/17 "Planet49", generally requires active consent (opt-in) for the collection of device information and the setting of cookies. However, the ePrivacy Directive provides an important exception: measures that are "strictly necessary" to securely provide a requested service do not require prior consent.

    In the area of fraud prevention, companies can therefore process data based on legitimate interests pursuant to Art. 6(1)(f) GDPR. Here, protection against identity theft and compliance with legal requirements, such as in the context of AML checks, are given greater weight than intrusion into privacy.

    In short, while permission must be sought for marketing tracking, the technical safeguarding of the onboarding process to prevent criminal activities is legally privileged, provided that the data is used exclusively for this security purpose.

     

    Relevance for Businesses and Fraud Prevention

    In highly automated business processes, device fingerprinting is an essential part of risk management. It is the first line of defence in digital onboarding. Companies use this technology to identify complex fraud scenarios that cannot be detected by traditional identification metrics alone:

    • Multi-accounting detection: identifying users creating multiple accounts from the same device
    • Bot detection: spotting inconsistencies between user-agent data and actual rendering behaviour
    • Geofencing & proxy checks: comparing physical location with ID data; VPN usage increases risk scores
    • Velocity checks: monitoring registration frequency per device to prevent mass attacks (e.g., DDoS or bulk registrations)
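
The four checks above can be expressed as server-side logic over registration events. This is an added example, not PXL Vision's implementation: the thresholds, the field names (`render_os`, `vpn`, `fonts`) and the sample events are assumptions constructed for illustration, and the User-Agent comparison is a simplified stand-in for a rendering-consistency check.

```python
import hashlib
import json
from collections import defaultdict

WINDOW_S, MAX_PER_WINDOW, MAX_ACCOUNTS = 600, 2, 2   # assumed thresholds, tune per service

def fingerprint(attrs):
    """Server-side device ID: SHA-256 over the canonically ordered attributes."""
    blob = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def assess(events):
    """Return {account: sorted risk flags} after replaying registrations in time order."""
    accounts, times, result = defaultdict(set), defaultdict(list), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        fp, flags = fingerprint(ev["device"]), set()
        accounts[fp].add(ev["account"])
        if len(accounts[fp]) > MAX_ACCOUNTS:            # multi-accounting on one device
            flags.add("multi_accounting")
        # Keep only registrations inside the sliding window, then add this one
        times[fp] = [t for t in times[fp] if ev["ts"] - t < WINDOW_S] + [ev["ts"]]
        if len(times[fp]) > MAX_PER_WINDOW:             # velocity per device
            flags.add("velocity")
        # Bot signal (simplified): OS claimed in the User-Agent vs. OS inferred from rendering
        if ev["device"]["render_os"].lower() not in ev["user_agent"].lower():
            flags.add("ua_mismatch")
        if ev["vpn"]:                                   # VPN use raises the risk score
            flags.add("vpn")
        result[ev["account"]] = sorted(flags)
    return result

# Constructed sample registrations (ts in seconds), not real traffic
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
DEV_A = {"render_os": "Windows", "screen": "1920x1080", "tz": "Europe/Zurich", "fonts": "a1"}
DEV_B = {"render_os": "Linux", "screen": "1366x768", "tz": "UTC", "fonts": "b7"}
EVENTS = [
    {"ts": 0,    "account": "u1", "device": DEV_A, "user_agent": WIN_UA, "vpn": False},
    {"ts": 60,   "account": "u2", "device": DEV_A, "user_agent": WIN_UA, "vpn": False},
    {"ts": 120,  "account": "u3", "device": DEV_A, "user_agent": WIN_UA, "vpn": False},
    {"ts": 5000, "account": "u4", "device": DEV_A, "user_agent": WIN_UA, "vpn": False},
    {"ts": 200,  "account": "u5", "device": DEV_B, "user_agent": WIN_UA, "vpn": True},
]

if __name__ == "__main__":
    for account, flags in assess(EVENTS).items():
        print(account, flags)
```

Account `u4` arrives after the velocity window has expired but is still flagged for multi-accounting, because the set of accounts seen per device is kept independently of the time window.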

    The Future of Fraud Prevention: PXL Vision & Device Signals

    Device identification is a highly complex discipline that is gaining importance due to the rise of synthetic identity fraud and advanced deepfakes.

    While biometric methods verify who the person is, device fingerprinting provides the technical context to detect manipulation at the infrastructure level.

    At PXL Vision, the current focus is on AI-based document and biometric verification. At the same time, we increasingly recognize the potential of combining these capabilities with device intelligence.

    We are therefore evaluating how device signals can be integrated into our platform. We also recommend that companies regularly review their end-to-end user journeys and enhance them with additional security layers such as device fingerprinting where appropriate.

    The goal is to extend our multi-layered approach and make identity verification even more resilient against sophisticated, automated fraud attacks, enabling a truly comprehensive fraud prevention strategy.

     

     

    FAQ: Frequently Asked Questions about Device Fingerprinting



    Is device fingerprinting allowed without explicit consent?

    In fraud prevention and IT security contexts, device fingerprinting can often be justified based on legitimate interest (Art. 6(1)(f) GDPR). For marketing or user profiling, explicit consent is required.

    How reliable is device fingerprinting?

    Accuracy is very high, but not absolute. Users can attempt to obscure their fingerprint using tools such as the Tor Browser or anti-fingerprinting software. For this reason, it is always combined with other identity verification methods in professional environments.

     
