What is a Device Fingerprint?

A device fingerprint is a set of data about a computer, mobile phone, or tablet that helps identify devices used to access an online site. It works where cookies cannot by identifying a combination of hardware and software attributes that is unique to a device. This information is used to evaluate risk and respond accordingly.

A fingerprint is captured as a user logs in to a protected application (usually on a login page). The fingerprint is then stored on the server and can be compared against all fingerprints in OAAM to determine whether the device has been seen before or has a known history of fraudulent activity. A risk evaluation is then performed at a pre-authentication, post-authentication or in-session/transaction checkpoint.

Oracle Adaptive Access Manager supports several different types of fingerprinting including browser, JavaScript and Flash fingerprints. The digital fingerprint tab on the session details and listing pages shows a list of fingerprints that have been created for the user’s login process. OAAM also provides the framework so users can create their own custom fingerprints.

Browser fingerprinting uses a variety of methods to capture data about a device, including the browser type, installed extensions, system fonts, and configuration and version information from the operating system. The fingerprinting surface is always limited by the entropy of the available features. Sites should therefore indicate which features contribute to the fingerprinting surface and limit them where possible.
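To make the entropy point concrete, the following added example (not OAAM code or part of the original page) measures how many bits each attribute contributes across a constructed sample of eight hypothetical devices. The attribute names, sample values and function names are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Constructed sample: attribute values reported by eight hypothetical devices.
ATTRS = ("browser", "os", "fonts", "timezone")
ROWS = [
    ("Firefox", "Windows", "fonts-a", "UTC+1"),
    ("Firefox", "Windows", "fonts-b", "UTC+1"),
    ("Firefox", "macOS",   "fonts-c", "UTC+1"),
    ("Firefox", "macOS",   "fonts-d", "UTC+1"),
    ("Chrome",  "Linux",   "fonts-e", "UTC+1"),
    ("Chrome",  "Linux",   "fonts-f", "UTC+1"),
    ("Chrome",  "Android", "fonts-g", "UTC+1"),
    ("Chrome",  "Android", "fonts-h", "UTC+1"),
]
SAMPLE = [dict(zip(ATTRS, row)) for row in ROWS]

def entropy_bits(records, attrs):
    """Shannon entropy, in bits, of the combined value of attrs over records."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    total = len(records)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def unique_fraction(records, attrs):
    """Share of records whose combined value of attrs appears exactly once."""
    counts = Counter(tuple(r[a] for a in attrs) for r in records)
    return sum(1 for c in counts.values() if c == 1) / len(records)

def surface_report(records, attrs=ATTRS):
    """Per-attribute entropy, highest first, to show which features to limit."""
    per_attr = {a: entropy_bits(records, [a]) for a in attrs}
    return sorted(per_attr.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, bits in surface_report(SAMPLE):
        print(f"{name:9s} {bits:.2f} bits")
    # Correlated attributes do not add up: here the OS determines the browser.
    print("browser+os:", entropy_bits(SAMPLE, ["browser", "os"]), "bits")
    print("unique on all attributes:", unique_fraction(SAMPLE, ATTRS))
```

In this sample the font list alone makes every device unique, while the time zone contributes nothing, so limiting font enumeration would shrink the surface far more than hiding the time zone.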

A popular method of fingerprinting is to use the <canvas> element in HTML to draw an image with text and see how each device renders it. This is a very effective method of fingerprinting as minor differences in rendering can be used to differentiate devices from one another. Audio fingerprinting is also a fairly accurate way to identify devices as each has its own audio engine and sound library. However, audio fingerprinting is usually not as accurate as some other methods of fingerprinting due to the complexities of different devices’ audio processing algorithms.

The most common method of fingerprinting is to use a combination of all of the methods. This can be done through a custom fingerprint type that is created on the OAAM Admin console. This can include a custom combination of fingerprint types along with other contextual data about the user and the device such as the location, the time of day and so on.

OAAM is able to fingerprint the hardware and software identifiers of a mobile device such as the MAC address, IMEI number, OS version, phone settings and more. This is an excellent tool for detecting fake or stolen mobile devices. Mobile device fingerprinting can also be used to detect man-in-the-middle attacks where a fraudster can alter a customer’s transaction data or spoof the identity of a genuine user.