Fingerprinting
Descope provides built-in device fingerprinting and risk detection capabilities to help you strengthen your application's security. By analyzing device and session data, Descope can detect suspicious activity such as bot behavior, impossible travel, and unrecognized devices.
You can use these built-in risk signals (riskInfo) directly in your authentication flows or enhance them with advanced fraud detection connectors. This guide provides a high-level overview of both options.
Built-In Risk Signals (riskInfo)
For implementation instructions, visit the Implementing Fingerprinting guide.
Every Descope project includes several default risk signals available through the riskInfo context object. These signals can be used in flow logic to adapt the authentication flow based on the risk level of the user.
| Signal | Description |
|---|---|
| riskInfo.botDetected | Detects bot-like behavior based on network-level signals from Cloudflare. |
| riskInfo.impossibleTravel | Flags login attempts that are geographically implausible compared to previous logins, based on time and distance. |
| riskInfo.riskScore | Risk score (0 - 1) derived from Cloudflare and optional connector signals. Learn more |
| riskInfo.trustedDevice | Indicates whether the current device was previously marked as trusted via a cookie on your custom domain. |
These signals are available by default and can be used without additional setup in most cases.
Example Use Cases
Risk detection can be used throughout your authentication flows to reduce friction for low-risk users and enforce stronger checks for high-risk scenarios.
| Use Case | Example | How Fingerprinting Helps |
|---|---|---|
| Bot Prevention at Signup | Preventing automated account creation. | Use riskInfo.botDetected or riskInfo.riskScore to challenge suspicious signups with CAPTCHA or block them entirely. |
| High-Risk Login Detection | Detecting compromised accounts or unfamiliar devices. | Use riskInfo.riskScore and riskInfo.trustedDevice to trigger MFA for high-risk logins. |
| Adaptive Authentication | Adjusting authentication steps based on risk. | Branch your flow to add verification steps only when certain risk signals are present. |
| Trusted Device Recognition | Reducing friction for returning users. | Use riskInfo.trustedDevice to skip MFA for previously verified devices. |
Enhancing Fingerprinting with Connectors
Most connector-based risk detection must be added after a Screen component in your flow.
Descope also supports integration with third-party fraud detection providers for more advanced risk analysis and fingerprinting. These connectors can be used in addition to or instead of the default riskInfo signals.
Some of the supported capabilities include:
- Advanced device fingerprinting and browser profiling
- VPN and proxy detection
- AI operator and automation detection
- IP threat reputation checks
- Behavioral risk scoring
- Breach monitoring and email reputation
You can explore available connectors in the Connectors page. Examples include:
Most fingerprinting related connectors require an external subscription.
- reCAPTCHA Enterprise (bot protection)
- Turnstile (alternative CAPTCHA)
- Telesign (phone number and risk intelligence)
- Fingerprint (advanced device and browser fingerprinting)
- Forter and Sardine (fraud and behavioral risk scoring)
Next Steps
To configure and use fingerprinting in your flows, visit the Implementing Fingerprinting guide.
The implementation guide includes:
- How to set up fingerprinting in Descope Flows
- When to use the Fingerprint Assess action
- Best practices for balancing security and user experience