Fingerprinting

Descope offers advanced fingerprinting capabilities for enhancing the security of your applications. Fingerprinting technology assesses the risk associated with a user's session by analyzing various attributes of the user's device and session. This can effectively identify potential fraud or security threats, such as new devices or unauthorized VPN usage.

This documentation provides an overview of Descope's fingerprinting features, a list of included and paid features, and a step-by-step guide to integrating fingerprinting into your projects.

Available Features

Free Tier

  • Risk-Based Authentication: This will assign a risk score to each session based on the collected fingerprint data and other attributes. It is powered by Cloudflare's risk posture management.
  • Bot Detection: This will identify and prevent login/signup attempts by automated bots. It is powered by Cloudflare's bot management.
  • Impossible Traveler: This will return how plausible the user's login request is, based on the geographical distance between the location of the previous login attempt and the current location. This is powered by Descope.

These features are already enabled in every Descope Project. To use them, add the riskInfo conditions that are available under conditional statements, like so:

[Image: Conditional block in flow]
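
The Impossible Traveler feature listed above compares the location and time of the previous login with those of the current one. The following is an added example of that kind of check, not Descope's implementation; the speed ceiling, the minimum-distance threshold, the event field names and the sample logins are assumptions constructed for illustration.

```javascript
// Added illustration: impossible-travel check over constructed login events.
// Not Descope's implementation; thresholds and field names are assumptions.
const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 900; // assumed ceiling: roughly airliner cruise speed
const MIN_DISTANCE_KM = 50;    // assumed: ignore IP-geolocation jitter
const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle distance between two {lat, lon} points (haversine formula).
function haversineKm(a, b) {
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.min(1, Math.sqrt(h)));
}

// Compare the current login with the previous one for the same user.
// Returns the distance, the speed the user would have needed, and a verdict.
function assessTravel(prev, curr) {
  const distanceKm = haversineKm(prev, curr);
  const hours = (Date.parse(curr.time) - Date.parse(prev.time)) / 3.6e6;
  if (distanceKm < MIN_DISTANCE_KM) {
    return { distanceKm, requiredKmh: 0, impossible: false };
  }
  // Zero or negative elapsed time (clock skew, replay) cannot cover real distance.
  const requiredKmh = hours > 0 ? distanceKm / hours : Infinity;
  return { distanceKm, requiredKmh, impossible: requiredKmh > MAX_PLAUSIBLE_KMH };
}

// Walk a user's time-ordered login history and flag each impossible hop.
function flagImpossibleLogins(events) {
  const flagged = [];
  for (let i = 1; i < events.length; i++) {
    const result = assessTravel(events[i - 1], events[i]);
    if (result.impossible) flagged.push({ event: events[i], ...result });
  }
  return flagged;
}

// Constructed sample: New York, London one hour later, London again, Paris next day.
const SAMPLE_LOGINS = [
  { id: "e1", time: "2024-05-01T12:00:00Z", lat: 40.7128, lon: -74.006 },
  { id: "e2", time: "2024-05-01T13:00:00Z", lat: 51.5074, lon: -0.1278 },
  { id: "e3", time: "2024-05-01T13:30:00Z", lat: 51.508, lon: -0.127 },
  { id: "e4", time: "2024-05-02T09:00:00Z", lat: 48.8566, lon: 2.3522 },
];
```

Only the New York to London hop is flagged in the sample; the short London hop falls under the jitter threshold and the London to Paris hop is well within the speed ceiling.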

Pro Tier

If you are a Pro tier customer, you will have the ability to use the feature below:

  • Trusted Device: Creates a unique fingerprint that is used by Descope to analyze information about the user's device and browser. This will allow you to mark specific devices for a user as a "trusted" device.

Instead of using localStorage (as the Remember Me functionality does) to cache the user's details, this functionality relies on the Top-Level-Domain cookie. Since Trusted Device relies on the use of cookies, you must have a properly configured custom domain in your Descope Project to use it.

Enterprise (w/Fingerprinting Add-On) Tier

These additional paid features do not come with a standard Enterprise tier of service. They can be implemented with the Fingerprint add-on, mentioned on our Pricing Page.

The features below operate differently from the Free / Pro features mentioned above. The fingerprinting add-on, available only to our Enterprise customers, creates a browser fingerprint from information gathered through the web browser. Unlike cookies, which rely on a unique identifier stored inside the browser, browser fingerprinting is stateless and does not require storing information on the client.

These fingerprints will automatically be stored on your custom domain, configured via the Base URL parameter in your client SDK initialization.

These features include:

  • New Device: Creates a unique fingerprint that can be used to analyze whether a user is logging in with a new device. This can also be implemented with Trusted Device, but will not be dependent on client cookies and instead will rely on FingerprintJS.
  • VPN Detection: Detects unauthorized VPN usage from an authentication request. This will rely on FingerprintJS.

Once you've added the Descope Fingerprinting add-on, you will have to perform the steps here to gain access to the paid features.

Connectors

Descope can integrate with Fingerprint.com. Beyond device fingerprinting, security and "fingerprinting-like" capabilities in Descope flows can also be extended with a variety of connectors, including AbuseIPDB, Have I Been Pwned, Forter and more. These services typically rely on a paid subscription, and you integrate them into your Descope flows with a connector. For more info on these, visit our documentation on Connectors here.

How to Implement Fingerprinting

If you wish to know how to implement any of the capabilities mentioned in this guide, you can visit our guide on how to use these features in your flow.

Conclusion

By integrating Descope's fingerprinting features, you can enhance the security of your application by assessing device and session risk, detecting bots, and applying risk-based authentication measures.
