Device Fingerprinting in Flows
Descope provides built-in fingerprinting and risk-based features that you can use to build secure, adaptive authentication flows.
This guide shows you how to configure and use these built-in capabilities inside your Descope Flows.
For a general overview of fingerprinting capabilities and what default features are available, visit the Fingerprinting overview page.
Using the Fingerprint Assess Action
Certain risk detection features (riskInfo.botDetected and riskInfo.riskScore) require the Fingerprint Assess action to be used in your Descope flows.
To use these features:
- Add a Screen where the user interacts (e.g., login, signup, or MFA screen).
- Insert a Fingerprint Assess action immediately after the Screen.
- Use the collected fingerprinting and risk data in conditional logic to build your authentication flow (e.g., challenge users with high risk).
Which Features Require the Fingerprint Assess Action?
| Risk Signal | Requires Fingerprint Assess? |
|---|---|
riskInfo.botDetected | ✅ Yes |
riskInfo.riskScore | ✅ Yes |
riskInfo.impossibleTravel | ❌ No |
riskInfo.trustedDevice | ❌ No |
Risk Signals and Implementation
Risk Score (riskInfo.riskScore)
The risk score provides a unified measure of authentication risk (0-1) based on multiple signals.
- Detection Sources:
- Network-level analysis via Cloudflare
- Enhanced by reCAPTCHA, Turnstile, Telesign, or other connectors when configured
- Scoring Logic: Takes the maximum risk level from all sources for a conservative final score
- Behavior:
- With Fingerprint Assess: Both Cloudflare and connector signals are evaluated
- Without Fingerprint Assess: Only connector signals contribute to the score
Implementation
Use risk scoring to adapt your flow based on the perceived risk level of each login:
- Add a Screen (e.g., login, signup)
- Add the Fingerprint / Assess action immediately after the Screen
- Create a Conditional Step checking if
riskInfo.riskScoreexceeds your risk threshold
Example: Trigger step-up authentication if riskInfo.riskScore > 0.5
Bot Detection (riskInfo.botDetected)
Detects bot-like behavior during authentication attempts.
- Detection Source: Network-level analysis via Cloudflare
- Limitations: Purely network-based, no browser or device fingerprinting
- Requirement: Requires the Fingerprint Assess action after a screen
Implementation
- Insert the Fingerprint / Assess action after the Screen
- Create a Conditional Step that checks if
riskInfo.botDetected == true
Example: Block login attempts or apply stricter authentication if a bot is detected
Impossible Travel (riskInfo.impossibleTravel)
Flags logins from geographically implausible locations.
- Detection Source: Geolocation and timestamp analysis
- Requirement: No special requirements or Fingerprint Assess needed
Implementation
- Create a Conditional Step that checks if
riskInfo.impossibleTravel == true
Example: Require re-authentication if impossible travel is detected
Trusted Device (riskInfo.trustedDevice)
Recognizes previously verified devices to reduce authentication friction.
- Detection Source: First-party cookie on your custom domain
- Requirements:
- Pro tier or higher
- Configured custom domain
- No Fingerprint Assess needed
Implementation
- Configure your custom domain
- Choose one of these implementation options:
- Add a Trust This Device button on a user-facing screen
- Use the Mark Device As Trusted action step in your flow logic
- Add a Trust This Device button on a user-facing screen
- Use
riskInfo.trustedDevicein conditional logic to adjust authentication
Connectors
Once you have these built-in features set up, you can further enhance your flows by combining them with Connector signals from services like:
- reCAPTCHA Enterprise (bot protection)
- Turnstile (alternative CAPTCHA)
- Telesign (phone number and risk intelligence)
- Fingerprint (advanced device and browser fingerprinting)
- Forter and Sardine (fraud and behavioral risk scoring)
For a complete list of all of the available fraud / risk based connectors, visit the Connectors page.
Using Connector Risk vs. Unified Risk Score
Third-party services like FingerprintJS, Turnstile, and Forter provide detailed risk signals optimized for their detection methods.
Aggregating everything into a single risk score may oversimplify your risk analysis.
By default, Descope provides a unified riskScore — but if you're using advanced connectors like Forter or Sardine, consider evaluating their individual responses directly for more control.
| Approach | When to Use |
|---|---|
Use riskInfo.riskScore | When you want simple risk evaluation for a basic flow (e.g., if riskScore > 0.7, trigger step-up authentication). |
| Use Connector-Specific Outputs | When using advanced services like Fingerprint, Forter, or Sardine, where granular risk signals should be evaluated independently for better accuracy and control. |
For more information about all available fingerprinting capabilities and connector options, visit the Fingerprinting Overview documentation page.
Backup Custom Schemes
In this article, you will learn how to handle Custom Schemes in Android for running flows in Descope mobile sdks.
Embedded OTP with Generic HTTP Connectors
Learn how to utilize embedded OTP codes for authenticating users when sending customized notifications with your messaging connectors within Descope.