Device Fingerprinting in Flows
Descope provides built-in fingerprinting and risk-based features that you can use to build secure, adaptive authentication flows.
This guide shows you how to configure and use these built-in capabilities inside your Descope Flows.
For a general overview of fingerprinting capabilities and what default features are available, visit the Fingerprinting overview page.
Using the Fingerprint Assess Action
Certain risk detection features (riskInfo.botDetected and riskInfo.riskScore) require the Fingerprint Assess action to be used in your Descope flows.
To use these features:
- Add a Screen where the user interacts (e.g., login, signup, or MFA screen).
- Insert a Fingerprint Assess action immediately after the Screen.
- Use the collected fingerprinting and risk data in conditional logic to build your authentication flow (e.g., challenge users with high risk).
Which Features Require the Fingerprint Assess Action?
| Risk Signal | Requires Fingerprint Assess? |
|---|---|
| riskInfo.botDetected | ✅ Yes |
| riskInfo.riskScore | ✅ Yes |
| riskInfo.impossibleTravel | ❌ No |
| riskInfo.trustedDevice | ❌ No |
Risk Signals and Implementation
Risk Score (riskInfo.riskScore)
The risk score provides a unified measure of authentication risk (0-1) based on multiple signals.
- Detection Sources:
  - Network-level analysis via Cloudflare
  - Enhanced by reCAPTCHA, Turnstile, Telesign, or other connectors when configured
- Scoring Logic: Takes the maximum risk level from all sources for a conservative final score
- Behavior:
  - With Fingerprint Assess: Both Cloudflare and connector signals are evaluated
  - Without Fingerprint Assess: Only connector signals contribute to the score
Direction: Higher values mean more authentication risk (stronger signals that something may be off). This unified score is not the same as every vendor's native scale—for example, raw reCAPTCHA v3 uses a different convention (where a high score often means “likely human”). For strict bot yes/no logic, also consider riskInfo.botDetected and connector-specific outputs.
Interpreting riskInfo.riskScore
The table below is a practical way to read the unified score when tuning conditions. Exact boundaries depend on your traffic and tolerance for friction.
| Approximate range | Typical meaning |
|---|---|
| ~0.1-0.3 | Lower risk; often typical traffic or not strongly flagged |
| ~0.5+ | Elevated risk; a common starting point for extra verification (for example, step-up authentication) |
| ~0.7+ | Stronger risk; stricter step-up, MFA, or deny paths often use thresholds in this range |
Note
Treat these ranges as guidelines, not fixed rules. Adjust thresholds based on false positives, fraud losses, and user experience. The condition examples on this page (> 0.5, > 0.7) are illustrative patterns for adaptive flows.
Implementation
Use risk scoring to adapt your flow based on the perceived risk level of each login:
- Add a Screen (e.g., login, signup)
- Add the Fingerprint / Assess action immediately after the Screen
- Create a Conditional Step checking if riskInfo.riskScore exceeds your risk threshold
Example: Trigger step-up authentication if riskInfo.riskScore > 0.5
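The scoring behaviour described above (maximum across sources, the network signal counted only when Fingerprint Assess has run, every source expressed so that higher means riskier) can be modelled in a few lines. This is an added example, not Descope's code or API: the signal shape, the `scale` field, the `1 - score` inversion for "likely human" style scores, and the step names are all assumptions made for illustration.

```javascript
// Illustrative model only: not Descope's implementation.
// Every source is first expressed on the unified scale (0 = low risk, 1 = high risk).
const toUnified = {
  // Assumption: a "likely human" style score (high = good) is inverted.
  humanLikelihood: (s) => 1 - s,
  // Sources that already report risk (high = bad) pass through unchanged.
  risk: (s) => s,
};

function clamp01(x) {
  return Math.min(1, Math.max(0, x));
}

// signals: [{ source, kind: "network" | "connector", scale, score }]
// fingerprintAssessRan: whether the Fingerprint Assess action ran after the Screen.
function unifiedRiskScore(signals, fingerprintAssessRan) {
  // Without Fingerprint Assess, only connector signals contribute.
  const usable = signals.filter(
    (s) => s.kind === "connector" || fingerprintAssessRan
  );
  // Conservative aggregation: the maximum risk across all usable sources.
  return usable.reduce(
    (max, s) => Math.max(max, clamp01(toUnified[s.scale](s.score))),
    0
  );
}

// Thresholds follow the page's illustrative conditions (> 0.5, > 0.7).
function nextStep(riskScore, { stepUp = 0.5, strict = 0.7 } = {}) {
  if (riskScore > strict) return "mfa-or-deny";
  if (riskScore > stepUp) return "step-up";
  return "continue";
}

// Constructed sample signals for one login attempt.
const sample = [
  { source: "network", kind: "network", scale: "risk", score: 0.8 },
  { source: "captcha", kind: "connector", scale: "humanLikelihood", score: 0.9 },
];

const withAssess = unifiedRiskScore(sample, true);
const withoutAssess = unifiedRiskScore(sample, false);
console.log(withAssess, nextStep(withAssess));
console.log(withoutAssess.toFixed(2), nextStep(withoutAssess));
```

With the same inputs, dropping Fingerprint Assess removes the network signal and the login falls through to the lowest-friction path, which is why the action's placement after the Screen matters when tuning thresholds.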

Bot Detection (riskInfo.botDetected)
Detects bot-like behavior during authentication attempts.
- Detection Source: Network-level analysis via Cloudflare
- Limitations: Purely network-based, no browser or device fingerprinting
- Requirement: Requires the Fingerprint Assess action after a screen
Implementation
- Insert the Fingerprint / Assess action after the Screen
- Create a Conditional Step that checks if riskInfo.botDetected == true
Example: Block login attempts or apply stricter authentication if a bot is detected
Impossible Travel (riskInfo.impossibleTravel)
Flags logins from geographically implausible locations.
- Detection Source: Geolocation and timestamp analysis
- Requirement: No special requirements or Fingerprint Assess needed
Implementation
- Create a Conditional Step that checks if riskInfo.impossibleTravel == true
Example: Require re-authentication if impossible travel is detected

Trusted Device (riskInfo.trustedDevice)
Recognizes previously verified devices to reduce authentication friction.
- Detection Source: First-party cookie on your custom domain
- Requirements:
  - Pro tier or higher
  - Configured custom domain
  - No Fingerprint Assess needed
Implementation
- Configure your custom domain
- Choose one of these implementation options:
  - Add a Trust This Device button on a user-facing screen
  - Use the Mark Device As Trusted action step in your flow logic
- Use riskInfo.trustedDevice in conditional logic to adjust authentication
Connectors
Once you have these built-in features set up, you can further enhance your flows by combining them with Connector signals from services like:
- reCAPTCHA Enterprise (bot protection)
- Turnstile (alternative CAPTCHA)
- Telesign (phone number and risk intelligence)
- Fingerprint (advanced device and browser fingerprinting)
- Forter and Sardine (fraud and behavioral risk scoring)
For a complete list of all of the available fraud/risk connectors, check out the Fraud Connectors Doc page.
Using Connector Risk vs. Unified Risk Score
Third-party services like FingerprintJS, Turnstile, and Forter provide detailed risk signals optimized for their detection methods.
Aggregating everything into a single risk score may oversimplify your risk analysis.
By default, Descope provides a unified riskScore — but if you're using advanced connectors like Forter or Sardine, consider evaluating their individual responses directly for more control.
| Approach | When to Use |
|---|---|
| Use riskInfo.riskScore | When you want simple risk evaluation for a basic flow (e.g., if riskScore > 0.7, trigger step-up authentication). |
| Use Connector-Specific Outputs | When using advanced services like Fingerprint, Forter, or Sardine, where granular risk signals should be evaluated independently for better accuracy and control. |
For more information about all available fingerprinting capabilities and connector options, visit the Fingerprinting Overview documentation page.