Device Fingerprinting in Flows

Looking for a high-level overview of what fingerprinting is and how it helps? See the Fingerprinting Overview page for key features, use cases, and connector capabilities.

Descope provides built-in fingerprinting and risk-based features that you can use to build secure, adaptive authentication flows.
This guide shows you how to configure and use these built-in capabilities inside your Descope Flows.

For a general overview of fingerprinting capabilities and what default features are available, visit the Fingerprinting overview page.

Using the Fingerprint Assess Action

Certain risk detection features (riskInfo.botDetected and riskInfo.riskScore) require the Fingerprint Assess action to be used in your Descope flows.

To use these features:

  1. Add a Screen where the user interacts (e.g., login, signup, or MFA screen).
  2. Insert a Fingerprint Assess action immediately after the Screen.
  3. Use the collected fingerprinting and risk data in conditional logic to build your authentication flow (e.g., challenge users with high risk).

Which Features Require the Fingerprint Assess Action?

| Risk Signal | Requires Fingerprint Assess? |
| --- | --- |
| riskInfo.botDetected | ✅ Yes |
| riskInfo.riskScore | ✅ Yes |
| riskInfo.impossibleTravel | ❌ No |
| riskInfo.trustedDevice | ❌ No |

Risk Signals and Implementation

Risk Score (riskInfo.riskScore)

The risk score provides a unified measure of authentication risk (0-1) based on multiple signals.

  • Detection Sources:
    • Network-level analysis via Cloudflare
    • Enhanced by reCAPTCHA, Turnstile, Telesign, or other connectors when configured
  • Scoring Logic: Takes the maximum risk level from all sources for a conservative final score
  • Behavior:
    • With Fingerprint Assess: Both Cloudflare and connector signals are evaluated
    • Without Fingerprint Assess: Only connector signals contribute to the score

Implementation

Use risk scoring to adapt your flow based on the perceived risk level of each login:

  1. Add a Screen (e.g., login, signup)
  2. Add the Fingerprint / Assess action immediately after the Screen
  3. Create a Conditional Step checking if riskInfo.riskScore exceeds your risk threshold

Example: Trigger step-up authentication if riskInfo.riskScore > 0.5

Bot Detection (riskInfo.botDetected)

Detects bot-like behavior during authentication attempts.

  • Detection Source: Network-level analysis via Cloudflare
  • Limitations: Purely network-based, no browser or device fingerprinting
  • Requirement: Requires the Fingerprint Assess action after a screen

Implementation

  1. Insert the Fingerprint / Assess action after the Screen
  2. Create a Conditional Step that checks if riskInfo.botDetected == true

Example: Block login attempts or apply stricter authentication if a bot is detected

Impossible Travel (riskInfo.impossibleTravel)

Flags logins from geographically implausible locations.

  • Detection Source: Geolocation and timestamp analysis
  • Requirement: No special requirements or Fingerprint Assess needed

Implementation

  1. Create a Conditional Step that checks if riskInfo.impossibleTravel == true

Example: Require re-authentication if impossible travel is detected

Trusted Device (riskInfo.trustedDevice)

Recognizes previously verified devices to reduce authentication friction.

  • Detection Source: First-party cookie on your custom domain
  • Requirements:
    • Pro tier or higher
    • Configured custom domain
    • No Fingerprint Assess needed

Implementation

  1. Configure your custom domain
  2. Choose one of these implementation options:
    • Add a Trust This Device button on a user-facing screen
    • Use the Mark Device As Trusted action step in your flow logic
  3. Use riskInfo.trustedDevice in conditional logic to adjust authentication

Connectors

Once you have these built-in features set up, you can further enhance your flows by combining them with Connector signals from services like:

  • reCAPTCHA Enterprise (bot protection)
  • Turnstile (alternative CAPTCHA)
  • Telesign (phone number and risk intelligence)
  • Fingerprint (advanced device and browser fingerprinting)
  • Forter and Sardine (fraud and behavioral risk scoring)

For a complete list of all of the available fraud / risk based connectors, visit the Connectors page.

Using Connector Risk vs. Unified Risk Score

Third-party services like FingerprintJS, Turnstile, and Forter provide detailed risk signals optimized for their detection methods.

Aggregating everything into a single risk score may oversimplify your risk analysis.

By default, Descope provides a unified riskScore — but if you're using advanced connectors like Forter or Sardine, consider evaluating their individual responses directly for more control.

| Approach | When to Use |
| --- | --- |
| Use riskInfo.riskScore | When you want simple risk evaluation for a basic flow (e.g., if riskScore > 0.7, trigger step-up authentication). |
| Use Connector-Specific Outputs | When using advanced services like Fingerprint, Forter, or Sardine, where granular risk signals should be evaluated independently for better accuracy and control. |
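
The scoring logic and the unified-versus-connector trade-off described on this page, modeled as an added example (not Descope's code): the unified score is the maximum over sources, and the Cloudflare-derived signals count only when Fingerprint Assess ran. The function names, the ordering of the checks, the 0.0 default and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class RiskInfo:
    """Mirrors the riskInfo.* keys named on this page."""
    risk_score: float
    bot_detected: bool
    impossible_travel: bool
    trusted_device: bool

def build_risk_info(connector_scores, cloudflare_score, cloudflare_bot,
                    impossible_travel, trusted_device, assess_ran):
    """Model of the page's rules: final score = max over all sources, and the
    Cloudflare-derived signals are only available if Fingerprint Assess ran."""
    sources = list(connector_scores.values())
    if assess_ran:
        sources.append(cloudflare_score)
    return RiskInfo(
        risk_score=max(sources, default=0.0),  # 0.0 with no sources: assumption
        bot_detected=assess_ran and cloudflare_bot,
        impossible_travel=impossible_travel,   # no Assess needed
        trusted_device=trusted_device,         # no Assess needed
    )

def next_step(risk, threshold=0.5):
    """The page's conditional steps; the order they are checked in is an assumption."""
    if risk.bot_detected:
        return "block"
    if risk.impossible_travel:
        return "reauthenticate"
    if risk.risk_score > threshold:
        return "step_up"
    if risk.trusted_device:
        return "reduced_friction"
    return "standard"

# Constructed session: Cloudflare flags a bot, the one connector sees little risk.
SESSION = dict(connector_scores={"recaptcha": 0.2}, cloudflare_score=0.9,
               cloudflare_bot=True, impossible_travel=False, trusted_device=True)

def compare_assess():
    """Route the same session with and without the Fingerprint Assess action."""
    return tuple(next_step(build_risk_info(**SESSION, assess_ran=ran)) for ran in (True, False))

def same_unified_score():
    """Two constructed connector profiles that collapse to one unified score."""
    a = build_risk_info({"forter": 0.8, "sardine": 0.1}, 0.0, False, False, False, True)
    b = build_risk_info({"forter": 0.8, "sardine": 0.8}, 0.0, False, False, False, True)
    return a.risk_score, b.risk_score
```

In this model the same session is blocked when the Assess action runs and gets reduced friction when it is omitted. The two connector profiles in same_unified_score() cannot be told apart by riskInfo.riskScore alone, which is the case for evaluating connector outputs directly.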

For more information about all available fingerprinting capabilities and connector options, visit the Fingerprinting Overview documentation page.
