Device Fingerprinting in Flows
Descope provides built-in fingerprinting and risk-based features that you can use to build secure, adaptive authentication flows.
This guide shows you how to configure and use these built-in capabilities inside your Descope Flows.
For a general overview of fingerprinting capabilities and what default features are available, visit the Fingerprinting overview page.
Using the Fingerprint Assess Action
Certain risk detection features (riskInfo.botDetected
and riskInfo.riskScore
) require the Fingerprint Assess action to be used in your Descope flows.
To use these features:
- Add a Screen where the user interacts (e.g., login, signup, or MFA screen).
- Insert a Fingerprint Assess action immediately after the Screen.
- Use the collected fingerprinting and risk data in conditional logic to build your authentication flow (e.g., challenge users with high risk).
Which Features Require the Fingerprint Assess Action?
Risk Signal | Requires Fingerprint Assess? |
---|---|
riskInfo.botDetected | ✅ Yes |
riskInfo.riskScore | ✅ Yes |
riskInfo.impossibleTravel | ❌ No |
riskInfo.trustedDevice | ❌ No |
Risk Signals and Implementation
Risk Score (riskInfo.riskScore
)
The risk score provides a unified measure of authentication risk (0-1) based on multiple signals.
- Detection Sources:
- Network-level analysis via Cloudflare
- Enhanced by reCAPTCHA, Turnstile, Telesign, or other connectors when configured
- Scoring Logic: Takes the maximum risk level from all sources for a conservative final score
- Behavior:
- With Fingerprint Assess: Both Cloudflare and connector signals are evaluated
- Without Fingerprint Assess: Only connector signals contribute to the score
Implementation
Use risk scoring to adapt your flow based on the perceived risk level of each login:
- Add a Screen (e.g., login, signup)
- Add the Fingerprint / Assess action immediately after the Screen
- Create a Conditional Step checking if
riskInfo.riskScore
exceeds your risk threshold
Example: Trigger step-up authentication if riskInfo.riskScore > 0.5
Bot Detection (riskInfo.botDetected
)
Detects bot-like behavior during authentication attempts.
- Detection Source: Network-level analysis via Cloudflare
- Limitations: Purely network-based, no browser or device fingerprinting
- Requirement: Requires the Fingerprint Assess action after a screen
Implementation
- Insert the Fingerprint / Assess action after the Screen
- Create a Conditional Step that checks if
riskInfo.botDetected == true
Example: Block login attempts or apply stricter authentication if a bot is detected
Impossible Travel (riskInfo.impossibleTravel
)
Flags logins from geographically implausible locations.
- Detection Source: Geolocation and timestamp analysis
- Requirement: No special requirements or Fingerprint Assess needed
Implementation
- Create a Conditional Step that checks if
riskInfo.impossibleTravel == true
Example: Require re-authentication if impossible travel is detected
Trusted Device (riskInfo.trustedDevice
)
Recognizes previously verified devices to reduce authentication friction.
- Detection Source: First-party cookie on your custom domain
- Requirements:
- Pro tier or higher
- Configured custom domain
- No Fingerprint Assess needed
Implementation
- Configure your custom domain
- Choose one of these implementation options:
- Add a Trust This Device button on a user-facing screen
- Use the Mark Device As Trusted action step in your flow logic
- Add a Trust This Device button on a user-facing screen
- Use
riskInfo.trustedDevice
in conditional logic to adjust authentication
Connectors
Once you have these built-in features set up, you can further enhance your flows by combining them with Connector signals from services like:
- reCAPTCHA Enterprise (bot protection)
- Turnstile (alternative CAPTCHA)
- Telesign (phone number and risk intelligence)
- Fingerprint (advanced device and browser fingerprinting)
- Forter and Sardine (fraud and behavioral risk scoring)
For a complete list of all of the available fraud / risk based connectors, visit the Connectors page.
Using Connector Risk vs. Unified Risk Score
Third-party services like FingerprintJS, Turnstile, and Forter provide detailed risk signals optimized for their detection methods.
Aggregating everything into a single risk score may oversimplify your risk analysis.
By default, Descope provides a unified riskScore
— but if you're using advanced connectors like Forter or Sardine, consider evaluating their individual responses directly for more control.
Approach | When to Use |
---|---|
Use riskInfo.riskScore | When you want simple risk evaluation for a basic flow (e.g., if riskScore > 0.7 , trigger step-up authentication). |
Use Connector-Specific Outputs | When using advanced services like Fingerprint, Forter, or Sardine, where granular risk signals should be evaluated independently for better accuracy and control. |
For more information about all available fingerprinting capabilities and connector options, visit the Fingerprinting Overview documentation page.