Manage Security

Browser Fingerprinting and Risk/Bot Detection

Descope offers device fingerprinting and risk-based authentication when your application integrates through Descope Flows. Whenever an end user signs in, the Descope client SDK generates a browser fingerprint.

A browser fingerprint is a set of information about a user's device, from the hardware to the operating system to the browser and its configuration. Browser fingerprinting is the process of collecting that information through the web browser to build a fingerprint of the device. Via a script running inside the browser, a server can collect a wide variety of information from public browser interfaces (Application Programming Interfaces, or APIs) and from HTTP headers. Unlike identification techniques such as cookies, which rely on a unique identifier (ID) stored directly in the browser, browser fingerprinting is stateless: it does not need to store anything in the browser and therefore leaves no trace there.
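As an added illustration (this is not Descope documentation or SDK code), the following JavaScript shows how a fingerprinting script assembles a stable identifier from attributes read through public browser APIs and from request headers, and why it is stateless: nothing is written back to the browser. It is self-contained for offline use: `SAMPLE_ENV` is a constructed stand-in for a browser's `globalThis`, the `Intl` object inside it is a mock that pins the time zone, and FNV-1a stands in for the SHA-256 a real implementation would use.

```javascript
// Added example (not Descope SDK code): assembling a browser fingerprint
// from attributes readable through public browser APIs and HTTP headers.

// Read the attributes a fingerprinting script typically samples. In a
// browser, pass `globalThis` as `env`. Nothing is written back to the
// browser, which is what makes the technique stateless.
function collectAttributes(env) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  let timezone;
  if (env.Intl && env.Intl.DateTimeFormat) {
    timezone = new env.Intl.DateTimeFormat().resolvedOptions().timeZone;
  }
  return {
    userAgent: nav.userAgent,
    language: nav.language,
    languages: Array.isArray(nav.languages) ? nav.languages.join(",") : undefined,
    platform: nav.platform,
    hardwareConcurrency: nav.hardwareConcurrency,
    deviceMemory: nav.deviceMemory,
    maxTouchPoints: nav.maxTouchPoints,
    screen: scr.width && scr.height ? `${scr.width}x${scr.height}x${scr.colorDepth}` : undefined,
    timezone,
  };
}

// Server-side additions taken from the request headers (case-insensitive names).
function headerAttributes(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return {
    hdrAcceptLanguage: lower["accept-language"],
    hdrUserAgent: lower["user-agent"],
  };
}

// Canonical serialisation: sorted keys, undefined/null dropped, so the same
// device yields the same string regardless of the order attributes were read.
function canonicalize(attrs) {
  return Object.keys(attrs)
    .filter((k) => attrs[k] !== undefined && attrs[k] !== null)
    .sort()
    .map((k) => `${k}=${String(attrs[k])}`)
    .join("\n");
}

// FNV-1a (32-bit) keeps the example dependency-free. A real implementation
// would use SHA-256; 32 bits is far too small to avoid collisions at scale.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(env, headers = {}) {
  return fnv1a32(canonicalize({ ...collectAttributes(env), ...headerAttributes(headers) }));
}

// Constructed sample environment standing in for a browser's globalThis.
const SAMPLE_ENV = {
  navigator: {
    userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36",
    language: "en-US",
    languages: ["en-US", "en"],
    platform: "Linux x86_64",
    hardwareConcurrency: 8,
    deviceMemory: 8,
    maxTouchPoints: 0,
  },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
  // Mock of Intl so the time zone is fixed rather than taken from the host.
  Intl: { DateTimeFormat: class { resolvedOptions() { return { timeZone: "Europe/Berlin" }; } } },
};

// Same sample with a different time zone: one changed attribute, new fingerprint.
function withTimeZone(env, timeZone) {
  return { ...env, Intl: { DateTimeFormat: class { resolvedOptions() { return { timeZone }; } } } };
}

console.log("fingerprint:", fingerprint(SAMPLE_ENV));
console.log("after time zone change:", fingerprint(withTimeZone(SAMPLE_ENV, "America/New_York")));
```

In a real page you would call `fingerprint(globalThis)` on the client and merge the request headers on the server. Two properties matter for the security use: the value is reproducible across visits without any cookie or storage, and any change to the sampled surface (a browser update, a different screen, a new time zone) produces a new value. That second property is why a fingerprint is a risk signal to feed into scoring rather than proof of identity on its own.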

In addition to the browser fingerprint, Descope uses many other attributes to compute a risk score for each session. This risk score can be used as a condition in your flows to trigger an additional authentication method (step-up) or to fail the login entirely.

You can learn more about how fingerprinting, risk, and bot detection can be implemented in your Descope Project here.

Disabling Flows

The Descope service allows Descopers to disable flows within a project. Descopers can disable flows from the flows page within the Descope UI by selecting the three dots to the right of a flow and then clicking Disable. You can disable one, multiple, or all flows in the project. Disabled flows no longer run; they can be re-enabled later if needed. All flows are enabled by default.

Disabling flows is most relevant to Descopers who use only the backend SDKs. A flow that is enabled but unused is unnecessary attack surface: an attacker who learns the project ID could run it to sign up for, or step up into, the service in a way the Descoper never intended to offer users. Disabling flows also applies to companies whose use case is invite-only access, and it helps anyone using flows to harden their project by turning off the flows they do not use.

You can find more information on managing flows within the Managing Descope Flows article.