Device Fingerprinting and Risk Scoring
GrantFlow collects device information during role activation requests to support AI-driven risk scoring. This helps approvers make informed decisions by providing context about the device and environment from which access is being requested.
Purpose
Device fingerprinting serves several security objectives:
- Anomaly detection: Identify when a request comes from an unusual device or location
- Risk assessment: Provide signals for AI-based risk scoring algorithms
- Audit trail: Record device context for compliance and forensic investigations
- Pattern recognition: Detect potentially compromised accounts based on behavioral changes
What Information Is Collected
When a user submits a role activation request, GrantFlow collects non-invasive device signals from the browser. This information is attached to the activation request and stored as part of the audit trail.
Browser Characteristics
| Signal | Description | Example |
|---|---|---|
| User Agent | Browser and OS identification | Chrome 120 on Windows 11 |
| Platform | Operating system platform | Win32, MacIntel, Linux x86_64 |
| Languages | Browser language preferences | en-US, de-DE |
| Timezone | User's timezone offset | UTC-5 (EST) |
| Screen Resolution | Display dimensions | 1920x1080 |
Hardware Signals
| Signal | Description | Privacy Note |
|---|---|---|
| CPU Cores | Logical processor count | Generic hardware profile |
| Device Memory | Approximate RAM (GB) | Rounded to nearest GB |
| GPU Vendor/Renderer | Graphics hardware identifier | WebGL-derived information |
| Touch Support | Touch-enabled device | Boolean flag |
Network Information
| Signal | Description | Use Case |
|---|---|---|
| Connection Type | Network type (wifi, cellular, ethernet) | Anomaly detection |
| Downlink Speed | Estimated bandwidth | Profile consistency |
| Round-Trip Time | Network latency estimate | Location inference |
| IP Address | Request source IP | Geo-location, anomaly detection |
Security Signals
| Signal | Description | Purpose |
|---|---|---|
| WebDriver Detection | Automated browser detection | Bot prevention |
| Headless Browser | Headless mode detection | Automation detection |
| Browser Integrity | Extension/modification detection | Tampering detection |
Privacy Considerations
GrantFlow's device fingerprinting is designed with privacy in mind:
What We Don't Collect
- No persistent device IDs: We don't create or store cross-session tracking identifiers
- No cookies for fingerprinting: Device data is collected fresh with each request
- No third-party tracking: All collection happens client-side without external services
- No personal files: We never access local storage, files, or personal data
Data Handling
- Session-scoped: Fingerprint data is associated only with the specific activation request
- Hashed sensitive data: Font lists and similar high-entropy data are hashed before storage
- Tenant isolation: Device data is stored within tenant-specific databases
- Audit purpose: Data is retained as part of the audit trail per your retention policies
Transparency
Users can see that device information is collected as part of the activation request process. The information is used solely for security assessment and audit purposes.
How Risk Scoring Works
Device fingerprint data feeds into GrantFlow's risk scoring system:
Risk Factors
The AI risk scoring model considers factors such as:
- Device consistency: Is this request from a device the user has used before?
- Location anomaly: Is the apparent location unusual for this user?
- Time patterns: Is the request at an unusual time?
- Automation signals: Are there signs this isn't a human-initiated request?
- Network characteristics: Is the network profile consistent with expectations?
Risk Levels
Risk scores are categorized into levels that approvers can see:
| Level | Score Range | Guidance |
|---|---|---|
| Low | 0-30 | Normal request, standard approval process |
| Medium | 31-60 | Some unusual signals, review carefully |
| High | 61-80 | Multiple anomalies, verify with requester |
| Critical | 81-100 | Strong anomaly indicators, consider denying |
INFO
Risk scores are advisory. Approvers always have final authority over approval decisions, and should use their judgment based on context they may have that the automated system doesn't.
Viewing Device Information
For Approvers
When reviewing an activation request, approvers can see:
- Summary risk score and level
- Key device characteristics
- Notable anomalies flagged by the system
- Comparison with the user's typical request patterns
For Administrators
Administrators have access to:
- Full device context in audit logs
- Historical device patterns per user
- Risk score distribution analytics
- False positive/negative feedback for model improvement
Browser Compatibility
Device fingerprinting works across all modern browsers:
| Browser | Support Level | Notes |
|---|---|---|
| Chrome/Edge | Full | All signals available |
| Firefox | Full | All signals available |
| Safari | Partial | Some hardware signals limited by privacy features |
| Mobile Browsers | Full | Touch and mobile-specific signals included |
TIP
Safari's Intelligent Tracking Prevention may limit some signals. This doesn't affect core functionality—the risk scoring model adapts to available signals.
Compliance Considerations
GDPR
Device fingerprinting for security purposes typically falls under "legitimate interest" for protecting systems and data. However, you should:
- Include device data collection in your privacy policy
- Ensure retention periods align with your data protection policies
- Document the security purpose in your records of processing activities
SOC 2
Device fingerprinting supports SOC 2 compliance by:
- Providing additional authentication context
- Creating detailed audit trails
- Enabling anomaly detection controls
Industry Regulations
For regulated industries (finance, healthcare), device fingerprinting provides additional assurance that access requests originate from expected sources. Consult your compliance team for specific guidance.
Enhanced Fingerprinting Signals
Recent updates have expanded the fingerprinting signal set to improve device identification accuracy:
| Signal | Description | Added |
|---|---|---|
| WebGL Renderer | GPU and graphics driver identification via WebGL rendering context | v1.3 |
| Canvas Fingerprint | Unique rendering characteristics of the HTML5 Canvas API | v1.3 |
| Audio Context | Audio processing characteristics unique to hardware configuration | v1.3 |
| Font Enumeration | Available system fonts detected via rendering measurement | v1.2 |
| Hardware Concurrency | Number of logical CPU cores reported by the browser | v1.2 |
These signals work together with existing fingerprinting data (timezone, screen resolution, language, platform) to create a more reliable device identifier. All signals are collected client-side and hashed before transmission — no raw fingerprint data is sent to the server.
INFO
WebGL rendering identification may not be available in all browsers. When WebGL is disabled or blocked, GrantFlow falls back to other available signals. This does not affect functionality but may reduce fingerprint uniqueness.
Troubleshooting
Missing Device Data
If activation requests lack device information:
- Check browser compatibility: Ensure the user's browser supports the required APIs
- Review network proxies: Some corporate proxies strip client information
- Check for browser extensions: Privacy extensions may block fingerprinting APIs
High False Positive Rate
If too many legitimate requests are flagged as high risk:
- Review threshold settings: Consider raising thresholds if they're too sensitive
- Provide feedback: Use the approval interface to mark false positives
- Check user patterns: Frequent travelers or users with multiple devices may naturally have more variation
Performance Concerns
Device fingerprinting adds minimal overhead:
- Collection takes less than 50ms client-side
- No blocking operations in the request path
- Fingerprint data is small (approximately 2KB per request)