Device Fingerprint Correlation
Browser fingerprint correlation layer that uses FingerprintJS visitor IDs to detect multi-account farming and sybil attacks. Tracks the relationship between browser fingerprints, user IDs, and cookies over a rolling time window.
How it works
- The integrator's frontend collects a FingerprintJS visitor ID and passes it in the claim's `fingerprint` field
- The server persists `(visitorId, uid, cookieHash, seenAt)` tuples in the database
- On each claim, the layer queries the rolling window to check:
  - Visitor-to-UID fan-out: the same browser fingerprint claiming with many different user IDs → sybil detection
  - UID-to-visitor fan-out: the same user ID seen from many different browsers → multi-device farming
  - Cross-integrator reuse: the same visitor seen across different integrator apps → account sharing
- Trust is boosted when the `hostContext` is HMAC-signed by a verified integrator
Configuration
| Env var | Default | Description |
|---|---|---|
| `FAUCET_FINGERPRINT_ENABLED` | `false` | Enable the fingerprint layer |
| `FAUCET_FINGERPRINT_WINDOW_MS` | `86400000` | Rolling window in milliseconds (default 24 hours) |
| `FAUCET_FINGERPRINT_MAX_VISITORS_PER_UID` | `3` | Max distinct browsers per user ID before the score is raised |
| `FAUCET_FINGERPRINT_MAX_UIDS_PER_VISITOR` | `3` | Max distinct user IDs per browser before the score is raised (see Decision logic) |
Decision logic
- Fan-out within thresholds: `allow` with low score
- Visitor-to-UID fan-out exceeds max: `allow` with elevated score (the pipeline may still deny on the aggregate score)
- Cross-integrator reuse detected: `review` for manual inspection
- HMAC-signed `hostContext`: trust boost (lower score)
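The checks listed under "How it works" and the outcomes under "Decision logic" are one procedure, so here is the whole thing as an in-memory Node.js implementation. This is an added example, not the project's own code: the row store, the class and function names, the per-signal score values and the `integrator` field kept on each row (needed for the cross-integrator check) are assumptions; the thresholds, the rolling window and the allow/review outcomes follow the documented env vars and decision logic.

```javascript
// Added example, not the project's own code. Assumed: in-memory row store, the SCORE
// values, and an `integrator` field on each stored row; thresholds and window follow
// the documented env vars.

const DEFAULTS = {
  enabled: false,          // FAUCET_FINGERPRINT_ENABLED
  windowMs: 86400000,      // FAUCET_FINGERPRINT_WINDOW_MS (24 h)
  maxVisitorsPerUid: 3,    // FAUCET_FINGERPRINT_MAX_VISITORS_PER_UID
  maxUidsPerVisitor: 3,    // FAUCET_FINGERPRINT_MAX_UIDS_PER_VISITOR
};

// Score contributions are assumed values; the pipeline aggregates them with other layers.
const SCORE = { uidFanOut: 40, visitorFanOut: 25, crossIntegrator: 30, trustBoost: 15, missing: 10 };

function configFromEnv(env = process.env) {
  const int = (key, fallback) => {
    const n = Number.parseInt(env[key], 10);
    return Number.isFinite(n) ? n : fallback;  // unset or junk values fall back to the default
  };
  return {
    enabled: env.FAUCET_FINGERPRINT_ENABLED === 'true',
    windowMs: int('FAUCET_FINGERPRINT_WINDOW_MS', DEFAULTS.windowMs),
    maxVisitorsPerUid: int('FAUCET_FINGERPRINT_MAX_VISITORS_PER_UID', DEFAULTS.maxVisitorsPerUid),
    maxUidsPerVisitor: int('FAUCET_FINGERPRINT_MAX_UIDS_PER_VISITOR', DEFAULTS.maxUidsPerVisitor),
  };
}

class FingerprintLayer {
  constructor(config) {
    this.config = config;
    this.rows = []; // (visitorId, uid, cookieHash, integrator, seenAt) tuples
  }

  // Rows inside the rolling window; expired rows are dropped so the counts stay bounded.
  recent(now) {
    const cutoff = now - this.config.windowMs;
    this.rows = this.rows.filter((r) => r.seenAt >= cutoff);
    return this.rows;
  }

  // claim: { visitorId, uid, cookieHash, integrator, hostContextVerified }
  evaluate(claim, now = Date.now()) {
    if (!this.config.enabled) return { decision: 'allow', score: 0, reasons: ['layer disabled'] };
    const { visitorId, uid, cookieHash, integrator, hostContextVerified = false } = claim;
    // The fingerprint is client-supplied; an omitted one is recorded rather than treated as clean.
    if (!visitorId) return { decision: 'allow', score: SCORE.missing, reasons: ['fingerprint missing'] };

    const rows = this.recent(now);
    // Sets dedupe repeat claims: the same (visitor, uid) pair seen twice does not inflate fan-out.
    const visitorsForUid = new Set(rows.filter((r) => r.uid === uid).map((r) => r.visitorId));
    const uidsForVisitor = new Set(rows.filter((r) => r.visitorId === visitorId).map((r) => r.uid));
    const integratorsForVisitor = new Set(rows.filter((r) => r.visitorId === visitorId).map((r) => r.integrator));
    visitorsForUid.add(visitorId);
    uidsForVisitor.add(uid);
    integratorsForVisitor.add(integrator);

    let decision = 'allow';
    let score = 0;
    const reasons = [];
    if (uidsForVisitor.size > this.config.maxUidsPerVisitor) {
      score += SCORE.uidFanOut;           // one browser, many accounts: sybil
      reasons.push(`visitor->uid fan-out ${uidsForVisitor.size}`);
    }
    if (visitorsForUid.size > this.config.maxVisitorsPerUid) {
      score += SCORE.visitorFanOut;       // one account, many browsers: multi-device farming
      reasons.push(`uid->visitor fan-out ${visitorsForUid.size}`);
    }
    if (integratorsForVisitor.size > 1) {
      decision = 'review';                // same browser across integrator apps: account sharing
      score += SCORE.crossIntegrator;
      reasons.push(`cross-integrator reuse ${[...integratorsForVisitor].join(',')}`);
    }
    if (hostContextVerified) {
      score = Math.max(0, score - SCORE.trustBoost);
      reasons.push('hostContext HMAC verified');
    }

    this.rows.push({ visitorId, uid, cookieHash, integrator, seenAt: now });
    return { decision, score, reasons };
  }
}

// Constructed scenario: one browser claims under four user IDs, then again from a second integrator.
function demo() {
  const layer = new FingerprintLayer({ ...DEFAULTS, enabled: true });
  const t0 = 1700000000000;
  const out = [];
  for (let i = 1; i <= 4; i++) {
    out.push(layer.evaluate({ visitorId: 'v1', uid: `u${i}`, cookieHash: 'c1', integrator: 'appA' }, t0 + i));
  }
  out.push(layer.evaluate({ visitorId: 'v1', uid: 'u1', cookieHash: 'c1', integrator: 'appB' }, t0 + 5));
  return out;
}

console.log(JSON.stringify(demo(), null, 1));
```

In the constructed run the first three claims stay `allow` with score 0 (three distinct UIDs is at the threshold, not over it), the fourth UID pushes the browser over `maxUidsPerVisitor` and raises the score while still returning `allow`, and the claim from the second integrator flips the decision to `review`. Because the sets are keyed on distinct values, a legitimate user re-claiming from the same browser never moves the counters.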
Trade-offs
- Effective against multi-account farming (same person, many accounts)
- Requires integrator cooperation — the frontend must send fingerprint data
- The `visitorId` is supplied by the client, so a hostile client can omit or forge it; treat the layer as a correlation signal that feeds the aggregate score, not as an authentication control
- Privacy considerations — stores browser fingerprint hashes in the database
- Client-side collection via FingerprintJS (free open-source tier available)
Integrator integration
To use this layer, integrators must:
- Include FingerprintJS in their frontend
- Pass the `visitorId` in the claim request's `fingerprint` field
- Optionally sign the `hostContext` with HMAC for the trust boost (see integrator-hmac.md)