By NHI Mgmt Group Editorial Team
Published 2026-03-03
Domain: Best Practices
Source: Arkose Labs

TL;DR: Static device fingerprinting creates division and collision problems as browsers update, privacy tools randomise signals, and shared environments make different devices look identical, according to Arkose Labs. Device identity for fraud control now has to treat change as a signal, not just noise, because persistent reputation is only useful when the underlying identity is stable.


At a glance

What this is: This is Arkose Labs’ analysis of why static device fingerprinting fails and how a dynamic device ID model reduces division, collision, and downstream fraud noise.

Why it matters: It matters because IAM-adjacent fraud controls depend on trustworthy device identity, and false device attribution can distort risk decisions across NHI, autonomous, and human access journeys.

By the numbers:



Context

Device fingerprinting works by combining browser, hardware, and network signals into a device identity, but that identity only holds if the signals remain stable. In practice, browser updates, privacy protections, shared networks, and hardware homogeneity make static fingerprints drift or collide, which means the same device can splinter into multiple IDs and unrelated devices can share one.

For IAM and fraud teams, that is an identity governance problem as much as a detection problem. When device identity becomes unreliable, trust scores, step-up decisions, and reputation histories start to misclassify both legitimate users and risky sessions, weakening controls across human access, machine-to-machine journeys, and any workflow that depends on device continuity.


Key questions

Q: How should security teams handle device identity when fingerprints change over time?

A: Security teams should treat device identity as a continuity problem, not a one-time match. Static fingerprints break when browsers update, networks change, or privacy tools randomise signals, so the safer model preserves history across sessions and uses drift as context. That approach keeps risk decisions tied to the same device even when surface attributes move.

Q: Why do static device fingerprints create false positives and false negatives?

A: Static fingerprints create false negatives when one device fragments into many IDs after signal changes, because historical risk no longer follows the same entity. They create false positives when many similar devices collapse into one ID and inherit each other's reputation. In both cases, the problem is attribution failure, not just weak matching.

Q: What do fraud teams get wrong about device collision and division?

A: Teams often treat collision and division as tuning issues, but they are structural limits of snapshot-based identity. Collision means multiple devices share one ID, while division means one device is split across many IDs. Both distort trust scores, queue decisions, and reputation histories, so they need architectural treatment rather than more hashing.

Q: How can organisations decide whether device identity is reliable enough for risk scoring?

A: Use reliability tests that look for stable attribution over time, not just first-seen accuracy. Check whether the same device can be recognised after routine browser changes, whether shared environments are producing overlapping IDs, and whether historical fraud behaviour stays attached to the right entity. If those signals fail, the identity layer is not ready for high-stakes scoring.


Technical breakdown

Division problem in static device fingerprinting

Static fingerprinting hashes a snapshot of device signals into a fixed identifier, which fails when one or more attributes change. That creates the division problem: one real device becomes many IDs after a browser patch, a network change, or a privacy-driven signal randomisation event. The result is broken continuity, because historical risk data no longer follows the same device. A system that depends on exact match logic is fragile by design in a web environment where change is normal, not exceptional.

Practical implication: stop treating a single static hash as authoritative for device reputation and review where your risk engine assumes exact signal stability.

Collision problem and shared device identity

Collision happens when distinct devices produce similar or identical fingerprints because they share common hardware, default browser settings, or network context. In enterprise and consumer environments alike, identical MacBook models, popular browser versions, and shared corporate or campus networks can collapse many devices into one ID. That creates noisy attribution, where innocent users inherit the fraud history of someone else. The problem is not just false positives. It is a loss of separation between entities that should be evaluated independently.

Practical implication: map where shared infrastructure and standard configurations are causing identity overlap, then segment decisions that depend on device uniqueness.

Persistent device identity as a risk signal

A persistent device ID model does not merely recognise a returning device. It compares current signals with prior behaviour and uses divergence as a signal in its own right. That is materially different from static fingerprinting, because continuity is preserved even as attributes evolve naturally. For fraud and access teams, the architectural shift is from identification at a moment in time to identity over time. The security value comes from linking change, history, and behaviour into one decision surface.

Practical implication: build device governance around continuity and behavioural drift, not only first-seen matching or one-time fingerprint capture.
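The three problems above side by side, as an added illustration that is not Arkose Labs' code: a static snapshot hash, a similarity-linked persistent record that keeps drift history and flags abrupt change, and the reliability test the key questions describe (IDs per true device and true devices per ID) run over both. The attribute weights, thresholds and session data are assumptions constructed here.

```python
import hashlib

# Weights model how often a signal legitimately changes; all numbers here are assumed.
WEIGHTS = {"ua": 2.0, "ver": 0.5, "screen": 2.0, "tz": 1.5, "fonts": 1.5, "net": 0.5}  # sums to 8.0
LINK_THRESHOLD = 0.5    # link to an existing record at or above this similarity
ABRUPT_THRESHOLD = 0.8  # linked, but so much moved at once that the drift is a signal

def static_fingerprint(sig):
    """Snapshot hash: any changed attribute yields a brand-new ID (division)."""
    raw = "|".join(f"{k}={sig[k]}" for k in sorted(sig))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]

def similarity(a, b):
    """Weighted share of attributes on which two snapshots agree."""
    return sum(w for k, w in WEIGHTS.items() if a.get(k) == b.get(k)) / sum(WEIGHTS.values())

class PersistentDeviceRegistry:
    """Links each new snapshot to its closest known record and keeps drift history."""
    def __init__(self):
        self.records = {}  # device_id -> {"last": snapshot, "drift": [(changed, similarity)]}
    def observe(self, sig):
        best_id, best_sim = None, -1.0
        for dev_id, rec in self.records.items():
            s = similarity(sig, rec["last"])
            if s > best_sim:
                best_id, best_sim = dev_id, s
        if best_sim < LINK_THRESHOLD:  # nothing close enough: genuinely new device
            best_id = f"dev-{len(self.records) + 1}"
            self.records[best_id] = {"last": dict(sig), "drift": []}
            return {"device_id": best_id, "changed": [], "abrupt": False}
        rec = self.records[best_id]
        changed = sorted(k for k in WEIGHTS if sig.get(k) != rec["last"].get(k))
        rec["drift"].append((changed, best_sim))  # history survives the change
        rec["last"] = dict(sig)
        return {"device_id": best_id, "changed": changed, "abrupt": best_sim < ABRUPT_THRESHOLD}

def attribution_report(sessions, ident):
    """Reliability test: true devices split across IDs (division) and IDs shared by several true devices (collision)."""
    dev_to_ids, id_to_devs = {}, {}
    for true_dev, sig in sessions:
        i = ident(sig)
        dev_to_ids.setdefault(true_dev, set()).add(i)
        id_to_devs.setdefault(i, set()).add(true_dev)
    return {"divided": sum(len(s) > 1 for s in dev_to_ids.values()),
            "collided": sum(len(s) > 1 for s in id_to_devs.values())}

# Constructed sessions: laptop A before and after a browser update, then an identical laptop B on the same network.
BASE = {"ua": "Chrome", "ver": "131", "screen": "1512x982",
        "tz": "Europe/London", "fonts": "f-abc", "net": "10.20"}
SESSIONS = [("A", BASE), ("A", {**BASE, "ver": "132"}), ("B", BASE)]
```

On these sessions the static hash both divides A and collides A with B, while the persistent registry keeps A whole but still merges the identically configured B: similarity alone cannot separate devices whose signals are the same, which is why segmenting shared environments is a separate control.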




NHI Mgmt Group analysis

Static device fingerprinting is an identity control that assumes the device stays functionally still. That assumption breaks in modern web environments where browsers patch, privacy tools randomise signals, and shared networks blur separation. The failure is not just technical noise; it is governance drift, because the control cannot preserve a stable device record long enough to support reliable fraud decisions. Practitioners should treat this as a broken identity premise, not a tuning problem.

Collision is the more dangerous failure mode because it turns device identity into shared liability. When multiple devices inherit one ID, the control starts attributing one actor's behaviour to another actor's session history. That undermines access friction, chargeback mitigation, and account takeover detection at the same time. The practical conclusion is that device identity must be evaluated as an attribution system, not a standalone fingerprint.

Division and collision together create identity blast radius in fraud programmes. A fragmented device history removes continuity, while a shared device ID contaminates trust across unrelated users. This is why device identity cannot be treated as a simple preprocessing layer before risk scoring. Security teams need to understand that the quality of the identity record directly shapes the quality of the decision downstream.

Change should be treated as signal when device identity is used for trust decisions. The article's core lesson is that a device that evolves is not necessarily evasive, but a device that changes in patterned ways can reveal manipulation. That distinction is where modern device governance now lives. Practitioners should preserve change history, not discard it.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • That visibility gap matters because 97% of NHIs carry excessive privileges, widening the impact of identity mistakes across machine and automated access paths.
  • For a broader governance baseline, see the Ultimate Guide to NHIs, and The NHI Market for how the category is evolving.

What this signals

Device identity is becoming a governance primitive, not a convenience signal. As more risk engines rely on persistent device reputation, teams need to ask whether they are managing identity continuity or merely collecting hashes. The practical shift is to measure how often device histories survive routine change and how often shared environments contaminate attribution.

The same pattern shows up across machine identity programmes: when visibility is weak, the confidence in downstream decisions collapses. Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which is a reminder that attribution quality is now a cross-domain control problem, not just a fraud-control nuance.


For practitioners

  • Inventory where static fingerprints feed risk decisions: Trace every fraud, step-up, and reputation workflow that depends on a single device hash, then mark where exact-match logic can fragment histories or merge unrelated users. Use those paths as your prioritisation list for replacing brittle attribution with continuity-aware device identity. Review the decision points that rely on stable device identity before the next tuning cycle.
  • Segment shared-infrastructure environments from unique-device workflows: Separate corporate networks, campus networks, shared VDI, and common hardware pools from higher-confidence device contexts so collision-prone traffic does not contaminate the same reputation logic. Use policy boundaries to keep geography, hardware sameness, and user behaviour from being collapsed into one trust signal. Anchor the segmentation to environments where many devices look alike.
  • Preserve device history across signal drift: Keep a continuous record of past associations, prior risk decisions, and known behaviour so browser updates or network changes do not erase identity continuity. That history is what distinguishes organic evolution from suspicious manipulation. Pair it with review logic that highlights abrupt changes in similarity rather than forcing a new identity every time a signal shifts.
  • Rebalance false positive review around collision risk: Measure how often innocent users are being linked to fraud outcomes because common signals create shared IDs. Then adjust friction thresholds, manual review queues, and reputation models so collision hot spots get additional separation logic. This is where customer impact and security quality intersect.

Key takeaways

  • Static device fingerprinting fails because modern environments change faster than snapshot-based identity can keep up.
  • Collision and division are not edge cases; they are structural errors that distort reputation, friction, and fraud attribution at scale.
  • Teams should move toward continuity-aware device identity so historical trust survives routine change without collapsing attribution.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Device identity persistence and rotation gaps map to NHI credential governance.
NIST CSF 2.0 | PR.AC-4 | Device identity quality affects access control decisions and trust validation.
NIST Zero Trust (SP 800-207) | AC-4 | Zero trust depends on continuous verification of device context, not static fingerprints.

Review how persistent device identity supports NHI-03 style lifecycle and rotation controls.


Key terms

  • Device fingerprinting: Device fingerprinting is the practice of combining browser, hardware, and network signals to recognise a device across sessions. It is useful when the signals are stable, but it becomes brittle when those signals drift, are shared, or are intentionally randomised, which weakens attribution and trust.
  • Collision problem: Collision happens when multiple different devices produce the same or similar identifier and are treated as one entity. In identity and fraud systems, that causes one user’s history to contaminate another’s decisions, raising false positives and making trust scores less reliable.
  • Division problem: Division occurs when one real device is split into multiple identifiers because its observable signals change over time. The system loses continuity, so historical behaviour stops following the same device and downstream risk logic becomes fragmented or inconsistent.
  • Persistent device identity: Persistent device identity is a model that preserves continuity across sessions even when surface signals change. It uses history, similarity, and behavioural context to decide whether a returning device is the same entity, which is more durable than a static fingerprint in modern environments.

Deepen your knowledge

Device identity continuity and broader NHI governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme is still relying on snapshot-based identity and static trust signals, it is worth exploring.

This post draws on content published by Arkose Labs: Device ID Fingerprinting Is Broken. Here’s How We Fixed It. Read the original.

NHIMG Editorial Note
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org