TL;DR: Fraud teams can no longer rely on device fingerprints alone: attackers spoof attributes, clear cookies, and rotate device profiles, whereas behavioural analysis spots emulators, automation, and low-and-slow fraud patterns, according to Arkose Labs. The governance lesson is that static identification and real-time intelligence must be layered, not treated as substitutes.
At a glance
What this is: An analysis of why device identification alone is insufficient and why behavioural device intelligence is needed alongside it to detect modern fraud.
Why it matters: Identity teams must align fraud controls with how attackers actually operate, combining device history, behavioural signals, and contextual risk across human, NHI, and autonomous-adjacent environments.
Context
Basic device tracking tells you whether a returning device looks familiar, but it does not tell you whether the behaviour behind that device is legitimate. In fraud programmes, that gap matters because spoofing, cookie clearing, and device rotation can break simple fingerprinting while leaving the underlying abuse unchanged.
Device intelligence closes part of that gap by scoring how a session behaves in real time, not just what the device claims to be. For identity teams, the practical issue is broader than fraud detection: the same behavioural blind spot appears anywhere a programme depends on persistent identifiers without enough runtime context.
Key questions
Q: How should security teams combine device identification and device intelligence?
A: Security teams should use device identification to recognise returning devices and device intelligence to evaluate whether the current session behaves normally. The strongest programmes treat them as complementary signals, not alternatives, so static history and live behaviour both influence risk decisions. That approach reduces blind spots against spoofing, automation, and low-and-slow abuse.
Q: Why do static device fingerprints fail against modern fraud?
A: Static fingerprints fail because attackers can spoof browser and hardware attributes, clear cookies, and rotate device configurations quickly enough to break simple matching. They also create false ambiguity when legitimate users upgrade browsers or switch devices. Device identity without behaviour only tells you that something looks familiar, not that the session is trustworthy.
Q: How do you know if device intelligence is actually working?
A: You know it is working when the system can distinguish automation, emulators, fraud farms, and normal user variation without overblocking legitimate customers. The best signal is a combination of better fraud detection, fewer false positives, and clearer analyst explanations of why a session was risky.
Q: What is the difference between device identification and device intelligence?
A: Device identification focuses on who a device appears to be by using persistent attributes and fingerprints. Device intelligence focuses on what that device is doing in the moment by analysing behaviour, context, and environmental anomalies. In practice, identification is about continuity, while intelligence is about session quality and risk.
Technical breakdown
Device identification and persistent fingerprints
Device identification builds a repeatable signature from browser, operating system, screen, hardware, cookies, and other persistent attributes. That lets security teams recognise returning devices, link sessions, and flag devices previously tied to fraud. The limitation is structural: a fingerprint is only as durable as the attributes that feed it. Attackers can reset cookies, spoof device fields, or shift configurations just enough to evade simple matching. Legitimate changes, such as browser upgrades or new hardware, also create noise that can weaken confidence in static identification alone.
Practical implication: do not treat device fingerprints as a standalone trust signal for fraud or account access.
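The brittleness described above, as an added illustration (not code from the Arkose Labs article or any vendor product): an exact-hash fingerprint is compared with a weighted attribute match over constructed profiles. The attribute names, weights and 75% threshold are assumptions chosen for the example.

```python
import hashlib
import json

# Assumed weights (percent, sum to 100), not from the article: volatile
# fields such as the browser version count for less than hardware traits.
WEIGHTS = {"os": 20, "browser": 10, "browser_version": 5, "screen": 15,
           "gpu": 25, "timezone": 10, "cookie_id": 15}

def exact_fingerprint(attrs):
    """Hash every attribute: any single change produces a new identity."""
    canonical = json.dumps(attrs, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def similarity(known, seen):
    """Weighted percentage of attributes that still match the stored profile."""
    return sum(w for k, w in WEIGHTS.items()
               if known.get(k) is not None and known.get(k) == seen.get(k))

def classify(known, seen, threshold=75):
    """Continuity verdict only: 'same' never means 'trustworthy'."""
    if exact_fingerprint(known) == exact_fingerprint(seen):
        return "same"
    return "likely_same" if similarity(known, seen) >= threshold else "unknown"

# Constructed sample profiles (all values invented for illustration).
KNOWN = {"os": "Windows 11", "browser": "Chrome", "browser_version": "124",
         "screen": "1920x1080", "gpu": "vendor-a/model-1",
         "timezone": "Europe/London", "cookie_id": "c-1001"}
CASES = {
    "browser_upgrade": dict(KNOWN, browser_version="125"),
    "cookies_cleared": dict(KNOWN, cookie_id="c-2002"),
    "rotated_profile": dict(KNOWN, gpu="vendor-b/model-9", screen="1366x768",
                            timezone="Asia/Tokyo", cookie_id="c-3003"),
    "replayed_attributes": dict(KNOWN),  # every field copied from the known profile
}

def run_cases():
    """Return {case: (exact hash matches?, similarity %, verdict)}."""
    return {name: (exact_fingerprint(KNOWN) == exact_fingerprint(seen),
                   similarity(KNOWN, seen), classify(KNOWN, seen))
            for name, seen in CASES.items()}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

The replayed profile is classified as "same" by both methods, which is the point of the practical implication above: matching tells you the device looks familiar, nothing about the session behind it.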
Device intelligence and behavioural risk scoring
Device intelligence analyses what a session is doing in context, using signals such as typing cadence, mouse movement, navigation flow, emulator indicators, and inconsistencies between claimed and observed device traits. This approach is stronger against automation because behaviour is harder to fake than static attributes, especially across high-volume or low-friction interactions. It also helps identify fraud farms that constantly rotate device profiles while preserving suspicious interaction patterns. The trade-off is that behavioural models need enough context to avoid overreacting to legitimate user variation.
Practical implication: pair behavioural scoring with clear escalation rules so suspicious sessions are challenged, not simply blocked.
Why layered controls reduce blind spots
The article’s central technical point is that different fraud patterns defeat different controls. Volumetric bot attacks are often exposed by speed, repetition, and behavioural anomalies, while patient human-driven abuse is more likely to be caught by cross-session device continuity and historical linkage. When one control is absent, the other cannot fully compensate. That is why combining persistent device history with runtime behavioural analysis produces better confidence than either method alone. In practice, the value is not redundancy for its own sake but coverage across attack styles.
Practical implication: design fraud defence so static identity signals and runtime behaviour each cover the other’s blind spots.
Breaches seen in the wild
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
NHI Mgmt Group analysis
Device intelligence is becoming the deciding control because fraud now lives in the gap between identity and behaviour. Static fingerprints answer whether a device has been seen before, but modern attackers are interested in looking familiar, not being legitimate. That means programmes built around device identification alone will continue to miss spoofing, emulator use, and fraud-farm rotation. The practitioner conclusion is that behavioural context has to sit beside identity history, not underneath it.
Contextual risk scoring is the right named concept here, because trust is no longer a binary device decision. The article points to a mixed signal model where interaction patterns, environmental checks, and historical device data are evaluated together. That is a more realistic fraud lens than any single indicator can provide. For identity teams, the important shift is from asking whether a device is known to asking whether the session is internally consistent across multiple evidence types.
Low-and-slow fraud breaks controls that were designed around obvious spikes and repeatable patterns. A persistent attacker does not need to be fast if the defence only watches for high-volume abuse. Device identification helps connect seemingly separate attempts over time, but behavioural analysis is still required to spot the subtle anomalies that make those attempts suspicious. The operational implication is that fraud programmes need cross-session linkage and live session interpretation, not one without the other.
Identity programmes should stop treating device tracking as a fraud answer and start treating it as one signal in a broader governance model. The article makes clear that static attributes, behavioural signals, and contextual scoring solve different parts of the problem. That matters for IAM teams as well, because similar blind spots appear wherever a programme assumes persistence means trust. The practitioner conclusion is to align device controls with access decisions that can absorb uncertainty rather than overclaim certainty.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a broader control lens, Ultimate Guide to NHIs, Key Challenges and Risks frames visibility gaps, over-privilege, and sprawl as recurring governance failures.
What this signals
Device intelligence is converging with identity governance because the attack surface is now behavioural, not just credential-based. Teams that still treat device tracking as a peripheral fraud control will keep missing the session-level anomalies that matter most. The governance challenge is to make runtime evidence usable inside access and fraud decisions without turning every legitimate variation into noise.
Contextual risk scoring: the practical lesson is that trust should be inferred from consistency across signals, not from any single device attribute. That makes device history, behaviour, and environmental checks part of the same decision fabric. For teams running mixed human and machine programmes, that same pattern is increasingly relevant wherever identities can be replayed or mimicked.
As NHIMG research shows, 1 in 4 organisations are already investing in dedicated NHI security capabilities, while another 60% plan to do so within 12 months. That same investment logic applies here: once static identification and behavioural intelligence are understood as complementary controls, the programme moves from point defence to layered identity assurance.
For practitioners
- Combine device history with behavioural scoring: Use persistent device identification and real-time behaviour analysis together for account takeover, scraping, and fraud detection. Require both signals to contribute to risk decisions so spoofed devices and subtle manual abuse are assessed in the same policy path.
- Tune separate responses for bot and human fraud: Map volumetric bot traffic to automated blocking and challenge flows, while sending low-and-slow patterns to analyst review or stepped-up verification. This avoids using a single response model for very different attack styles.
- Watch for emulator and virtual machine indicators: Include environment checks for emulators, virtual machines, and inconsistent device attributes in your fraud telemetry. These signals are especially useful when attackers try to make non-standard endpoints look like ordinary customer devices.
- Measure false-positive pressure alongside fraud catch rate: Track how often legitimate users are challenged because of browser upgrades, device changes, or normal behaviour variation. If the challenge rate rises without a matching fraud reduction, the model is too dependent on static fingerprints.
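A sketch of the layered policy from the technical breakdown and the practitioner list above, added here as an example (it is not Arkose Labs' scoring model). The signal names, point values, thresholds and the sample history and sessions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import pstdev

@dataclass
class Session:
    device_id: str          # persistent ID from device identification
    account: str
    claimed_os: str         # what the client reports
    observed_os: str        # what runtime environment checks indicate
    emulator_hint: bool
    key_gaps: list          # milliseconds between keystrokes
    requests_per_min: int

def behaviour_score(s):
    """Runtime signals, 0-100. All thresholds are assumed for illustration."""
    score = 35 if s.claimed_os != s.observed_os else 0   # trait mismatch
    score += 30 if s.emulator_hint else 0
    score += 25 if len(s.key_gaps) >= 5 and pstdev(s.key_gaps) < 5 else 0  # machine-regular
    score += 30 if s.requests_per_min > 120 else 0       # volumetric speed
    return min(score, 100)

def history_score(s, history):
    """Cross-session linkage: prior fraud tag, other accounts on this device."""
    past = history.get(s.device_id, {"accounts": set(), "fraud": False})
    return min(100, 60 * past["fraud"] + 15 * len(past["accounts"] - {s.account}))

def decide(s, history):
    b, h = behaviour_score(s), history_score(s, history)
    if b >= 60 and s.requests_per_min > 120:
        return "block"            # volumetric automation
    if h >= 45:
        return "analyst_review"   # quiet session, but the device links attempts
    if b >= 30 or h >= 30:
        return "challenge"        # suspicious, not proven: step up, do not block
    return "allow"

# Constructed history and sessions (invented values).
HISTORY = {"dev-1": {"accounts": {"alice"}, "fraud": False},
           "dev-9": {"accounts": {"u1", "u2", "u3"}, "fraud": False}}
HUMAN = [180, 95, 240, 130, 310, 160]
SESSIONS = {
    "returning_user": Session("dev-1", "alice", "iOS", "iOS", False, HUMAN, 6),
    "rotating_bot": Session("dev-new", "bob", "Android", "Android", True, [50] * 8, 600),
    "low_and_slow": Session("dev-9", "u4", "Windows", "Windows", False, HUMAN, 3),
    "spoofed_traits": Session("dev-new2", "carol", "iOS", "Linux", False, HUMAN, 8),
}

def run_policy():
    return {name: decide(s, HISTORY) for name, s in SESSIONS.items()}
```

The rotating bot has no device history at all and is caught only by behaviour, while the low-and-slow session has a behaviour score of zero and is surfaced only by device linkage, so removing either score loses one of the two cases.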
Key takeaways
- Device identification alone cannot keep pace with attackers who spoof attributes, clear cookies, and rotate device profiles.
- Behavioural device intelligence improves detection by evaluating session consistency, environmental anomalies, and interaction patterns in real time.
- Fraud programmes are strongest when static identity history and runtime behaviour are used together to separate bots, fraud farms, and legitimate customers.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NHI set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Behavioural monitoring and anomaly detection map to continuous security monitoring. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Contextual access decisions fit zero-trust verification of sessions and identities. |
| NHI | NHI-03 | Persistent device identity and rotation-like churn are core NHI governance concerns. |
Treat device identities as governed entities and review how persistence, history, and trust are established.
Key terms
- Device Identification: Device identification is the practice of recognising a device by stable attributes such as browser, operating system, screen configuration, cookies, and hardware signals. It helps link sessions over time, but it cannot prove intent or legitimacy on its own. In fraud defence, it is a continuity signal, not a trust decision.
- Device Intelligence: Device intelligence evaluates how a device behaves during a session, using patterns such as typing cadence, mouse movement, navigation flow, and environmental anomalies. It is designed to spot automation, spoofing, and fraud-farm behaviour that static fingerprints miss. Its value comes from context, not just identity persistence.
- Behavioural Risk Scoring: Behavioural risk scoring is the process of combining multiple runtime signals into a single assessment of suspiciousness. The score is not a verdict on identity by itself, but a structured way to turn interaction patterns, device consistency, and environment checks into actionable fraud decisions.
This post draws on content published by Arkose Labs: Account Security Are You Only Identifying Devices Or Actually Understanding Them? Read the original.
Published by the NHIMG editorial team on 2026-01-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org