By NHI Mgmt Group Editorial Team
Published 2025-08-25
Domain: Governance & Risk
Source: Fingerprint

TL;DR: High-activity devices are a fraud signal because persistent identifiers and device intelligence can reveal scaled abuse before it reaches authentication or account takeover stages, according to Fingerprint. For practitioners, the challenge is not detection alone but deciding which identity, device, and session controls must converge to contain repeat abuse.


At a glance

What this is: This is Fingerprint’s analysis of high-activity devices as a fraud signal and how persistent identifiers help detect scaled abuse earlier.

Why it matters: It matters to IAM and security teams because device-level abuse can undermine authentication, session trust, and account protection across human and automated interactions.



Context

High-activity devices are devices or browser instances that generate unusually frequent or repetitive activity across logins, sessions, or transactions. In fraud programmes, that pattern often signals automation, scaled abuse, or a compromised device acting faster and more consistently than a normal user.

For IAM and fraud teams, the governance problem is that authentication alone does not tell you whether the same device is driving repeated abuse across accounts. Device intelligence and persistent identifiers add a control layer that helps separate legitimate repeat usage from high-volume malicious activity, especially when the same actor shifts between accounts or channels.


Key questions

Q: How should security teams respond to high-activity device signals in fraud flows?

A: Teams should treat high-activity device signals as a pattern-level abuse indicator, not as proof of one bad account. The practical response is to correlate repeated device behaviour across sessions, apply step-up checks to high-risk patterns, and route persistent offenders into containment workflows before abuse scales across multiple identities.

Q: Why do device signals matter when authentication already succeeded?

A: Authentication only confirms a moment in time. A device can still be used repeatedly for credential stuffing, spam, or transaction abuse after login, so device signals add the behavioural context needed to spot repetition, isolate abnormal reuse, and reduce reliance on account-level checks alone.

Q: What breaks when teams rely only on account-based fraud controls?

A: Account-based controls miss the durable actor in scaled abuse, which is often the device rather than the identity. When that happens, the same browser or device can cycle through many accounts without triggering the right threshold, leaving fraud teams to respond only after abuse has already spread.

Q: Who is accountable when high-activity devices drive repeated abuse?

A: Accountability sits across fraud operations, IAM, and session risk owners because the control gap spans identity, device, and transaction layers. Teams need a shared escalation path so recurring device activity is investigated once and acted on consistently, rather than being handled as disconnected anomalies.


Technical breakdown

Persistent identifiers and high-activity device clustering

Persistent identifiers let a control plane recognise a device or browser over time, even when the user changes accounts, clears cookies, or moves between sessions. High-activity detection works by clustering repeated events from the same device signals and then scoring whether the behaviour is normal reuse or coordinated abuse. The practical value is not just attribution, but the ability to identify repeat offenders before rate limits, CAPTCHA, or login controls are exhausted. In practice, this is strongest when device intelligence is combined with behavioural thresholds and transaction context.

Practical implication: build device-level clustering into fraud triage so repeated abuse is suppressed before it becomes account-level spread.

Why scaled abuse can evade authentication controls

Scaled abuse often succeeds because authentication controls are designed to verify identity at the point of login, not to track repeat behaviour after access is granted. A device can look legitimate on each individual request while still driving automation across many accounts, sessions, or attempts. That is why high-activity detection matters: it shifts analysis from one login event to the pattern created by many events. For identity teams, the key failure is assuming that a successful login proves trustworthy intent across the rest of the session lifecycle.

Practical implication: treat successful authentication as a checkpoint, not a trust guarantee, and apply post-login abuse scoring to the full session.

Device intelligence in embedded and privacy-sensitive flows

In mobile webviews, embedded browsers, and other constrained environments, teams often have less signal than they expect and more user experience risk than they want. Device intelligence helps recover context without relying only on invasive friction such as repeated challenges or hard blocks. The challenge is to use enough persistent signal to detect abuse while still preserving legitimate access for real users and complying with privacy and platform constraints. That balance is especially important when abuse patterns are shared across human and automated traffic.

Practical implication: use device intelligence selectively in high-risk flows where friction, privacy, and repeat-abuse detection must be balanced together.


Threat narrative

Attacker objective: The attacker aims to use one or more persistent device identities to scale abuse while staying below the threshold of ordinary account-based detection.

  1. Entry begins when a device or browser instance appears normal enough to pass routine access checks while still generating repeated requests across accounts or sessions.
  2. Escalation occurs when the same device signal is reused to drive larger volumes of login attempts, spam, or transaction abuse that evades user-centric controls.
  3. Impact is scaled abuse across multiple accounts or workflows, where repeated activity consumes resources, undermines trust, and increases fraud losses.



NHI Mgmt Group analysis

High-activity devices are a repeat-abuse problem before they are an authentication problem. Fraud teams often look for bad credentials or failed logins, but the more durable signal is the device pattern that keeps reappearing across accounts and sessions. That is why persistent identifiers matter: they expose repetition that account-level controls do not naturally see. The practitioner takeaway is to govern abuse at the device layer, not just at the login layer.

Device intelligence becomes a governance control when it turns hidden reuse into observable behaviour. A single device can support multiple identities, multiple sessions, and multiple abuse attempts without changing its technical fingerprint enough to avoid detection. That makes high-activity scoring more than a fraud feature. It is a way to make repeat abuse measurable in environments where user identity alone is too easy to rotate.

Identity blast radius: the real risk is not one compromised account but one device repeatedly re-entering the environment through different identities. That framing applies across fraud, IAM, and session governance because the attack surface is the pattern of reuse, not the individual login. Once teams see the device as the durable actor, they can align risk scoring, challenge logic, and containment around the true source of repetition.

Fraud operations and identity governance need a shared view of repeat behaviour. Security teams frequently split authentication, account protection, and fraud response into separate workflows, which creates blind spots when the same device keeps resurfacing. The most effective response is not a single control but a common interpretation of recurring device activity across channels. Practitioner conclusion: the organisation should treat high-activity device signals as governance evidence, not just detection telemetry.

From our research:

  • 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • That visibility gap is why teams should pair device intelligence with lifecycle controls from the NHI Lifecycle Management Guide when abuse patterns involve non-human access.

What this signals

Identity blast radius: high-activity device signals show why repeat abuse should be treated as a lifecycle problem, not only a login problem. When the same device keeps resurfacing, the programme needs a way to connect authentication events, session behaviour, and fraud escalation into one control story.

Device intelligence will matter more as environments blend human users, scripts, and embedded sessions. Teams that already separate fraud operations from IAM will struggle to see recurring abuse patterns unless they create a shared review model for persistent device activity and session risk.

The governance signal is clear: if the organisation cannot explain why the same device is active across multiple accounts, it cannot reliably explain where the abuse boundary begins. That is the point at which detection should feed into access policy, challenge logic, and lifecycle review, not sit in a separate console.


For practitioners

  • Cluster repeat device behaviour across accounts: Correlate persistent identifiers, IP reputation, and session timing so the same device cannot evade review by switching user accounts or browser states.
  • Apply step-up controls to high-risk device patterns: Trigger additional verification when a device exceeds expected activity thresholds or reappears across multiple sensitive workflows.
  • Separate legitimate reuse from scaled abuse: Define review rules for customer support, shared devices, and power users so investigators can distinguish normal repetition from coordinated fraud.
  • Feed device signals into fraud and IAM workflows: Use the same high-activity indicators in account protection, anti-bot, and session-risk processes so response decisions are consistent across teams.
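
The device-level clustering described in the technical breakdown and in the first three items above, as an added example (not code from Fingerprint or NHI Mgmt Group): events are grouped by persistent device identifier, scored over a sliding window, and routed to allow, analyst review, or step-up. The device IDs, thresholds, window length, and shared-device allowlist are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All values below are constructed assumptions for illustration.
WINDOW = timedelta(minutes=10)      # sliding window per device
MAX_ACCOUNTS = 3                    # distinct accounts tolerated per window
MAX_EVENTS = 20                     # total events tolerated per window
SHARED_DEVICES = {"dev-kiosk"}      # reviewed shared devices (support desk, kiosk)
RANK = {"allow": 0, "review": 1, "step_up": 2}

# Constructed sample events: (ISO timestamp, device_id, account, event type).
EVENTS = (
    # One device, five accounts in five minutes, every login successful.
    [(f"2025-08-25T10:0{i}:00", "dev-a1", f"user{i}", "login_ok") for i in range(5)]
    # One device, four accounts, but an hour apart: outside the window.
    + [(f"2025-08-25T1{i}:00:00", "dev-c3", f"cust{i}", "login_ok") for i in range(4)]
    # Known shared device with four staff accounts in four minutes.
    + [(f"2025-08-25T09:0{i}:00", "dev-kiosk", f"staff{i}", "login_ok") for i in range(4)]
    # Ordinary repeat use: one account, three logins.
    + [(f"2025-08-25T0{h}:30:00", "dev-b2", "alice", "login_ok") for h in (7, 8, 9)]
)

def score_devices(events, window=WINDOW):
    """Return {device_id: worst decision seen} from per-device sliding windows."""
    recent = defaultdict(deque)     # device_id -> (time, account) inside the window
    decisions = {}
    # Event type is ignored on purpose: a successful login counts like any other event.
    for ts, device, account, _kind in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[device]
        q.append((now, account))
        while now - q[0][0] > window:          # expire events older than the window
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) > MAX_ACCOUNTS or len(q) > MAX_EVENTS:
            # Allowlisted shared devices go to an analyst instead of a user challenge.
            level = "review" if device in SHARED_DEVICES else "step_up"
        else:
            level = "allow"
        if RANK[level] >= RANK[decisions.get(device, "allow")]:
            decisions[device] = level
    return decisions

if __name__ == "__main__":
    for device, decision in sorted(score_devices(EVENTS).items()):
        print(device, decision)
```

Every sample login succeeds, yet dev-a1 is still sent to step-up because the signal is the number of accounts behind one device, not the outcome of any single authentication.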

Key takeaways

  • High-activity devices are valuable because they expose repeat abuse patterns that account-based controls often miss.
  • Persistent identifiers turn device reuse into a measurable signal, which helps teams distinguish legitimate repetition from scaled fraud.
  • The right response is shared governance across fraud, IAM, and session risk, not isolated detection in one team.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Device-based abuse detection supports access-control decisions before or after authentication.
NIST CSF 2.0 | DE.CM-7 | High-activity devices are a continuous monitoring signal for suspicious behaviour patterns.
NIST Zero Trust (SP 800-207) | | Zero trust requires continuous evaluation, not one-time authentication trust.

Treat repeated device activity as a condition for renewed trust decisions across the session lifecycle.


Key terms

  • High-Activity Device: A device or browser instance that generates repeated, concentrated, or unusually frequent events across accounts or sessions. In fraud and identity operations, the term matters because one device can drive scaled abuse even when individual logins appear legitimate.
  • Persistent Identifier: A durable signal used to recognise a device or browser over time, even when some session attributes change. In practice, it helps teams connect repeated behaviour to the same source and distinguish ordinary reuse from coordinated abuse or automation.
  • Scaled Abuse: High-volume misuse that is distributed across many requests, accounts, or sessions to avoid simple thresholds. It often looks like normal traffic in isolation, but the pattern becomes visible when device intelligence and behavioural correlation are applied together.


This post draws on content published by Fingerprint: How to spot high-activity devices and stop scaled abuse in its tracks. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-25.