TL;DR: Static device fingerprinting creates division and collision problems as browsers update, privacy tools randomise signals, and shared environments make different devices look identical, according to Arkose Labs. Device identity for fraud control now has to treat change as a signal, not just noise, because persistent reputation is only useful when the underlying identity is stable.
NHIMG editorial — based on content published by Arkose Labs: Device ID Fingerprinting Is Broken. Here’s How We Fixed It
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams handle device identity when fingerprints change over time?
A: Security teams should treat device identity as a continuity problem, not a one-time match.
Q: Why do static device fingerprints create false positives and false negatives?
A: Static fingerprints create false negatives when one device fragments into many IDs after signal changes, because historical risk no longer follows the same entity.
Q: What do fraud teams get wrong about device collision and division?
A: Teams often treat collision and division as tuning issues, but they are structural limits of snapshot-based identity.
Practitioner guidance
- Inventory where static fingerprints feed risk decisions Trace every fraud, step-up, and reputation workflow that depends on a single device hash, then mark where exact-match logic can fragment histories or merge unrelated users.
- Segment shared-infrastructure environments from unique-device workflows Separate corporate networks, campus networks, shared VDI, and common hardware pools from higher-confidence device contexts so collision-prone traffic does not contaminate the same reputation logic.
- Preserve device history across signal drift Keep a continuous record of past associations, prior risk decisions, and known behaviour so browser updates or network changes do not erase identity continuity.
What's in the full article
Arkose Labs' full blog post covers the operational detail this post intentionally leaves for the source:
- How Arkose Labs describes its stateless and stateful identification workflow for device continuity.
- The specific collision and division patterns the vendor says it observed across production traffic.
- The practical impact on fraud friction, false positives, and historical device reputation handling.
- How the vendor frames adversarial homogenization in the context of device identity evasion.
👉 Read Arkose Labs' analysis of why device fingerprinting breaks →
Device ID fingerprinting: what changes when signals keep moving?
Explore further
Static device fingerprinting is an identity control that assumes the device stays functionally still. That assumption breaks in modern web environments where browsers patch, privacy tools randomise signals, and shared networks blur separation. The failure is not just technical noise, it is governance drift, because the control cannot preserve a stable device record long enough to support reliable fraud decisions. Practitioners should treat this as a broken identity premise, not a tuning problem.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- That visibility gap matters because 97% of NHIs carry excessive privileges, widening the impact of identity mistakes across machine and automated access paths.
A question worth separating out:
Q: How can organisations decide whether device identity is reliable enough for risk scoring?
A: Use reliability tests that look for stable attribution over time, not just first-seen accuracy. Check whether the same device can be recognised after routine browser changes, whether shared environments are producing overlapping IDs, and whether historical fraud behaviour stays attached to the right entity. If those signals fail, the identity layer is not ready for high-stakes scoring.
👉 Read our full editorial: Device ID fingerprinting breaks when devices become dynamic