Device IDs, AI-powered fraud, and the trust gap in login flows

TL;DR: More than 70% of enterprises now rank identity-based attacks as a top concern, while 40% of those attacks are AI-powered and 88% of security professionals report rising bot activity, according to Arkose Labs. Device identification can reduce friction, but it does not remove the underlying trust problem in registration, login, and payments.

NHIMG editorial — what this means for NHI practitioners

By the numbers:

• 70% of enterprises consider identity-based attacks, ed attacks, including fake account creation and account takeovers, their top security concern.
• 40% of these attacks are AI-powered, reflecting the growing sophistication of modern threats.
• 88% of security professionals report a rise in AI-powered bot attacks, where bots can mimic trusted devices and identities to evade detection.

Questions worth separating out

Q: How should security teams use device identification without over-trusting it?

A: Use device identification as a correlation signal, not as proof of legitimacy.

Q: Why do AI-powered bots make identity-based fraud harder to stop?

A: AI-powered bots can adapt to challenge responses, mimic trusted device traits, and automate repeated attempts at scale.

Q: What breaks when device trust is treated as a standalone control?

A: Standalone device trust breaks when attackers reuse credentials, spoof browser signals, or simulate normal session behaviour long enough to pass a simple reputation check.

Practitioner guidance

• Treat device identity as a decision signal, not a trust verdict. Combine device identifiers with account age, credential history, session patterning, and transaction context before allowing access or payment completion.
• Harden recovery and step-up paths against AI-assisted abuse. Review password reset, account recovery, and challenge bypass logic for paths that reward a fraudster who has already mimicked a trusted device.
• Preserve lineage across device reputation changes. Version your device trust logic so historical fraud patterns remain visible after updates, and retain a mapping between old and new identifiers.

What's in the full announcement

Arkose Labs' full article covers the implementation detail this post intentionally leaves for the source:

• How Arkose Device ID creates persistent identifiers from browser configuration, hardware attributes, and session telemetry.
• How risk rules are tuned for registration, login, account takeover, account sharing, and payment workflows.
• How versioning preserves continuity between old and new identifiers when the underlying detection logic changes.
• How challenge bypass decisions are configured to reduce friction for returning devices without weakening enforcement.

👉 Read Arkose Labs' article on Arkose Device ID and AI-powered fraud →

Device IDs, AI-powered fraud, and the trust gap in login flows?

Explore further

View Full Forum →  |  NHI Foundation Course →