TL;DR: Traditional device fingerprinting is breaking under privacy pressure, standardized endpoints, and attacker spoofing, pushing security teams toward layered and behavioural identification that can still distinguish collision, division, and persistence issues, according to Arkose Labs. The governance problem is no longer device recognition alone but whether identity controls can maintain reliable, compliant trust signals without assuming static device attributes.
NHIMG editorial — based on content published by Arkose Labs: device identity beyond traditional fingerprinting and the shift to behavioural recognition
Questions worth separating out
Q: How should security teams handle device identity when fingerprinting becomes unreliable?
A: Teams should move from static fingerprinting to layered device identity that combines behavioural signals, persistence rules, and context-aware risk scoring.
Q: Why do standardised devices create problems for device-based security controls?
A: Standardised devices compress entropy, so many legitimate endpoints look alike to a fingerprinting engine.
Q: What do teams get wrong about device persistence?
A: They often treat persistence as a single yes-or-no property when it actually has separate session, cross-session, and long-term meanings.
Practitioner guidance
- Audit fingerprint collision rates across managed fleets: measure how often standard corporate devices produce indistinguishable signatures across operating-system, browser, and hardware combinations.
- Set separate persistence rules for session, cross-session, and long-term trust: define when a device should stay recognised during an active session, across logins, and across software changes.
- Add behavioural signals to high-risk device decisions: augment static identification with interaction timing, typing cadence, and navigation flow on flows where spoofing or privacy tooling already weakens device certainty.
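As an added example of the collision audit in the first item above (this is not Arkose Labs' or NHIMG's code), the Python routine below takes constructed (asset id, signature) observations from a managed fleet and reports how many assets share a signature (collision) and how many assets show up under more than one signature (division, for instance after a browser update). The asset ids, the (os, browser, hardware) tuples and the idea of joining web-tier fingerprints to an inventory asset id are all assumptions for the sample.

```python
from collections import defaultdict

# Constructed sample telemetry, not real data: each record pairs a stable
# asset id (assumed to come from the device inventory) with the fingerprint
# signature the web tier derived from (os, browser, hardware) attributes.
SAMPLE_OBSERVATIONS = [
    ("asset-001", ("Windows 11", "Edge 124", "Dell Latitude 5540")),
    ("asset-002", ("Windows 11", "Edge 124", "Dell Latitude 5540")),
    ("asset-003", ("Windows 11", "Edge 124", "Dell Latitude 5540")),
    ("asset-004", ("macOS 14", "Chrome 124", "MacBook Pro 14")),
    # Same device after a browser update: one asset, a second signature.
    ("asset-004", ("macOS 14", "Chrome 125", "MacBook Pro 14")),
    ("asset-005", ("macOS 14", "Safari 17", "MacBook Air 13")),
]


def _index(observations):
    """Build both directions of the asset <-> signature mapping."""
    assets_by_sig = defaultdict(set)
    sigs_by_asset = defaultdict(set)
    for asset_id, sig in observations:
        assets_by_sig[sig].add(asset_id)
        sigs_by_asset[asset_id].add(sig)
    return assets_by_sig, sigs_by_asset


def audit_fingerprints(observations):
    """Collision rate: share of assets whose signature is also produced by
    another asset. Division rate: share of assets seen under more than one
    signature. Both are fractions of the distinct assets observed."""
    assets_by_sig, sigs_by_asset = _index(observations)
    total_assets = len(sigs_by_asset)
    colliding = {a for a, sigs in sigs_by_asset.items()
                 if any(len(assets_by_sig[s]) > 1 for s in sigs)}
    divided = {a for a, sigs in sigs_by_asset.items() if len(sigs) > 1}
    return {
        "assets": total_assets,
        "distinct_signatures": len(assets_by_sig),
        "collision_rate": len(colliding) / total_assets,
        "division_rate": len(divided) / total_assets,
        "largest_collision_group": max(len(a) for a in assets_by_sig.values()),
    }


def collision_groups(observations):
    """Map each colliding signature to the sorted assets that share it, so a
    team can see which OS/browser/hardware combinations are indistinguishable."""
    assets_by_sig, _ = _index(observations)
    return {sig: sorted(assets) for sig, assets in assets_by_sig.items()
            if len(assets) > 1}


if __name__ == "__main__":
    print(audit_fingerprints(SAMPLE_OBSERVATIONS))
    print(collision_groups(SAMPLE_OBSERVATIONS))
```

On the sample, three of five assets collide on one Windows/Edge/Dell signature and one asset is divided across two signatures, which is the kind of result that tells a team a fingerprint alone cannot carry a persistence decision for that fleet.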
What's in the full article
Arkose Labs' full article covers the operational detail this post intentionally leaves for the source:
- Technical examples of how collision, division, and persistence appear in live fraud and access environments
- Implementation detail on local storage tracking and anonymous telemetry for device recognition
- Operational guidance on combining bot management with device ID for mixed threat patterns
- Discussion of how AI-powered evasion changes the detection model over time
👉 Read Arkose Labs' analysis of device fingerprinting limits and behavioural device ID →
Device identity and behavioral recognition: are your controls keeping up?
Explore further
Device identity now fails for the same reason many identity controls fail under modern pressure: it assumes stable attributes in a system built for change. Static fingerprints were designed for an environment where browser state, endpoint configuration, and network context moved slowly enough to be useful. That assumption breaks when privacy tooling randomises signals, operating systems update continuously, and attackers can imitate common device profiles. The implication is that device identity has to be treated as a changing trust signal, not a fixed attribute set.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- The same research found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly identity scope can outrun governance.
A question worth separating out:
Q: How can organisations reduce device rotation abuse without hurting user experience?
A: Use layered scoring that links device continuity, behavioural consistency, and transaction context before deciding whether a session should be challenged. That approach reduces reliance on any one identifier and makes rotation attacks harder to sustain. The right balance is to challenge suspicious combinations, not every device change.
👉 Read our full editorial: Device identity is moving beyond fingerprinting and static trust