TL;DR: Fraud teams can no longer rely on device fingerprints alone. Attackers spoof attributes, clear cookies, and rotate device profiles, whereas behavioural analysis spots emulators, automation, and low-and-slow fraud patterns, according to Arkose Labs. The governance lesson is that static identification and real-time intelligence must be layered, not treated as substitutes.
NHIMG editorial — based on content published by Arkose Labs: Account Security Are You Only Identifying Devices Or Actually Understanding Them?
Questions worth separating out
Q: How should security teams combine device identification and device intelligence?
A: Security teams should use device identification to recognise returning devices and device intelligence to evaluate whether the current session behaves normally.
Q: Why do static device fingerprints fail against modern fraud?
A: Static fingerprints fail because attackers can spoof browser and hardware attributes, clear cookies, and rotate device configurations quickly enough to break simple matching.
Q: How do you know if device intelligence is actually working?
A: You know it is working when the system can distinguish automation, emulators, fraud farms, and normal user variation without overblocking legitimate customers.
Practitioner guidance
- Combine device history with behavioural scoring: Use persistent device identification and real-time behaviour analysis together for account takeover, scraping, and fraud detection.
- Tune separate responses for bot and human fraud: Map volumetric bot traffic to automated blocking and challenge flows, while sending low-and-slow patterns to analyst review or stepped-up verification.
- Watch for emulator and virtual machine indicators: Include environment checks for emulators, virtual machines, and inconsistent device attributes in your fraud telemetry.
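The three points above can be combined into one per-device decision. The sketch below is an added example, not code from Arkose Labs or NHIMG: it layers device history, behaviour over time, and environment flags, then routes each device to a response. The event fields, thresholds, action names, and the choice to step up on environment flags alone are assumptions made for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own traffic.
VOLUMETRIC_PER_MIN = 30   # requests in any 60-second window
LOW_SLOW_ACCOUNTS = 4     # distinct accounts reached from one device

def peak_per_minute(times):
    """Largest number of events in any 60-second sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= 60:
            start += 1
        best = max(best, end - start + 1)
    return best

def decide(events, known_devices):
    """Return {device: (action, reasons)} from events and device history."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    out = {}
    for dev, evs in by_device.items():
        reasons = []
        if any(e["emulator"] for e in evs):
            reasons.append("emulator_or_vm")
        if not all(e["attrs_ok"] for e in evs):
            reasons.append("inconsistent_attributes")
        if peak_per_minute([e["ts"] for e in evs]) >= VOLUMETRIC_PER_MIN:
            action = "block"            # volumetric bot traffic (or challenge)
            reasons.append("volumetric")
        elif len({e["account"] for e in evs}) >= LOW_SLOW_ACCOUNTS:
            action = "analyst_review"   # low-and-slow pattern
            reasons.append("low_and_slow")
        else:
            action = "step_up" if reasons else "allow"
        if dev not in known_devices:
            reasons.append("new_device")  # context only, never a verdict alone
        out[dev] = (action, reasons)
    return out

# Constructed sample events (not real telemetry); ts is in seconds.
def ev(ts, device, account, emulator=False, attrs_ok=True):
    return {"ts": ts, "device": device, "account": account,
            "emulator": emulator, "attrs_ok": attrs_ok}

SAMPLE = ([ev(i, "dev-bot", "acct-1") for i in range(40)]
          + [ev(h * 3600, "dev-known", f"acct-{h}") for h in range(5)]
          + [ev(10, "dev-emu", "acct-9", emulator=True)]
          + [ev(20, "dev-new", "acct-7"), ev(500, "dev-new", "acct-7")])
KNOWN = {"dev-known", "dev-bot"}  # devices already recognised by identification
```

In the sample, `dev-known` is a recognised device with consistent attributes, yet it is still sent to analyst review because of its behaviour, while the unrecognised `dev-new` is allowed.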
What's in the full article
Arkose Labs' full analysis covers the operational detail this post intentionally leaves for the source:
- Specific behavioural signals used to score device risk, including cadence, movement, and navigation patterns
- Operational distinctions between bot swarms, fraud farms, and human-driven low-and-slow abuse
- How device history is combined with live session evidence in risk decisions
- Evaluation questions for teams comparing layered fraud controls