Device Fingerprinting.
Identifying a device across sessions by combining many weak signals (user agent, screen size, fonts, canvas rendering, WebGL parameters) into a high-entropy identifier — used to detect device changes, account-takeover, and fraud.
The legitimate-interest argument for device fingerprinting in CIAM (fraud prevention, account-takeover defense) is generally defensible under GDPR; the marketing-adjacent uses (cross-site tracking) are not. The 2026 reality is that browsers are limiting fingerprinting entropy for cross-site tracking while still allowing it for the per-site security use case — first-party device-identity signals remain useful for fraud and ATO defense.
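How the first-party device-change check described above might look server-side, as an added example that is not from the original page: signals stored at enrollment are compared with those presented at login, weighted by how identifying each one is. The per-signal bit weights, thresholds, function names and sample values are all assumptions constructed for illustration.

```javascript
// Added example: weights, thresholds and sample values are constructed.
// Approximate identifying weight per signal, in bits (illustrative assumption).
const SIGNAL_BITS = { userAgent: 6, screen: 4, fonts: 8, canvas: 9, webgl: 7 };

// Compare the signals seen at enrollment with those presented at login.
// A signal missing on either side (blocked or randomised by the browser)
// is left out of the score instead of being counted as a mismatch.
function compareDevice(enrolled, presented) {
  let comparedBits = 0;
  let matchedBits = 0;
  const changed = [];
  for (const [name, bits] of Object.entries(SIGNAL_BITS)) {
    const a = enrolled[name];
    const b = presented[name];
    if (a == null || b == null) continue;
    comparedBits += bits;
    if (a === b) matchedBits += bits;
    else changed.push(name);
  }
  const score = comparedBits === 0 ? 0 : matchedBits / comparedBits;
  return { score, comparedBits, changed };
}

// Map the comparison to a login decision. Too little evidence never yields
// "recognized": the caller should fall back to a challenge in that case.
function assessLogin(enrolled, presented, opts = {}) {
  const { minBits = 15, sameDevice = 0.8 } = opts;
  const result = compareDevice(enrolled, presented);
  let decision;
  if (result.comparedBits < minBits) decision = "insufficient_signal";
  else if (result.score >= sameDevice) decision = "recognized";
  else decision = "device_changed";
  return { ...result, decision };
}

// Constructed sample profiles (values stand in for per-site signal digests).
const enrolled = { userAgent: "UA-A/120", screen: "1920x1080",
  fonts: "f:3a91", canvas: "c:77e0", webgl: "w:12bd" };
const afterUpdate = { ...enrolled, userAgent: "UA-A/121" }; // browser update only
const otherDevice = { userAgent: "UA-B/17", screen: "390x844",
  fonts: "f:9c02", canvas: "c:01aa", webgl: "w:fe45" };
const hardened = { userAgent: "UA-A/120", screen: "1920x1080" }; // canvas, fonts, WebGL blocked

for (const [label, p] of Object.entries({ afterUpdate, otherDevice, hardened })) {
  console.log(label, assessLogin(enrolled, p));
}
```

A browser that withholds the high-weight signals ends up in `insufficient_signal` rather than being treated as either a known or a changed device, which keeps the decision honest about how little it actually observed.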
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
Adaptive Risk-Based Authentication: Decisioning at Login
Adaptive auth scores each login against risk signals (device, geo, velocity, behavior) and challenges only when the score warrants. Patterns and where vendors diverge.