Ask HN: Anyone using device/browser fingerprint in production?
2•the_arun•2h ago
Do any enterprises use fingerprintJS or thumbmarkJS in Production? Are they secure & compliant with user privacy? Any legal concerns?
Comments
bobbiechen•1h ago
Disclosure: I work on Device Fingerprinting at Stytch, for fraud and security use cases.
I don't think serious enterprises use the open-source versions of Fingerprint.js or ThumbmarkJS for fraud and security. Because they are open source, an attacker can just read the code, find out what they're doing, and test locally until they can construct whatever fingerprint they want. See https://github.com/kkoooqq/fakebrowser for an example that explicitly tests against Fingerprint.js.
Here are some public enterprises that do use Stytch's Device Fingerprinting, which is hardened against spoofing, for fraud prevention and security: Calendly, Replit, RH (Restoration Hardware), SoLo Funds, Groq, etc. Check out the Replit case study for details: https://stytch.com/customer-stories/replit
About compliance, privacy, and legal, this is specific to both the implementation and the use case. This is our docs page if it helps: https://stytch.com/docs/fraud/guides/device-fingerprinting/i... . Generally fraud prevention is considered legitimate interest / necessary processing. I can't speak for marketing or adtech use cases as that's not what our product is used for.