Device Fingerprinting
Device Fingerprinting
Challenge collects device and environment information after a user completes identity verification. This data helps security teams analyze verification events and detect anomalies or potential threats.
Overview
When a user successfully verifies their identity (e.g., via SAML or OIDC), they are shown a success page. In the background, Challenge runs a short device fingerprinting step before sending the completion notification to the requester (e.g., in Slack).
Why Device Fingerprinting?
Device fingerprinting supports:
- Security context – Browser, OS, and network information attached to the verification event
- Anomaly detection – Inconsistencies between sessions or devices can be reviewed by your team
- Audit trail – Richer metadata for compliance and incident response
Fingerprinting is best-effort. If collection fails or times out, the challenge is still marked verified and the requester is still notified; the notification may indicate that device information was not collected.
What Is Collected
Challenge collects the following (when available and permitted by the browser):
| Category | Examples |
|---|---|
| Browser | Browser name, version, user agent |
| Operating system | OS name and version |
| Screen | Resolution, color depth, orientation |
| Environment | Timezone, language, platform, cookies enabled |
| Hardware | CPU cores, device memory, touch points |
| Network | Public IP, optional geolocation (browser or IP-based) |
| Fingerprints | Basic canvas and WebGL renderer info (for stability) |
Geolocation is requested from the browser first; if the user denies or it is unavailable, Challenge may use IP-based geolocation from trusted third-party services. All collection runs in the user’s browser and is sent once to Challenge over HTTPS.
How It Works
After the user completes verification, Challenge collects device information in the background on the success page, then sends the completion notification to the requester (e.g., Slack) with whatever device context was gathered. If collection does not finish in time, the notification is still sent and the verification is still successful; the message may note that device information was not collected.
Troubleshooting
”Device information collection timed out” or missing device info
If the requester sees a message that device information collection timed out, or the notification has no device details, collection in the user’s browser did not complete in time or failed. Common causes and fixes are below.
Browser extensions blocking scripts or requests
Privacy and ad-blocking extensions often block fingerprinting-related scripts and third-party requests. That can prevent the fingerprint script from running or from loading resources it needs.
What to do:
- Identify likely extensions – Examples: uBlock Origin, Privacy Badger, Brave Shields, DuckDuckGo Privacy, or other ad/tracker blockers.
- Temporarily disable extensions – Ask the user to disable such extensions for the Challenge domain (e.g.
challenge.veraproof.io) or in a separate browser/profile, then retry the verification. - Use a clean profile – If possible, complete the challenge in a browser profile with no privacy/blocking extensions, or in a dedicated browser used only for verification.
If the script is blocked, collection can fail almost immediately and the notification will still be sent, often with a “timed out” or “device information not collected” message even though the real cause was blocking.
JavaScript disabled or restricted
The fingerprint step requires JavaScript.
What to do:
- Ensure JavaScript is enabled for the Challenge domain.
- If the organization uses policies that restrict or disable JavaScript, add an exception for the Challenge success page so the fingerprint script can run.
Location / geolocation permissions
Geolocation is optional but improves context. If the user denies location or the browser blocks it, Challenge may fall back to IP-based geolocation; in strict environments that can also be blocked.
What to do:
- Allow location when prompted – On the success page, if the browser asks for location permission, choosing “Allow” (at least for this session) lets Challenge use browser geolocation.
- Check site permissions – In browser settings (e.g. Site settings / Permissions for
challenge.veraproof.io), ensure Location is not set to “Block”. - Corporate policies – If location is disabled by policy, fingerprinting can still complete; only the geolocation part will be missing or IP-based.
Verification still succeeds
Even when device fingerprinting fails or times out:
- The challenge is still verified.
- The requester still receives the completion notification (e.g. in Slack).
- The notification may state that device information was not collected or timed out.
No need to re-run the challenge solely for device data; you can ask the user to retry in a different browser or with extensions disabled if you specifically need device information for that event.
Best practices
For administrators
- Document expectations – Tell users that a short “collecting device information” step may appear after verification and that they should allow it (and optionally location) if they want full context.
- Support guidance – Include in your support docs or runbooks that privacy/blocking extensions can cause “device information collection timed out” and that disabling them for the Challenge domain or using a clean profile resolves it when device info is required.
For users
- Allow the script – Avoid blocking the Challenge domain with ad or privacy blockers when completing verification.
- Location (optional) – Allowing location when the browser prompts can improve the device context in the notification.
- Use a supported browser – Complete verification in a modern, supported browser (e.g. Chrome, Firefox, Edge, Safari) with JavaScript enabled.
Support
For issues or questions about device fingerprinting, contact [email protected]. See also Success and Error Pages for how the success page and device fingerprinting status are shown to users.