The challenge
Third-party cookies, once the backbone of cross-site device identification, are effectively obsolete. Safari has blocked them since 2017. Firefox since 2019. Chrome completed the transition in 2024. The tracking infrastructure that the fraud industry relied on for device continuity has been systematically dismantled by browser vendors, for legitimate privacy reasons that nonetheless create real problems for fraud detection.
The question is: what replaces cookies as the basis for device identity? The answer cannot be localStorage or IndexedDB, since both are trivially clearable. It must be signals that are inherent to the device and browser, not stored by the application.
Our approach
Device Fingerprint v3 synthesises 140 passive signals collected during normal page load: canvas rendering characteristics, WebGL renderer and vendor strings, audio context fingerprint, font enumeration via CSS, hardware concurrency, device pixel ratio, and timezone offset, among others. No active probing. No permission requests. No storage writes.
// v3 fingerprint collection (client-side SDK)
const fp = await SerixoFP.collect({
  signals: ['canvas', 'webgl', 'audio', 'fonts', 'hardware'],
  timeout: 800, // ms; graceful degradation if signals are slow
  privacy: 'balanced', // omit highest-entropy signals in sensitive contexts
});
// fp.id → stable 64-byte fingerprint hash
// fp.conf → confidence score 0–1
// fp.stable → signals contributing to stability
Accuracy
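Added example, not Serixo's SDK or algorithm: one way already-collected signal groups could be reduced to the id, conf and stable fields shown in the snippet above, while degrading gracefully when a signal times out. The weights, the use of SHA-512 for a 64-byte hash, and treating canvas as the group omitted under 'balanced' are assumptions.

```javascript
// Added example: not the Serixo SDK. Weights and the high-entropy set are assumptions.
const { createHash } = require("node:crypto");

// Assumed relative weights per signal group (group names taken from the SDK call).
const WEIGHTS = { canvas: 0.3, webgl: 0.25, audio: 0.2, fonts: 0.15, hardware: 0.1 };
// Assumption: which groups a 'balanced' privacy mode would omit.
const HIGH_ENTROPY = new Set(["canvas"]);

// Serialize with sorted keys so property order never changes the hash.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// collected: { group: value | null }; null means the signal timed out.
function deriveFingerprint(collected, { privacy = "balanced" } = {}) {
  const stable = [];
  let have = 0, want = 0;
  for (const group of Object.keys(WEIGHTS).sort()) {
    if (privacy === "balanced" && HIGH_ENTROPY.has(group)) continue; // omitted by policy
    want += WEIGHTS[group];
    if (collected[group] == null) continue; // degraded: missing or timed out
    have += WEIGHTS[group];
    stable.push(group);
  }
  const material = canonical(stable.map((g) => [g, collected[g]]));
  return {
    id: createHash("sha512").update(material).digest("hex"), // 64 bytes = 128 hex chars
    conf: want === 0 ? 0 : Number((have / want).toFixed(2)),
    stable,
  };
}

// Constructed sample signals (not real device data).
const SAMPLE = {
  canvas: "c4f1", webgl: { vendor: "ExampleVendor", renderer: "ExampleGPU" },
  audio: 124.04, fonts: ["Arial", "Noto Sans"], hardware: { cores: 8, dpr: 2 },
};
```

Because a timed-out signal changes the hash input, the degraded id differs from the full-signal id for the same device; server-side matching should weigh conf before treating a changed id as a new device.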
Privacy
Device fingerprinting occupies a complex position in GDPR and ePrivacy regulation. Our legal analysis concludes that passive fingerprinting for fraud prevention purposes falls within the legitimate interests basis under Article 6(1)(f) GDPR, provided the fingerprint is not used for advertising or tracking purposes and is retained only for the fraud detection lifecycle. Our DPA template covers this explicitly.
Integration
Device Fingerprint v3 is available as a standalone SDK for customers who want fingerprinting without the full Serixo stack, and as a built-in signal source for customers on the full platform. The standalone SDK is 14 KB gzipped and adds approximately 40 ms to first contentful paint in our benchmarks, well within acceptable thresholds for production deployment.