Device Check

What is Device Check?

Device Check is a verification process that runs on the end user’s device, without the need for any user interaction. It can be loaded by web browsers and mobile applications, completely preserving end users’ privacy. Its purpose is to spot any type of automation framework, spoofed environment or programmatic access to the interfaces.

In simple terms, Device Check acts like a CAPTCHA, without prompting any challenge to the end user. The verification runs automatically:

  • if the requester is a legitimate human user, the requested content is loaded
  • if the request comes from a bot, it is blocked or additionally challenged

Why Device Check?

Device Check supports DataDome’s bot protection with several benefits:

  • sophisticated and evasive bots can be detected from their first requests;
  • limited friction on user experience, reducing the false positive rate and the usage of CAPTCHA;
  • the protection level can be increased in sensitive contexts, proposing a more aggressive response;
  • users’ privacy is completely preserved, as no personal information is collected during the verification.

How does Device Check work?

Device Check is used in two scenarios:

  • When a bot is detected by DataDome, but the evidence of bot activity is not strong enough to block it or challenge it with a CAPTCHA
  • When a request is suspicious and the requested resource or the request context presents potential risks

In both cases, JavaScript code is executed client-side to collect hundreds of signals and run several checks on the device and environment. The result of the check is then sent back to DataDome, which returns the final decision: either blocking a malicious actor or redirecting to the requested resource. If additional information is still needed to make the final decision, DataDome can challenge the requester with a CAPTCHA.

Since no user interaction is required, behavioral models are not applied to analyze the signals collected by Device Check. Instead, client and device fingerprinting techniques are leveraged, together with specific automated challenges capable of detecting spoofed environments and devices.

Device Check is fully operational on web browsers, mobile browsers and mobile apps.

How often are end users verified with Device Check?

Device Check is only applied for suspicious requests, hence the majority of legitimate end users should never be verified by it. Nevertheless, there are contexts where the usage of a client-side check is particularly beneficial for protection, resulting in a wider usage on legitimate users. In any case, once a legitimate user is verified with Device Check, DataDome remembers the outcome and does not repeat the verification.

Visual customization

On the relatively rare occasions when a legitimate end user’s device is verified by DataDome’s Device Check, a simple page is displayed, informing the user of the ongoing verification.

The page is translated into 38 languages, and administrators can customize it per domain directly from the DataDome Dashboard, under “Management” > “Response Pages”.

The available options for customization are:

  • A logo to upload;
  • The two colors used to render the spinner element;
  • The duration before redirection to the requested content (to give end users time to read the short message indicating that a verification is being performed);
  • An “invisible mode”, in which no visual content is displayed to the end user and the redirection to the target resource is triggered as soon as the check completes.

Is Device Check compatible with any device?

If DataDome is correctly integrated, Device Check is compatible with all web browsers and mobile apps.

DataDome’s JS Tag must be correctly integrated in the web pages that originate XHR/fetch requests protected by DataDome.

Like DataDome CAPTCHA, Device Check is supported for the following browsers:

  • Chrome ≥ 60
  • Firefox ≥ 55
  • Edge ≥ 80
  • Opera ≥ 50
  • Yandex ≥ 14
  • Safari ≥ 9.1
  • Internet Explorer 11

What data is collected by Device Check?

No personal information is collected by Device Check. Only technical details are inspected, including:

  • Screen details:
    • max resolution
    • current resolution
    • screen size
    • video quality
    • touch actions supported
  • Environment information:
    • audio and video codecs used
    • supported media extensions
    • active plugins
    • checks on browser type and version
  • Hardware information:
    • CPUs
    • GPUs
  • JavaScript challenges:
    • JS functions whose results prove the consistency of the collected information
    • Rendering of canvases
    • Execution times
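
To illustrate what "proving the consistency of the collected information" can mean, here is an added example (not DataDome's code) of a server-side cross-check over a reported signal payload. All field names, rule names and sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not DataDome's code. All field and rule names are hypothetical.
// Each rule cross-checks signals that must agree on a genuine device.
const RULES = [
  // The current resolution cannot exceed the maximum the display reports.
  ["screen-exceeds-max", (s) =>
    s.screen.width > s.screen.maxWidth || s.screen.height > s.screen.maxHeight],
  // A browser type that implies a phone or tablet must support touch actions.
  ["mobile-ua-without-touch", (s) =>
    /Android|iPhone|iPad/.test(s.userAgent) && s.maxTouchPoints === 0],
  // The CPU count must be a positive integer.
  ["implausible-cpu-count", (s) =>
    !Number.isInteger(s.cpuCores) || s.cpuCores < 1],
  // Rendering the same canvas twice must give the same digest.
  ["unstable-canvas", (s) => new Set(s.canvasDigests).size !== 1],
  // A challenge that actually ran must report a positive, finite duration.
  ["implausible-timing", (s) =>
    !Number.isFinite(s.challengeMs) || s.challengeMs <= 0],
];

// Returns the names of all rules the payload violates (empty array = consistent).
function findInconsistencies(signals) {
  return RULES.filter(([, violated]) => violated(signals)).map(([name]) => name);
}

// Constructed sample payloads (not captured from any real device).
const CONSISTENT_SAMPLE = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/604.1",
  screen: { width: 390, height: 844, maxWidth: 390, maxHeight: 844 },
  maxTouchPoints: 5,
  cpuCores: 6,
  canvasDigests: ["9f2c41", "9f2c41"],
  challengeMs: 12.5,
};
// Same claimed browser, but the screen, touch and canvas signals contradict it.
const SPOOFED_SAMPLE = {
  ...CONSISTENT_SAMPLE,
  screen: { width: 1920, height: 1080, maxWidth: 390, maxHeight: 844 },
  maxTouchPoints: 0,
  canvasDigests: ["9f2c41", "03ab7e"],
};

console.log(findInconsistencies(CONSISTENT_SAMPLE));
console.log(findInconsistencies(SPOOFED_SAMPLE));
```

The returned findings are inputs to the server-side decision; in the flow described earlier, an inconclusive result can still lead to a CAPTCHA.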

How to activate Device Check?

There is no need to activate Device Check: it is available by default for all customers and it is triggered based on the outcomes of DataDome’s detection models. For those detection models triggering a Device Check response, it is not possible to replace it with a CAPTCHA or Block response. Similarly, Device Check cannot be forced by customers with custom rules, nor be used to override a CAPTCHA or Block response associated with an existing detection model.

Does Device Check work in China (Behind the China Firewall)?

Yes. It has been tested in several towns in China.