F5 Device ID+ FAQ

Q: What is F5 Device ID+?

F5 Device ID+ is a real-time, high-precision device identifier that utilizes advanced signal collection and proven machine learning algorithms to assign a unique identifier to each device visiting your site. Deployment is simple, with immediate benefits for the security, networking, fraud, and digital teams. Best of all, Device ID+ is free. Never has understanding the unique devices visiting your applications been so easy.


Q: Is Device ID+ really free?

Device ID+ is free to F5 customers with up to 20 million unique devices per year.


Q: Why would F5 offer Device ID+ for free?

As a security leader, F5 wants to give back to the security community. Because Device ID+ is so easy to deploy and so easy to consume, it is an easy way for us to give back to you.


Q: What are the benefits of Device ID+?

Customers can leverage Device ID+ in support of multiple use cases:

  • Strengthen application security. Strengthen attack detection and mitigation analysis through accurate device identification. Recognize returning devices that your security systems have already flagged as suspicious.
  • Optimize traffic management. Incorporate a unique device identifier into routing logic to better manage and optimize network traffic. Identify devices even when malicious actors manipulate Layer 7 data.
  • Mitigate fraud and risk. Monitor customer behavior across new account creation, user authentication, e-commerce checkout, and financial transactions to keep customers safe.
  • Personalize and accelerate online experiences. Make login, checkout, and authentication seamless for known returning users and devices. F5 has demonstrated through A/B testing that reducing security friction increases revenue, and device identification is an important element in any strategy for friction reduction.

Q: What is unique about F5 Device ID+?

F5 leads the market with the highest quality device identifier.

  • Device ID+ is built on signals that Shape Security (acquired by F5) developed over years of battling advanced persistent attackers targeting the world’s largest retailers and financial institutions.
  • F5 continuously refines its signal collection, ensuring identifier uniqueness and persistence based on machine learning algorithms that run over the dataset F5 has built by processing over two billion transactions per day.
  • F5 can prevent attackers tampering with signal collection through its industry-leading code obfuscation technology.

Q: How does Device ID+ work?

When a user visits your website, Device ID+ leverages JavaScript to collect information about the browser, device OS, hardware, and network configuration. These attributes feed into the Device ID+ service built on industry-recognized AI and machine learning capabilities. The data is processed in real time, and a unique identifier is assigned to the device, unless it is already a known device. For returning devices, behavior, actions, and other properties can be recorded, learned, and studied to facilitate the reduction of fraud and a smooth experience for known good users.


Q: Does Device ID+ depend on any F5 product or version?

No. Device ID+ is an independent product not dependent on any other F5 product.


Q: Does Device ID+ use browser attributes?

Yes, the JavaScript deployed as part of Device ID+ collects attributes of the browser. Indeed, F5 invests heavily and utilizes advanced AI to determine which attributes to collect to construct the most effective device identifier.


Q: How can I get started with Device ID+?

Deploying Device ID+ is as simple as adding a JavaScript tag to your website.

There are many easy ways to add a script tag. F5 BIG-IP customers may use a freely provided iApp. Shape Enterprise Defense and Silverline customers may reach out to their managed service team to add the tag through configuration. Users of content management systems or tag managers may use these tools to add the tag. And that’s it. You’re up and running.

With the tag inline, you gain the benefits by consuming the identifier via a cookie. You can integrate the identifier into your application’s real-time behavior or log it to your SIEM for richer analysis.

Subscribe to the free Device ID+ service via the F5 Cloud Services portal, talk to your F5 account rep, or email deviceidplus@f5.com to get started with Device ID+ today.


Q: Can Device ID+ be used to extend session length?

Device ID+ can be incorporated into a solution for session extension. It is more persistent than cookie-based identifiers normally used to track sessions. In addition to Device ID+, F5 offers Recognize, a SaaS-based solution that offers additional intelligence that can be leveraged to recommend whether a given device should be eligible for an extended session..


Q: Can Device ID+ be used to detect fraud?

Device ID+ can be used in tandem with log analysis to help detect fraud. In addition to Device ID+, F5 offers SAFE (Shape AI Fraud Engine), a SaaS-based solution designed to prevent, detect, and remediate fraudulent transactions before they cause financial losses.


Q: Can Device ID+ be used to stop bots to prevent credential stuffing and scraping?

Device ID+ can be incorporated into an anti-bot solution to detect patterns of automation. However, stopping malicious automation is a difficult problem, and we don’t recommend using Device ID+ alone to deal with these types of problems. F5 provides a fully managed anti-bot defense through Shape Enterprise Defense and Shape Silverline Defense. These F5 services defend the world’s largest retailers and financial institutions from the tremendous costs of scraping and account takeovers through credential stuffing, and we’d be happy to discuss how we could best protect your enterprise.


Q: Does Device ID+ include reporting/dashboards?

Dashboards will be provided via the F5 Cloud Services portal in January 2021. The dashboards will provide aggregated insights that can be used to provide indications of fraud, login friction, and other issues.


Q: Does Device ID+ collect personal information?

Device ID+ stores pseudonymized personal data, which consists only of IP addresses and the device identifiers themselves that the service generates. Pseudonymized data is data that cannot be used to identify a person without additional information.

Device ID+ does not capture data that users enter into applications such as usernames, emails, and credit card numbers. Data collection is limited to that which is necessary to deliver the Device ID+ service.


Q: What kind of data is collected by Device ID+?

The meta-data that goes into assigning a device identifier falls into four categories:

  • Browser information, such as browser type, browser version, plugins, fonts etc.
  • Hardware, such as whether the traffic is coming from a laptop or mobile device, etc.
  • Type of operating system, such as Windows, Linux, etc.
  • Network information, such as IP addresses, User Agents etc.

Q: Is data obfuscated and is it transmitted securely?

1JS, which powers Device ID+, is significantly obfuscated. That makes defeating it sufficiently difficult. 1JS collects the signals required to calculate Device ID+. All data is transmitted securely to the F5 cloud after being base64 encoded and encrypted via TLS.


Q: Are the API calls triggered by the 1JS asynchronous?

Yes.


Q: What kind of latency is expected?

1JS runs asynchronously, thus the browser continues running even if the request has not yet finished. The API response and network latency are expected to take approximately 200ms.


Q: Will 1JS interfere with my website?

1JS is loaded asynchronously to avoid any performance impact during page loading. The execution of 1JS does not delay page loading.


Q: Do I need 1JS on all web pages?

Yes, injecting 1JS on all pages maximizes the probability of having a Device ID+ response for every session. With 1JS on every page, the lack of a Device ID+ response cookie for a transaction is an indicator that the cookie has been removed from the browser, which is a likely indicator of fraud.