Samuel_Jemston
Sep 05, 2021

What are the differences between Device ID and Device ID+?

Hi everyone,

 

I have been reading about Device ID+ recently and I want to know the difference between the existing Device ID on F5 and the new Device ID+ from Shape.

  1. Do both work based on JavaScript?
  2. What is there in Device ID+ that is not in Device ID?

 

Regards

Sam

  • Hi Sam,

     

    To compare the two might be worth a DevCentral article. However, I will keep it short.

     

    Device ID is an ASM / AdvWAF feature. The BIG-IP uses JavaScript to create a device ID from the client. The JavaScript tries to obtain various signals from the client to retrieve attributes like the browser type and version, installed updates, installed fonts, and others. The BIG-IP stores the device ID in the TSPD101 cookie.

    This information can be used for example with brute force attack prevention or web scraping protection.

     

    Device ID+ is from Shape and uses more advanced methods for signal collection. The data is processed by Shape using AI and ML; the Shape API is called during the process of creating the cookie.

    This will create a different kind of cookie, a Device ID+ cookie which contains the following values.

    • diA is known as the “residue-based identifier”. It is the main identifier used directly after the username in our example. This value is stored locally on the device and may be deleted if the user clears their local storage or cookies.
    • diB is known as the “attribute-based identifier”. This value will remain the same even when the user clears local storage. Keep in mind, it can change if the user upgrades their browser version as it is based on environment signals that remain consistent across browser versions.

     

    This is just a really brief technical comparison. Use cases, deployment scenarios - all this is explained in more detail in these two links:

    K19556739: Overview of BIG-IP ASM client fingerprinting

    Use cases for Device ID (also called client fingerprinting) are at the bottom of this overview, see Supplemental Information.

    About F5 Device ID+

    Use cases for DID you can find:

    • here: https://devcentral.f5.com/s/articles/Building-a-Fraud-Profile-with-Device-ID-Part-1
    • and here: https://devcentral.f5.com/s/articles/DeviceID-with-APM-and-API-Server

     

    KR

    Daniel
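
As an added example (not from the thread or from F5), here is one way a login service could use the two identifiers as described in the answer above: a changed diA with an unchanged diB is treated as cleared storage, and one diB seen with many usernames is flagged for brute-force review. The event fields, helper names and identifier values are assumptions constructed for illustration, and the code assumes diA and diB have already been extracted from the Device ID+ cookie.

```python
from collections import defaultdict

# Constructed sample events (not real data). Assumes the application has
# already extracted diA and diB from the Device ID+ cookie at login time.
EVENTS = [
    {"user": "alice", "diA": "A-1001", "diB": "B-77"},
    {"user": "alice", "diA": "A-1001", "diB": "B-77"},
    {"user": "alice", "diA": "A-1002", "diB": "B-77"},
    {"user": "alice", "diA": "A-2001", "diB": "B-90"},
    {"user": "bob",   "diA": "A-3001", "diB": "B-55"},
    {"user": "carol", "diA": "A-3002", "diB": "B-55"},
    {"user": "dave",  "diA": "A-3003", "diB": "B-55"},
]

def classify_logins(events):
    """Label each login relative to what was seen earlier for the same user."""
    seen_a, seen_b = defaultdict(set), defaultdict(set)
    labels = []
    for e in events:
        user, a, b = e["user"], e["diA"], e["diB"]
        if not seen_a[user]:
            label = "first_seen"
        elif a in seen_a[user]:
            label = "known_device"
        elif b in seen_b[user]:
            # diA is gone but diB matches: consistent with cleared storage/cookies.
            label = "storage_cleared"
        else:
            # Both differ: a new device, or diB moved after a browser upgrade.
            label = "new_device"
        seen_a[user].add(a)
        seen_b[user].add(b)
        labels.append(label)
    return labels

def shared_devices(events, min_users=3):
    """Return diB values used with at least min_users distinct usernames."""
    users_by_b = defaultdict(set)
    for e in events:
        users_by_b[e["diB"]].add(e["user"])
    return {b: sorted(u) for b, u in users_by_b.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(classify_logins(EVENTS))
    print(shared_devices(EVENTS))
```

Keying the shared-device check on diB rather than diA means it still fires when the client clears cookies or local storage between attempts.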

  • Thanks a lot for the quick response Daniel,

    Now I understand the difference, will go through the KB article.

    Thanks again.

     

    Regards

    Sam