The pressure of bot threats is not decreasing for online businesses. The bot landscape is evolving fast, allowing an ever-growing audience of malicious actors to access advanced automated frameworks. As a result, the average sophistication level of bot attacks has increased over time, requiring protection strategies to dynamically adapt and react faster—without compromising precision. In this context, it may be difficult to find the right balance between highly reactive protection, blocking all bad bot requests, and the degradation of end users’ experience due to CAPTCHA challenges or unexpected restrictions.

With Device Check, DataDome offers a powerful tool to increase protection for businesses while safeguarding user experience.

What is Device Check?

Device Check is a verification process that runs on the end user’s device without the need for any user interaction. Its purpose is to spot any type of automation frameworks, spoofed environments or programmatic access to user interfaces. It can be loaded by web browsers and mobile applications, and minimizes data collection to preserve end users’ privacy.

In simple terms, Device Check acts like a CAPTCHA, but without prompting any challenge to the end user. The verification takes place quickly, after which:

• If the requester is a human user, the requested content is loaded automatically.
• If the request comes from a bot, it is blocked or additionally challenged.

How does Device Check work?

Device Check is used in three scenarios:

• When bot activity is detected with low confidence and a CAPTCHA response would not be appropriate due to the risk of false positives.
• When a request is suspicious and the target resource or the request context presents potential risks.
• When a customer wants to force all users accessing a critical resource to execute a proof of work and a fingerprinting challenge to ensure the authenticity of their device.

In all cases, a JavaScript (JS) code is executed client-side to collect hundreds of signals and perform several checkpoints on the device and environment. The result of the check is then sent back to DataDome, who returns the final result: either blocking a malicious actor or redirecting to the requested resource. If additional information is still needed to make the final decision, DataDome can challenge the requester with our secure, privacy-compliant, and user-friendly CAPTCHA.

Since no user interaction is required, behavioral models are not applied to analyze the signals collected by Device Check. Instead, client and device fingerprinting techniques are leveraged, together with specific automated challenges capable of detecting spoofed environments and devices.

Device Check is fully operational on web browsers, mobile browsers, and mobile apps.

How Device Check Reduces False Positives

To identify any areas of improvement in the feature, Device Check was activated in early access to protect the online shop of one of DataDome’s customers, a luxury brand. The product pages were targeted by intense scraping attacks, perpetrated by advanced bots that required an aggressive response from DataDome. This context caused an increase in the false positive rate of DataDome detection for the product pages only.

After deploying Device Check, the detection efficacy remained very high, while the number of CAPTCHAs passed decreased remarkably, reducing the overall false positive rate. Compared to the week preceding the activation of Device Check, the overall false positive rate observed on product pages for the week following the activation decreased by more than 80%.

Friction on user experience was also reduced by decreasing both the number of CAPTCHAs displayed to human users and the number of legitimate users verified with Device Check, as we utilized the feature conservatively. Only suspicious requests were challenged—and those challenged turned out to be over 99% bots. Out of more than 3.5M requests verified with Device Check, around 1000 were from legitimate human users.

Overall, Device Check reduced the already low number of human users served a CAPTCHA, because DataDome only proposes Device Check verification in cases of reasonable suspicion of bot threat—and users who pass Device Check don’t need to solve our CAPTCHA.

How Device Check Increases Protection Against Advanced Scraper Bots

An online classifieds leader in the APAC region was constantly attacked by advanced scraping bots, negatively impacting their business. Though DataDome was detecting most of them, the need for a very low false positive rate was limiting the reactiveness of DataDome’s response, causing a few bot requests to be authorized. Bots that got through were blocked after the emergence of behavioral patterns—but to offer full protection, scraping attempts needed to be intercepted from the very first request. Device Check was deployed in this context, initially on requests from limited regions, then all possible origins.

After enabling Device Check without regional restrictions, the bot detection rate increased by more than 60%. But the increase in the bot detection rate was not only due to the usage of Device Check; an intense attack was perpetrated after the activation. Device Check alone contributed to more than 9% of all detected bots, proving its effectiveness.

Moreover, the ratio of legitimate requesters verified with Device Check remained very low—less than 0.7%—showing once again that enhanced protection does not always come at the expense of degrading user experience and losing conversions.

How Device Check Combats Ad Fraud

An online marketing global leader was seeing its revenue impacted by ad fraud. In fact, too many engagements were considered invalid by their internal validation tool and were not billed to their customers, even if many of them were generated by legitimate end users. As an example, traffic sent from Apple’s iCloud Private Relay was considered invalid despite the presence of many legitimate end users.

DataDome Device Check was introduced to filter bot traffic with more precision, reducing false positives and optimizing revenue. With the protected traffic consisting of one single interaction (one click) without the possibility of using server-side or client-side behavioral analysis, Device Check was a major asset for DataDome’s detection capabilities, allowing us to force a synchronous check of the requester’s environment and collect more signals from the device fingerprint.

A few days after activation, almost 50% of the verified clicks were confirmed as legitimate humans and were no longer excluded from billing. Moreover, Device Check was able to spot advanced bots that would have passed the internal control tools.

Conclusion

Keeping a high level of protection against bot threats while preserving user experience is a complicated task. Device Check, a new tool provided by DataDome to verify requesters’ devices and client environments, has already proven to be an effective asset to fulfill this task in several contexts—from online shops, to classifieds, to online marketing.

To learn more about Device Check and how DataDome’s online bot and fraud protection can keep your business safe from bad bots, book a demo today or start a free trial.