How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
Browser fingerprinting and network fingerprinting answer related but different questions.
Browser fingerprinting looks at what the browser sends or exposes: headers, client hints, JavaScript-visible APIs, rendering behaviour, storage, cookies, and browser-side challenge evidence.
Network fingerprinting looks at how the client connects and speaks protocols: TCP, TLS, JA3, JA4, HTTP/2, MTU or path evidence, IP or ASN context, and request protocol behaviour.
Neither layer proves a person's identity. Each layer provides request evidence that can support allow, log, challenge, rate limit, block, or review decisions.
How are the two methods different?
| Question | Browser fingerprinting | Network fingerprinting |
|---|---|---|
| Main view | Browser and device consistency | Connection, protocol, and path consistency |
| Typical signals | Headers, client hints, JavaScript APIs, canvas, WebGL, audio, fonts, screen, timezone, cookies | TCP, TLS ClientHello, JA3, JA4, HTTP/2 settings, ALPN, MTU, IP, ASN, proxy context |
| Collection style | Often combines passive request headers with active browser-side checks | Often passive at the edge or network layer |
| Best use | Checking whether a claimed browser behaves like that browser | Classifying client software, automation libraries, proxy paths, scanners, or protocol stacks |
| Main risk | Privacy sensitivity, browser drift, false positives from unusual devices or settings | Hash collisions, protocol drift, shared networks, proxy paths, and limited human context |
The overlap is intentional. HTTP headers and client hints are browser-visible request evidence, but they also sit inside the network request. That is why header evidence should be reviewed with both browser and network context.
When should defenders use browser signals?
Browser signals help when a request needs proof that a real browser executed expected client-side work or when the claimed browser profile needs review.
Common examples include:
- Login and account actions: compare browser evidence with account history before a trust decision.
- Bot and scraping checks: identify clients that copy headers but do not behave like the claimed browser.
- Anti-detect browser review: look for inconsistencies across user-agent, client hints, JavaScript APIs, rendering, cookies, and session behaviour.
- Challenge decisions: use browser-side challenge evidence to choose allow, challenge, rate limit, block, or review.
Pages on JavaScript browser fingerprinting and canvas, WebGL, and audio fingerprinting cover active browser evidence in more detail.
When should defenders use network signals?
Network signals help when traffic is distributed across many IPs or when the client stack itself is informative.
Common examples include:
- Automation and tool classification: identify non-browser libraries, scanners, or unusual protocol stacks.
- Residential proxy decisions: compare the source network with residential proxy detection, TLS shape, HTTP/2 behaviour, and browser evidence.
- Rate and DDoS controls: group requests for advanced rate limiting by fingerprint, route, ASN, IP class, response code, and behaviour.
- Incident response: classify suspicious clients early, then pass uncertain requests to WAF inspection, logging, or review.
The canonical pages on TLS fingerprinting, TCP fingerprinting, and HTTP/2 fingerprinting explain the protocol-level pieces.
Why combine them?
Attack traffic often tries to make one layer look ordinary. A residential proxy can make the IP look normal. A copied user-agent can make the request header look normal. A browser profile can make a subset of browser signals look normal.
Defenders reduce risk by comparing layers. A request that looks consistent across browser, header, TLS, HTTP/2, proxy, route, cookie, and behaviour evidence can be treated differently from one that only looks plausible in isolation.
The decision still needs limits. Normal users can have privacy tools, managed browsers, mobile networks, corporate proxies, accessibility settings, and unusual devices. A mature policy keeps space between allow and block and records enough evidence to tune false positives.
Related Articles
What is an Account Takeover?
An overview of Account Takeover Attacks
AI Crawler User Agents
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Misuse
AI Misuse explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.