Shape FAQ

On This Page:

Device ID

How can I get started with Shape Device ID?

Deploying Device ID is as simple as adding a JavaScript tag to your website.

There are many easy ways to add a script tag. F5 BIG-IP customers may use a freely provided iApp. NGINX customers may modify their config files to inject the JS. Users of content management systems or tag managers may use these tools to add the tag. And that’s it. You’re up and running.

With the tag inline, you gain the benefits by consuming the identifier via a cookie. You can integrate the identifier into your application’s real-time behavior or log it to your SIEM for richer analysis.

Subscribe to the free Device ID service via the free tier of Volterra, talk to your F5 account rep, or email deviceidplus@f5.com to get started with Device ID today.


What is Shape Device ID?

Device ID is a real-time, high-precision device identifier that utilizes advanced signal collection and proven machine learning algorithms to assign a unique identifier to each device visiting your site. Deployment is simple, with immediate benefits for the security, networking, fraud, and digital teams. Best of all, Device ID is free for up to 20 million devices a year. Never has understanding the unique devices visiting your applications been so easy.


Is Shape Device ID really free?

Device ID is free to Volterra customers with up to 20 million unique devices per year. Volterra as a part of F5, a security leader, wants to give back to the security community.


What are the benefits of Shape Device ID?

Customers can leverage Device ID in support of multiple use cases:

  • Strengthen application security. Strengthen attack detection and mitigation analysis through accurate device identification. Recognize returning devices that your security systems have already flagged as suspicious.
  • Optimize traffic management. Incorporate a unique device identifier into routing logic to better manage and optimize network traffic. Identify devices even when malicious actors manipulate Layer 7 data.
  • Mitigate fraud and risk. Monitor customer behavior across new account creation, user authentication, e-commerce checkout, and financial transactions to keep customers safe.
  • Personalize and accelerate online experiences. Make login, checkout, and authentication seamless for known returning users and devices. Volerra has
  • demonstrated through A/B testing that reducing security friction increases revenue, and device identification is an important element in any strategy for friction reduction.

What is unique about Shape Device ID?

Shape leads the market with the highest quality device identifier.

  • Device ID is built on signals that Shape Security developed over years of battling advanced persistent attackers targeting the world’s largest retailers and financial institutions.
  • Shape continuously refines its signal collection, ensuring identifier uniqueness and persistence based on machine learning algorithms that run over the dataset Shape has built by processing over two billion transactions per day.
  • Shape can prevent attackers tampering with signal collection through its industry-leading code obfuscation technology.

How does Shape Device ID work?

When a user visits your website, Device ID leverages JavaScript to collect information about the browser, device OS, hardware, and network configuration. These attributes feed into the Device ID service built on industry-recognized AI and machine learning capabilities. The data is processed in real time, and a unique identifier is assigned to the device, unless it is already a known device. For returning devices, behavior, actions, and other properties can be recorded, learned, and studied to facilitate the reduction of fraud and a smooth experience for known good users.


Does Shape Device ID depend on any Volterra product or version?

No. Device ID is an independent product not dependent on any other Volterra product.


Does Shape Device ID use browser attributes?

Yes, the JavaScript deployed as part of Device ID collects attributes of the browser. Indeed, Volterra invests heavily and utilizes advanced AI to determine which attributes to collect to construct the most effective device identifier.


Can Shape Device ID be used to extend session length?

Device ID can be incorporated into a solution for session extension. It is more persistent than cookie-based identifiers normally used to track sessions. In addition to Device ID, Shape offers Shape Recognize, a SaaS-based solution that offers additional intelligence that can be leveraged to recommend whether a given device should be eligible for an extended session.


Can Shape Device ID be used to detect fraud?

Device ID can be used in tandem with log analysis to help detect fraud. In addition to Device ID, Shape offers SAFE (Shape AI Fraud Engine), a SaaS-based solution designed to prevent, detect, and remediate fraudulent transactions before they cause financial losses.


Can Device ID be used to stop bots to prevent credential stuffing and scraping?

Device ID can be incorporated into an anti-bot solution to detect patterns of automation. However, stopping malicious automation is a difficult problem, and we don’t recommend using Device ID alone to deal with these types of problems. F5 provides a fully managed anti-bot defense through Shape Enterprise Defense and Shape Silverline Defense. These F5 services defend the world’s largest retailers and financial institutions from the tremendous costs of scraping and account takeovers through credential stuffing, and we’d be happy to discuss how we could best protect your enterprise.


Does Device ID include reporting/dashboards?

Yes. The Device ID dashboard provides aggregated insights that can be used to provide indications of fraud, login friction, and other issues.


Does Device ID collect personal information?

Device ID stores pseudonymized personal data, which consists only of IP addresses and the device identifiers themselves that the service generates. Pseudonymized data is data that cannot be used to identify a person without additional information.

Device ID does not capture data that users enter into applications such as usernames, emails, and credit card numbers. Data collection is limited to that which is necessary to deliver the Device ID+ service.


What kind of data is collected by Device ID?

The meta-data that goes into assigning a device identifier falls into four categories:

  • Browser information, such as browser type, browser version, plugins, fonts etc.
  • Hardware, such as whether the traffic is coming from a laptop or mobile device, etc.
  • Type of operating system, such as Windows, Linux, etc.
  • Network information, such as IP addresses, User Agents etc.

Is data obfuscated and is it transmitted securely?

The Device ID JS, which powers Device ID, is significantly obfuscated. This makes defeating it sufficiently difficult. Device ID JS collects the signals required to calculate Device ID. All data is transmitted securely to the F5 cloud after being base64 encoded and encrypted via TLS.


Are the API calls triggered by the Device ID JS asynchronous?

Yes, the Device ID JS is loaded asynchronously to avoid any performance impact during page loading. The execution of the Device ID JS does not delay page loading.


What kind of latency is expected?

The Device ID JS runs asynchronously, thus the browser continues running even if the request has not yet finished. The API response and network latency are expected to take approximately 200ms.


Do I need Device ID JS on all web pages?

This is strongly recommended. Injecting the Device ID JS on all pages maximizes the probability of having a Device ID response for every session. With Device ID JS on every page, the lack of a Device ID response cookie for a transaction is an indicator that the cookie has been removed from the browser, which is a likely indicator of fraud.


How big is the Device ID JS?

60 KB when gzipped.


Can Device ID be used to extend session length?

Device ID can be incorporated into a solution for session extension. It is more persistent than cookie-based identifiers normally used to track sessions. In addition to Device ID, F5 offers Recognize, a SaaS-based solution that offers additional intelligence that can be leveraged to recommend whether a given device should be eligible for an extended session.