The challenge: why this was critical
A large commercial bank serving around 4 million active digital banking users (web and mobile) was under growing pressure to prevent account takeover (ATO) while remaining compliant with PSD2, including its Strong Customer Authentication (SCA) requirements.
For the login process, this meant striking a delicate balance: meeting regulatory requirements and reducing fraud risk without adding unnecessary friction or degrading the user experience.
However, the bank relied on a device recognition solution whose fingerprint was not resilient to ordinary, everyday environment changes. A browser update, a change of display (e.g., a different monitor or screen resolution), or a change in browser configuration (plugins, privacy settings) could cause a legitimate device to be marked as “untrusted.”
In addition, the solution had a coverage gap – it did not protect users logging in via mobile browsers (mobile web), leaving part of the traffic outside consistent device protection.
As a result, a given legitimate device was flagged as “untrusted” every few weeks on average, and customers were frequently asked to complete additional verification. Instead of simplifying authentication, the mechanism increased login friction, generated frustration, and triggered unnecessary step-up verification on the bank’s side.
Key challenges
- Device recognition did not perform as expected – the fingerprint was unstable
- Frequent “untrusted device” alerts and unnecessary additional verification
- Need for stable device recognition despite typical environment changes
- No protection for users logging in via mobile browsers (mobile web)
- PSD2/SCA compliance and privacy-by-design requirements
- Fast implementation and quick time-to-value
What was implemented and how it worked in practice
The bank implemented Device Profile Smart (DP Smart) as an additional device intelligence signal within the login process.
DP Smart builds a device profile from multiple independent fingerprint streams – several groups of technical device and browser attributes that together form a stable representation of the user’s environment. Because each stream is evaluated separately, a single natural change (such as a browser update) alters only one stream and does not by itself cause the device to lose its trusted status.
The service compares the current device profile with the previously stored baseline for that user and returns a real-time risk assessment via a REST API. Based on this signal, the bank either continues the login seamlessly or triggers additional verification only when the deviation justifies it.
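To make the multi-stream comparison concrete, the following is an added illustration written for this page; it is not DP Smart’s code or algorithm, which the case study does not disclose. It hashes each attribute group independently, accepts a login while most streams still agree with the stored baseline, and rolls the baseline forward only after a trusted login. The stream grouping, the attribute names, the 3-of-4 threshold and the sample device data are all assumptions constructed for the example.

```python
"""Multi-stream device-profile matching (illustrative, not the product's algorithm)."""
import hashlib
import json
from dataclasses import dataclass, field

# Attribute groups ("streams"). Grouping and attribute names are assumptions.
STREAMS = {
    "browser": ("user_agent", "languages", "plugins"),
    "display": ("screen", "color_depth", "device_pixel_ratio"),
    "platform": ("platform", "hardware_concurrency", "timezone"),
    "graphics": ("webgl_renderer", "canvas_hash"),
}


def stream_hashes(attrs):
    """Hash each attribute group separately, so a change in one group leaves
    the hashes of the other groups intact (unlike one flat fingerprint hash)."""
    hashes = {}
    for name, keys in STREAMS.items():
        material = json.dumps({k: attrs.get(k) for k in keys}, sort_keys=True)
        hashes[name] = hashlib.sha256(material.encode()).hexdigest()
    return hashes


@dataclass
class Decision:
    trusted: bool
    matched: int
    changed: list = field(default_factory=list)


def evaluate(baseline, current, min_matching=3):
    """Compare the current profile with the stored baseline. The device stays
    trusted while at least min_matching streams agree; 3 of 4 is an assumed
    threshold for this example, not a product parameter."""
    changed = [s for s in STREAMS if baseline[s] != current[s]]
    matched = len(STREAMS) - len(changed)
    return Decision(matched >= min_matching, matched, changed)


def roll_baseline(baseline, current, decision):
    """After a trusted login adopt the current hashes as the new baseline, so
    successive single-stream changes are absorbed instead of accumulating.
    An untrusted login must not move the baseline (an attacker could otherwise
    'walk' the profile towards their own machine), so it is returned unchanged."""
    return dict(current) if decision.trusted else dict(baseline)


# Constructed sample data: a legitimate customer's device at enrolment.
ENROLLED = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0",
    "languages": "pl-PL,en", "plugins": "PDF Viewer",
    "screen": "1920x1080", "color_depth": 24, "device_pixel_ratio": 1.0,
    "platform": "Win32", "hardware_concurrency": 8, "timezone": "Europe/Warsaw",
    "webgl_renderer": "ANGLE (NVIDIA GeForce RTX 3060)", "canvas_hash": "c0ffee11",
}
# Same device after a browser update: only the "browser" stream changes.
AFTER_UPDATE = {**ENROLLED,
                "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"}
# Then a new monitor is attached: only the "display" stream changes.
AFTER_MONITOR = {**AFTER_UPDATE, "screen": "2560x1440"}
# An attacker's machine using the victim's credentials from the same time zone.
ATTACKER = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0",
    "languages": "en-US", "plugins": "",
    "screen": "1366x768", "color_depth": 24, "device_pixel_ratio": 1.0,
    "platform": "Linux x86_64", "hardware_concurrency": 4, "timezone": "Europe/Warsaw",
    "webgl_renderer": "llvmpipe", "canvas_hash": "deadbeef",
}


def walkthrough():
    """Run the logins in order with a rolling baseline, then show what a flat
    all-or-nothing fingerprint (min_matching=4) would do on the browser update."""
    baseline = stream_hashes(ENROLLED)
    d_update = evaluate(baseline, stream_hashes(AFTER_UPDATE))
    baseline = roll_baseline(baseline, stream_hashes(AFTER_UPDATE), d_update)
    d_monitor = evaluate(baseline, stream_hashes(AFTER_MONITOR))
    baseline = roll_baseline(baseline, stream_hashes(AFTER_MONITOR), d_monitor)
    d_attacker = evaluate(baseline, stream_hashes(ATTACKER))
    d_flat = evaluate(stream_hashes(ENROLLED), stream_hashes(AFTER_UPDATE), min_matching=4)
    return d_update, d_monitor, d_attacker, d_flat


if __name__ == "__main__":
    labels = ("browser update", "new monitor", "attacker", "flat fingerprint")
    for label, d in zip(labels, walkthrough()):
        print(f"{label:16s} trusted={d.trusted} matched={d.matched}/{len(STREAMS)} changed={d.changed}")
```

Two things the example shows that the paragraph does not: the baseline moves only after a trusted decision, so the second legitimate change (the new monitor) is judged against the already-updated profile rather than accumulating with the first, and the flat-fingerprint case reproduces the legacy behaviour in which one browser update alone is enough to flag the device. In a real deployment the per-stream weights and threshold would be tuned and combined with other risk signals rather than used as the only gate.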
Integration was fast and straightforward: a JavaScript snippet was added to the web channel and a dedicated library was embedded in the mobile application. Importantly, the solution also covers mobile web logins, closing the earlier coverage gap and giving consistent protection across all channels. Device Profile Smart operates in a SECaaS (security as a service) model, requiring no infrastructure build-out and no model training phase, so protection was effective from day one.
From a compliance perspective, the solution relies exclusively on technical device signals and does not require personal data, supporting a privacy-by-design approach. It is also resilient to common privacy tools and ad blockers, maintaining stable device recognition across the entire user base.
Results: what changed in day-to-day operations
The impact was visible immediately. Login processes no longer generated false positives due to routine environment updates. As a result, the bank no longer had to review an “untrusted device” alert, or trigger additional verification, every time a legitimate customer’s environment changed.
Device recognition became more stable, reducing profile drift between logins and improving decision accuracy in authentication flows. From the user’s perspective, the login experience remained smooth: device analysis runs asynchronously in the background and does not affect page performance, minimizing UX risk. At the same time, the bank maintained full PSD2/SCA compliance, supported by a consistent, technical, device-based signal for authentication decisions.
As an additional outcome, the reduction in unnecessary step-up verification also lowered the volume of SMS messages sent for it, so the solution reached ROI within approximately two months.
Post-implementation outcomes
- Confirmed reduction in Account Takeover (ATO) cases
- Stable device recognition despite routine environment changes
- Significant decrease in false positives
- Fewer unnecessary additional verifications during login
- No negative impact on UX or performance (asynchronous background operation)
- Consistent protection across web, mobile app, and mobile browsers
- More accurate and justified authentication decisions
- Audit readiness and PSD2/SCA compliance with privacy-by-design