Device & IP Intelligence for KYC

IP addresses reveal significant context about user connections.

IP intelligence signals:

• Geolocation: Country, region, city, coordinates
• ISP/Organization: Residential vs business vs datacenter
• Connection type: Mobile, broadband, VPN, proxy, Tor
• Reputation: Historical fraud activity from this IP

Risk indicators:

• VPN/Proxy usage: Hides true location—may be legitimate or fraudulent
• Datacenter IPs: Unusual for consumer activity, often bots or fraud
• Tor exit nodes: Strong anonymization intent
• IP/location mismatch: Device timezone doesn't match IP location
• Impossible travel: Same user from distant locations in short time

Implementation:

• Use IP intelligence APIs (MaxMind, IPinfo, IPQS)
• Combine IP data with other signals (don't block on IP alone)
• Consider legitimate VPN usage (corporate, privacy-conscious users)
• Track IP history per user for pattern detection

Behavioral biometrics analyzes how users interact with your interface—patterns that are difficult for fraudsters to replicate.

Behavioral signals:

• Typing patterns: Speed, rhythm, key press duration
• Mouse movements: Trajectory, speed, click patterns
• Touch patterns: Pressure, gesture speed, hold duration
• Navigation behavior: Page flow, scroll patterns, interaction timing

Why behavioral biometrics helps:

• Continuous authentication (not just at login)
• Detects account takeover mid-session
• Identifies automated/bot activity
• Adds layer without user friction

Integration approaches:

• JavaScript SDK collecting browser interactions
• Mobile SDK collecting touch and sensor data
• Server-side analysis of interaction sequences
• Risk scoring integrated with other signals

Behavioral biometrics works best as a continuous signal, not a one-time check. Fraudsters might pass initial verification but reveal themselves through subsequent behavior.

Device and IP intelligence enables risk-based verification flows that adapt to context.

Low-risk signals:

• Known device with clean history
• Residential IP in expected location
• Normal behavioral patterns
• Returning user with positive history

High-risk signals:

• New device never seen before
• Datacenter or VPN IP address
• Unusual location or impossible travel
• Device linked to previous fraud
• Abnormal behavioral patterns

Adaptive verification flows:

• Low risk: Streamlined verification, skip optional steps
• Medium risk: Standard verification flow
• High risk: Additional verification, active liveness, manual review

Implementation:

• Calculate risk score from combined signals
• Define thresholds for flow routing
• Monitor outcomes to calibrate thresholds
• A/B test flow variations to optimize conversion vs fraud

The goal is providing frictionless experience for legitimate users while creating barriers for fraudsters.

Implementing comprehensive device intelligence requires careful architecture.

Data collection:

• Fingerprinting SDK integrated in verification flow
• IP intelligence API calls with caching
• Behavioral data collection throughout session
• Historical data storage for pattern analysis

Identity graph:

• Link devices to user accounts
• Track device-to-device relationships
• Identify device sharing patterns
• Flag suspicious device clusters

Real-time scoring:

• Combine signals into unified risk score
• Sub-second response time for flow decisions
• Explainable scoring for manual review
• Continuous updates as session progresses

Provider options:

• Build custom using open-source fingerprinting + IP APIs
• Integrated solutions (Sardine, Castle, SEON)
• Payment processor intelligence (Stripe Radar)

Most companies benefit from starting with a provider, then building custom components as needs become more specialized.