How reliable is browser fingerprinting for device recognition?

Browser fingerprinting has roughly 90-95% stability for the same device across sessions, but it is not a security primitive. Use it as a recognition hint to pre-populate trust level when a returning device registers. Always require a server-assigned device_id UUID that the app persists in secure storage as the authoritative identifier.

What happens to active sessions when a remote wipe is issued?

All active sessions for that device_id are immediately revoked in the database (revoked_at = NOW()). The device trust_level is set to 'revoked'. Any subsequent token validation that joins against device will see the revoked status and reject the token, even if the wipe command has not yet been delivered to the physical device.

How does the device receive the wipe command if it is currently offline?

The wipe command is stored in device_command with status='pending'. When the device next establishes connectivity and calls the check-in endpoint, it receives the pending command via the poll_pending_commands function. For MDM-enrolled corporate devices, a push notification (APNs MDM push, FCM) can wake the device to check in sooner.

What is the difference between 'trusted' and 'corporate' trust levels?

'Trusted' means the user has explicitly confirmed this personal device via MFA challenge. 'Corporate' means the device is enrolled in an MDM (Mobile Device Management) system and has passed compliance checks. Corporate devices typically get access to more sensitive resources and are subject to remote wipe authority by the organization.

How is device fingerprinting implemented?

User-Agent, screen resolution, timezone, and installed fonts/plugins are hashed client-side using SHA-256; the hash is sent on registration as the device fingerprint.

How are trust levels assigned?

New devices start as unknown; after successful MFA verification the device is promoted to trusted; corporate devices registered via MDM are automatically assigned the corporate level.

How is a remote wipe command delivered?

A DeviceCommand row with type=wipe is inserted; the device polls a /commands endpoint on next sync and executes the wipe, then confirms completion by updating the command status.

How are sessions invalidated on device removal?

Removing a device triggers a cascade that revokes all active sessions bound to that device_id via a foreign-key relationship or explicit session cleanup job.

Device Management System Low-Level Design: Registration, Trust Levels, and Remote Wipe

⏱ 8 min read

Device Management System Low-Level Design

A device management system answers three security questions: what devices have accessed an account, how much should each device be trusted, and how do you revoke a device remotely when it is lost or compromised? This article covers device fingerprinting, trust level assignment, session-to-device binding, remote wipe command delivery, and compliance checks — with full SQL schema and Python implementation.

Device Fingerprinting

A stable device identifier cannot rely on IP address (changes on every network switch) or cookie (cleared by users). Instead, generate a fingerprint hash from attributes that rarely change:

import hashlib
import json
from typing import Optional

def compute_device_fingerprint(
    user_agent:   str,
    screen_res:   str,    # e.g. "1920x1080"
    timezone:     str,    # e.g. "America/New_York"
    language:     str,    # e.g. "en-US"
    platform:     str,    # e.g. "MacIntel"
    canvas_hash:  Optional[str] = None   # optional canvas fingerprint from JS
) -> str:
    """
    Returns a stable hex fingerprint for this device profile.
    Not a security primitive — used for recognition, not authentication.
    """
    components = {
        'ua':       user_agent,
        'screen':   screen_res,
        'tz':       timezone,
        'lang':     language,
        'platform': platform,
    }
    if canvas_hash:
        components['canvas'] = canvas_hash

    canonical = json.dumps(components, sort_keys=True)
    return hashlib.sha256(canonical.encode('utf-8')).hexdigest()

The fingerprint is advisory, not authoritative. Two devices may collide (same model, same settings), and a single device may drift after OS upgrades. Store it as a recognition hint alongside a server-assigned device_id UUID that the app persists locally.

SQL Schema

CREATE TYPE trust_level AS ENUM ('unknown', 'trusted', 'corporate', 'revoked');

CREATE TABLE device (
    id              BIGSERIAL PRIMARY KEY,
    device_id       UUID        NOT NULL UNIQUE DEFAULT gen_random_uuid(),
    user_id         BIGINT      NOT NULL,
    fingerprint     TEXT        NOT NULL,
    trust_level     trust_level NOT NULL DEFAULT 'unknown',
    name            TEXT,                          -- user-assigned label, e.g. "Work MacBook"
    platform        TEXT        NOT NULL,          -- 'web','ios','android','desktop'
    os_version      TEXT,
    app_version     TEXT,
    encryption_enabled BOOLEAN  DEFAULT NULL,      -- NULL = unknown
    last_seen_at    TIMESTAMPTZ,
    last_seen_ip    INET,
    enrolled_at     TIMESTAMPTZ,                   -- NULL = not MDM enrolled
    wiped_at        TIMESTAMPTZ,
    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX idx_device_user ON device (user_id, trust_level);
CREATE INDEX idx_device_fp   ON device (fingerprint);

CREATE TABLE device_session (
    id          BIGSERIAL PRIMARY KEY,
    session_id  UUID        NOT NULL UNIQUE DEFAULT gen_random_uuid(),
    device_id   UUID        NOT NULL REFERENCES device(device_id) ON DELETE CASCADE,
    user_id     BIGINT      NOT NULL,
    access_token_hash TEXT  NOT NULL,              -- SHA-256 of the bearer token
    ip_address  INET,
    user_agent  TEXT,
    expires_at  TIMESTAMPTZ NOT NULL,
    revoked_at  TIMESTAMPTZ,
    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
);

CREATE INDEX idx_ds_device ON device_session (device_id) WHERE revoked_at IS NULL;
CREATE INDEX idx_ds_token  ON device_session (access_token_hash) WHERE revoked_at IS NULL;

CREATE TABLE device_command (
    id          BIGSERIAL PRIMARY KEY,
    device_id   UUID        NOT NULL REFERENCES device(device_id),
    command     TEXT        NOT NULL CHECK (command IN ('wipe','lock','unenroll','push_policy')),
    payload     JSONB,
    status      TEXT        NOT NULL DEFAULT 'pending'
                            CHECK (status IN ('pending','delivered','acknowledged','failed')),
    issued_by   BIGINT      NOT NULL,
    issued_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    delivered_at  TIMESTAMPTZ,
    acknowledged_at TIMESTAMPTZ
);

CREATE INDEX idx_dc_device_pending ON device_command (device_id, status)
    WHERE status = 'pending';

Device Registration

from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class DeviceRegistrationRequest:
    user_id:     int
    device_id:   str          # client-generated UUID, persisted on device
    fingerprint: str
    platform:    str
    os_version:  str
    app_version: str
    name:        Optional[str] = None

def register_device(db, req: DeviceRegistrationRequest) -> dict:
    """
    Upserts device record. Returns dict with device_id and assigned trust_level.
    Trust level defaults to 'unknown'; elevated to 'trusted' after MFA confirmation,
    or 'corporate' when MDM enrollment is verified.
    """
    existing = db.fetchone(
        "SELECT * FROM device WHERE device_id=%s", (req.device_id,)
    )
    if existing:
        db.execute(
            """UPDATE device SET os_version=%s, app_version=%s,
               last_seen_at=NOW() WHERE device_id=%s""",
            (req.os_version, req.app_version, req.device_id)
        )
        db.commit()
        return {'device_id': req.device_id, 'trust_level': existing['trust_level']}

    # New device: check if fingerprint matches a known trusted device for this user
    fp_match = db.fetchone(
        """SELECT trust_level FROM device
           WHERE user_id=%s AND fingerprint=%s AND trust_level != 'revoked'
           ORDER BY last_seen_at DESC LIMIT 1""",
        (req.user_id, req.fingerprint)
    )
    initial_trust = fp_match['trust_level'] if fp_match else 'unknown'

    db.execute(
        """INSERT INTO device
           (device_id, user_id, fingerprint, trust_level, name, platform, os_version, app_version, last_seen_at)
           VALUES (%s,%s,%s,%s,%s,%s,%s,%s,NOW())""",
        (req.device_id, req.user_id, req.fingerprint, initial_trust,
         req.name, req.platform, req.os_version, req.app_version)
    )
    db.commit()
    return {'device_id': req.device_id, 'trust_level': initial_trust}

Session Binding to Device

Every access token is bound to a specific device. Token validation rejects the token if the device has been revoked or wiped:

import hashlib
from datetime import datetime, timezone

def validate_session(db, token: str) -> Optional[dict]:
    """Returns session+device info or None if invalid."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    row = db.fetchone(
        """SELECT ds.*, d.trust_level, d.wiped_at
           FROM device_session ds
           JOIN device d ON d.device_id = ds.device_id
           WHERE ds.access_token_hash = %s
             AND ds.revoked_at IS NULL
             AND ds.expires_at > NOW()""",
        (token_hash,)
    )
    if not row:
        return None
    if row['wiped_at'] or row['trust_level'] == 'revoked':
        # Revoke this session immediately
        db.execute(
            "UPDATE device_session SET revoked_at=NOW() WHERE access_token_hash=%s",
            (token_hash,)
        )
        db.commit()
        return None
    return row

Remote Wipe Command

def issue_remote_wipe(db, device_id: str, issued_by: int, reason: str) -> int:
    """
    Enqueues a wipe command and immediately revokes all active sessions.
    Returns the command ID.
    """
    # Mark device as revoked immediately (blocks new logins)
    db.execute(
        "UPDATE device SET trust_level='revoked', wiped_at=NOW() WHERE device_id=%s",
        (device_id,)
    )
    # Revoke all active sessions
    db.execute(
        """UPDATE device_session SET revoked_at=NOW()
           WHERE device_id=%s AND revoked_at IS NULL""",
        (device_id,)
    )
    # Enqueue wipe command for delivery when device next phones home
    db.execute(
        """INSERT INTO device_command (device_id, command, payload, issued_by)
           VALUES (%s, 'wipe', %s, %s)""",
        (device_id, json.dumps({'reason': reason}), issued_by)
    )
    db.commit()
    cmd = db.fetchone("SELECT lastval()")
    return cmd['lastval']


def poll_pending_commands(db, device_id: str) -> list:
    """
    Called by the device on every check-in. Returns pending commands
    and marks them as delivered.
    """
    commands = db.fetchall(
        """UPDATE device_command SET status='delivered', delivered_at=NOW()
           WHERE device_id=%s AND status='pending'
           RETURNING *""",
        (device_id,)
    )
    db.commit()
    return commands

Compliance Checks

from packaging.version import Version

MINIMUM_OS_VERSIONS = {
    'ios':     '16.0',
    'android': '12',
    'desktop': '0',   # no restriction
}

def run_compliance_check(db, device_id: str) -> dict:
    """
    Returns compliance status. Non-compliant devices are downgraded to 'unknown' trust.
    """
    device = db.fetchone("SELECT * FROM device WHERE device_id=%s", (device_id,))
    issues = []

    # OS version check
    min_ver = MINIMUM_OS_VERSIONS.get(device['platform'], '0')
    if device['os_version'] and Version(device['os_version']) < Version(min_ver):
        issues.append(f"OS {device['os_version']} below minimum {min_ver}")

    # Encryption check
    if device['encryption_enabled'] is False:
        issues.append("Disk encryption disabled")

    compliant = len(issues) == 0
    if not compliant and device['trust_level'] == 'corporate':
        db.execute(
            "UPDATE device SET trust_level='unknown' WHERE device_id=%s",
            (device_id,)
        )
        db.commit()

    return {'compliant': compliant, 'issues': issues}