Waiting room users are anonymous. CrowdHandler tracks them using cookies that hold a token: a string of random characters that is unique to each device using the queue.


Since the token is stored on the user's device, savvy users may be able to retrieve the token and share it with other users. The typical reason for this would be users with a good queue position trying to share that position with other user agents so that they can submit multiple orders or assist friends and family. If your product is valuable, bad actors may even attempt to sell tokens associated with good queue positions.



Device fingerprinting is not the only way to protect against token sharing. If you are selling a high-value, limited-edition product, we recommend using additional strategies such as:

1. Destroying the session on checkout.
2. Logging the token against your order and only allowing one order per token. (Requires custom integration)


How does device fingerprinting work?

With device fingerprinting switched on, we use some factors about the device to compile a signature fingerprint for that device. When the token is generated for that user, the signature is associated with it. If a device tries to poll that token with a fingerprint that does not match, it will not retrieve the token, but will instead be given a new randomly generated token tracked against the new fingerprint.


How does that play out in real life? Let's say User A joins a pre-sale and is given a particularly good random position when the queue activates. They try to pass the token to User B. User B tries to access the queue using the token. Their fingerprint does not match, so they are given a new token. That token will be issued with a position at the back of the queue, so this is the same outcome as if User B had just entered the queue without the token.


How do I switch it on?

Head to your domain settings. Switch Device Fingerprinting from off to Basic or Advanced.



What's the difference?


Basic

We use a number of signals about the device to compile the fingerprint. It will catch most instances of token sharing, but may not catch sharing between near-identical devices.


Advanced

Advanced matching incorporates IP and geo features into the fingerprint. This is very effective, but may catch legitimate users. For example:

A mobile user on a train,
A mobile user switching from wifi to 5G,
A desktop user switching on a VPN whilst waiting.

We recommend updating your template or messaging if you intend to use advanced device fingerprinting.
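
The token-to-fingerprint binding and the Basic/Advanced trade-off described above, as a toy model added here for illustration (not CrowdHandler's code). The signal names, the `WaitingRoom` class and the counter-based positions are assumptions; the page does not list the factors actually used.

```python
import hashlib
import secrets

# Hypothetical signal names; the page does not say which factors are used.
BASIC_SIGNALS = ("user_agent", "screen", "timezone")
ADVANCED_SIGNALS = BASIC_SIGNALS + ("ip", "geo")  # Advanced adds IP and geo


def fingerprint(device, mode):
    """Hash the signals selected by the mode into one signature."""
    signals = ADVANCED_SIGNALS if mode == "advanced" else BASIC_SIGNALS
    material = "\x1f".join(f"{k}={device.get(k, '')}" for k in signals)
    return hashlib.sha256(material.encode()).hexdigest()


class WaitingRoom:
    """Toy queue: a token is only honoured for the fingerprint it was issued to."""

    def __init__(self, mode="basic"):
        self.mode = mode
        self.sessions = {}      # token -> (fingerprint, position)
        self.next_position = 1  # simplified: positions are a plain counter

    def _issue(self, fp):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (fp, self.next_position)
        self.next_position += 1  # a new token always joins at the back
        return token, self.sessions[token][1]

    def poll(self, device, token=None):
        """Return (token, position); a mismatched or unknown token is replaced."""
        fp = fingerprint(device, self.mode)
        session = self.sessions.get(token)
        if session is not None and secrets.compare_digest(session[0], fp):
            return token, session[1]
        return self._issue(fp)


# Constructed sample devices (IP addresses from documentation ranges).
USER_A = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
          "timezone": "Europe/London", "ip": "192.0.2.10", "geo": "GB"}
USER_B = {"user_agent": "Mozilla/5.0 (iPhone)", "screen": "390x844",
          "timezone": "Europe/London", "ip": "198.51.100.7", "geo": "GB"}
USER_A_ON_VPN = dict(USER_A, ip="203.0.113.50", geo="NL")
```

Polling User A's token from `USER_B` returns a fresh token at the back in either mode, while polling it from `USER_A_ON_VPN` keeps the position in basic mode and loses it in advanced mode, which is the false-positive case the messaging should cover.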