Ephemeral IDs: Cloudflare’s Latest Tool for Fraud Detection

During its recent Birthday Week, Cloudflare introduced Ephemeral IDs, a new feature for fraud detection. The tool identifies fraudulent activity—whether from bots or humans—by linking behavior to a specific client rather than an IP address.

Available through the Turnstile siteverify response, this new identification technology is designed to tackle the common issue of attackers who rotate a broad range of IP addresses to evade standard WAF monitoring techniques. Since Ephemeral IDs are generated based on patterns beyond IP addresses, malicious actors find it more challenging to fully disguise their requests. Oliver Payne, engineering manager at Cloudflare, Sally Lee, product manager at Cloudflare, and Benedikt Wolters, senior software engineer at Cloudflare, explain:

A practical use case for Ephemeral IDs is preventing fraudulent account signups. Imagine a bad actor, a real person using a real device, creating hundreds of fake accounts while rotating IP addresses to avoid detection. By ingesting Ephemeral IDs and logging them alongside your account creation logs, you can set up alerts based on account creation thresholds in real-time or retroactively investigate suspicious activity.

An IP address (green) versus an Ephemeral ID (blue). Source: Cloudflare blog

Introduced two years ago, Turnstile is a verification tool designed to replace CAPTCHAs by generating various types of non-intrusive challenges to verify users are human, without requiring visitors to solve a puzzle. Once Ephemeral IDs are enabled for a deployment, a curl request to Turnstile demonstrates how a temporary Ephemeral ID is returned to identify the client:

 


curl 'https://challenges.cloudflare.com/turnstile/v0/siteverify' --data 'secret=verysecret&response='
{
    "success": true,
    "error-codes": [],
    "challenge_ts": "2024-09-10T17:29:00.463Z",
    "hostname": "example.com",
    "metadata": {
        "ephemeral_id": "x:9f78e0ed210960d7693b167e"
    }
}

Source: Cloudflare blog

While the new option tracks different requests across time, Cloudflare emphasizes the privacy and compliance protections in place: when a visitor interacts with different Cloudflare customers, they receive different Ephemeral IDs for each one. Additionally, because these IDs change frequently, they cannot be used to track a single visitor over an extended period. User techcycleev comments on X:

I’m impressed by the innovative approach Cloudflare has taken with Ephemeral IDs. As a UX designer, I appreciate the emphasis on user privacy while maintaining effective fraud detection. This is a game-changer for secure online interactions.

Payne, Lee, and Wolters add:

Even though Ephemeral IDs are short-lived and may have changed by the time an investigation begins, they still provide valuable insights through aggregate analysis, and provide an extra dimension to identify fraud and abuse.

Ephemeral IDs were not the only announcement during Cloudflare’s Birthday Week, with 18 updates to the Workers platform, zero-latency SQLite storage in every Durable Object, and a faster AI platform other major updates.

Although every Cloudflare deployment benefits from the addition of Ephemeral IDs to the Challenge Platform, the new option is currently available through the Turnstile siteverify response only for Turnstile Enterprise and Bot Management Enterprise customers.