I would love to know how this differs from fingerprinting. And if it is just fingerprinting it seems like it'd probably be trivial to bypass. Especially since it appears that you have a way to check your ID so you could potentially experiment with different ways to affect it.
1. Fraudsters would be able to game/bypass them more easily
2. Customers would be able to hold them accountable more easily
It is not in Cloudflare's best interest to explain their anti-fraud technology. The same thing applies to basically anyone doing anti-fraud by the way. Try asking a bank why they declined your transaction, or closed your account.
What other aspects could they harness?
* IP path selected & latency
* TCP TTL, window settings & extensions
* TLS ClientHello: extensions, ciphers, hash algos, etc
* HTTP/2 settings & behavior
* HTTP request headers
If you're interested in digging further into this set, look up JA3, which has variants that address most or all of those above.
If they redirect you to an intermediate page, their attack surface gets much larger, including everything in the JavaScript APIs and browser behavior.
* Extended client hints
* Canvas fingerprint
* WebGPU fingerprint
* WebRTC fingerprint
* TTS voices
* Fonts
* Battery state
* <link> preload behavior and timing
(and the list goes on and on and on, because browsers are huge and only slightly designed for privacy)
This is assuming they aren't willing to use any of the persistent state techniques, like cache poisoning, HSTS pinning, or simple old cookies.
These are mostly useful for catching cases where someone is trying to lie about which OS or browser they are using, or where they are using the same machine and instrumented browser foolishly.
