How the three major DRMs identify devices
Most devices used for video playback have some way to be uniquely identified. Devices that don't can be counted more than once in DRM systems.
Each DRM system—Google Widevine, Microsoft PlayReady, and Apple FairPlay—has its own method for identifying and counting unique devices. However, their accuracy varies based on hardware enforcement, software implementation, and platform restrictions.
When billing is based on devices or active subscribers, the device count needs to be as accurate as possible. For Verimatrix services, devices that provide uniqueness can be easily counted. For transient devices such as Chrome browsers, the operator must use persistency in the player or set a unique value for each device and send it to Verimatrix. If an identifier is created, it should use a non-personally identifiable value, such as a uniquely generated random value or hash, for privacy reasons. Verimatrix handles PII data in compliance with GDPR guidelines.
This value is typically controlled by the operator's subscriber management system (SMS) and bound to the client. Furthermore, the device ID needs to persist across reboot, clearing of cache, and other methods of resetting the client.
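One way to implement the operator-set identifier described above for browser clients, as an added example rather than Verimatrix code: a random, non-PII ID is persisted in client storage and, after the store is cleared, restored from the value the subscriber management system holds. The names `DEVICE_ID_KEY`, `getOrCreateDeviceId` and `simulate`, the storage key, and the SMS re-issuing the ID after sign-in are assumptions.

```javascript
// Added example: all names below are hypothetical, not a Verimatrix or browser API.
// Web Crypto in browsers and Node 19+; older Node falls back to the built-in module.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const DEVICE_ID_KEY = 'operator.deviceId'; // assumed storage key
const ID_FORMAT = /^[0-9a-f]{32}$/;        // 128 random bits, hex encoded

// Random, non-PII identifier: not derived from user, account or hardware data.
function newDeviceId() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Returns the persisted ID, or stores and returns a new one.
// storage: anything with getItem/setItem, e.g. window.localStorage.
// provisioned: ID the SMS already holds for this client (assumption: it is
// re-issued after sign-in), used to restore identity after a local reset.
function getOrCreateDeviceId(storage, provisioned = null) {
  const stored = storage.getItem(DEVICE_ID_KEY);
  if (stored !== null && ID_FORMAT.test(stored)) return stored;
  // Missing or malformed value: restore from the SMS if possible, else mint.
  const id = ID_FORMAT.test(provisioned ?? '') ? provisioned : newDeviceId();
  storage.setItem(DEVICE_ID_KEY, id);
  return id;
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    clear: () => m.clear(),
  };
}

// Constructed scenario: one physical device requests three licenses and its
// browser data is cleared before the third. Returns the device count seen.
function simulate(restoreFromSms) {
  const storage = memoryStorage();
  const first = getOrCreateDeviceId(storage);
  const seen = new Set([first, getOrCreateDeviceId(storage)]); // restart: same ID
  storage.clear();                                             // cache cleared
  seen.add(getOrCreateDeviceId(storage, restoreFromSms ? first : null));
  return seen.size;
}
```

Without the SMS-held value the cleared browser is counted as a second device; with it the count stays at one.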
Below is an overview of each of the three major DRM systems and how accurate they are when it comes to device identification.
Google Widevine is the least accurate, especially in browsers
How It Counts Unique Devices:
Widevine L1 (Android, Smart TVs, Hardware-backed) uses a hardware-secured identifier stored in a Trusted Execution Environment (TEE). Any license request includes a device-specific identifier tied to the chipset, which is more accurate for unique device counting.
Widevine L3 (Browsers - Chrome, Edge, Firefox): there is no hardware binding; it is purely software-based DRM.
Identification of a device relies on session tokens, cookies, and browser storage to track devices. Furthermore, when using tokens, this identifier must be sent to the DRM system to identify the device.
It's important to note that device resets, incognito mode, or different browsers count as new devices. This can lead to inflated device counts. For Chrome devices, one needs to enforce persistency in the app to prevent this.
Level of accuracy:
L1 (Android & Smart TVs): High Accuracy (Persistent Hardware ID).
L3 (Browsers): Low Accuracy (Easy to spoof, no persistent hardware ID).
Microsoft PlayReady has better accuracy but is still spoofable
How It Counts Unique Devices:
PlayReady L1 (Windows, Smart TVs, Xbox - Hardware-Based) uses hardware-secured DRM identifiers embedded in the device. This supports secure device binding: each license is tied to a specific device.
If a device resets, it is still recognized via its hardware ID.
PlayReady L3 (Software-based, Browsers like Edge on Windows): there is no hardware-backed ID, similar to Widevine L3. Identification relies on browser storage, OS identifiers, and tokens.
As with Widevine in browsers, it can be reset with browser refreshes or new sessions.
Level of accuracy:
L1 (Hardware-backed PlayReady): High Accuracy (Persistent Device ID).
L3 (Software-based PlayReady): Medium Accuracy (Better than Widevine L3, but still spoofable).
Apple FairPlay is the most accurate at device identification
How It Counts Unique Devices:
Uses a hidden device-specific UID stored in Apple’s Secure Enclave (for iOS/macOS).
DRM license requests contain an encrypted device identifier, which is persistent across reboots and software updates. Even if a user clears browser data or re-installs apps, the same device ID remains.
The device ID is extremely difficult to spoof or reset.
Level of accuracy:
Very High Accuracy (Unique and persistent device tracking across iPhones, iPads, and Macs).
Which DRM Is Best for Counting Unique Devices?
Apple FairPlay is the most accurate since it uses a secure, hidden device ID that persists across updates.
Microsoft PlayReady L1 is second best with hardware-backed device tracking.
Google Widevine L1 is reliable on Android/Smart TVs but NOT on browsers.
Widevine L3 (Browsers) is the least reliable because it lacks hardware binding and can be easily reset or spoofed.