> One technique to protect against these attacks is browser fingerprinting. This method works by collecting data about a user's browser, which is then used to create a unique fingerprint for differentiating between genuine users and bots.

This seems like it can't work. 50% of users are browsing from an iPhone. Every iPhone of the same model has the same fingerprint except for time of day and language preference. So for every time zone there are literally hundreds of thousands of devices that will have the same fingerprint.

They may be referring to JA3 [0], which can be used to fingerprint the connection by examining the order of the ciphers sent by the client to the server during the TLS handshake. It isn't useful to detect that the user is browsing on an iPhone, but rather that the user agent says the user is using an iPhone but the JA3 gives it away as something else.

It can be defeated by the client sending a specific list of ciphers in a specific order during the TLS handshake, but in practice this can be difficult to do as it's typically implemented at a low level. Alternatively, creating a browser extension can also be used to defeat it as the request is running through the browser's code in that case.

[0] https://github.com/salesforce/ja3
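
The user-agent versus JA3 consistency check described in the comment above, as an added example that is not part of the original thread or the JA3 project's code. It covers the full JA3 string (TLS version, ciphers, extensions, curves, point formats), not only cipher order; the ClientHello values, the `EXPECTED` table and the `check` helper are constructed for illustration.

```python
import hashlib

# GREASE code points (RFC 8701) are randomised per connection; JA3 skips them.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 string: five comma-separated fields, values dash-joined in wire order."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])

def ja3_hash(hello):
    """JA3 fingerprint: MD5 hex digest of the JA3 string."""
    return hashlib.md5(ja3_string(**hello).encode()).hexdigest()

# Constructed ClientHello fields (not captured from a real device).
PHONE_HELLO = dict(version=771, ciphers=[0x2A2A, 4865, 4866, 4867, 49195, 49199],
                   extensions=[0x1A1A, 0, 23, 65281, 10, 11, 16, 13],
                   curves=[0x3A3A, 29, 23, 24], point_formats=[0])
# Same cipher suites in a different order, as a scripted HTTP client might send them.
SCRIPT_HELLO = dict(PHONE_HELLO, ciphers=[49195, 49199, 4865, 4866, 4867])

# Hypothetical allowlist: JA3 hashes previously observed for each claimed platform.
EXPECTED = {"iPhone": {ja3_hash(PHONE_HELLO)}}

def check(user_agent, hello):
    """Return 'consistent', 'mismatch', or 'unknown' for a claimed platform."""
    for platform, hashes in EXPECTED.items():
        if platform in user_agent:
            return "consistent" if ja3_hash(hello) in hashes else "mismatch"
    return "unknown"

if __name__ == "__main__":
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)"  # constructed
    print(ja3_string(**PHONE_HELLO))
    print(check(ua, PHONE_HELLO), check(ua, SCRIPT_HELLO))
```

A "mismatch" verdict only says the TLS stack differs from what the claimed platform was seen to send, so it is a signal to weigh with others rather than proof of automation.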

curl-impersonate (https://github.com/lwthiker/curl-impersonate) is great for avoiding TLS fingerprinting.