Browser Fingerprint
Last updated: 2026-03-12
What Is Browser Fingerprinting
Browser fingerprinting is a technique that identifies individual users by combining browser settings and environment information. Just like a human fingerprint, the combination of browser characteristics is nearly unique for each user.
Unlike cookies, fingerprinting can track users without storing anything in the browser, meaning tracking persists even after cookies are deleted.
Information Collected
The main information used to generate a fingerprint includes:
- User-Agent: Browser type, version, and OS information
- Screen resolution: Display size and color depth
- Installed fonts: List of fonts installed on the system
- Canvas rendering results: Hash values of HTML5 Canvas drawings (which differ due to GPU and driver variations)
- WebGL information: GPU vendor and renderer details
- Timezone and language settings: Browser language and regional settings
- Plugin list: Installed extensions
While each piece of information is common on its own, their combination can be unique enough to identify an individual among millions. According to EFF research, approximately 83.6% of browsers have a unique fingerprint.
Countermeasures
Complete prevention is difficult, but the following methods can reduce fingerprint uniqueness:
- Use Tor Browser: Designed so all users share an identical fingerprint, making it the most effective countermeasure.
- Firefox Enhanced Tracking Protection: In "strict" mode, it blocks known fingerprint collection scripts.
- Browser isolation: Using different browser profiles for different purposes can break cross-site tracking.
- Restrict JavaScript: Extensions like NoScript that restrict JavaScript can disable many fingerprinting techniques, though this may limit website functionality.
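The following added example (not part of the original page) shows, on a constructed population of eight visitors, how combining individually common attributes produces unique fingerprints, and how making every user report identical values, the idea behind the Tor Browser countermeasure above, collapses that uniqueness. All attribute values, the `normalize` model and the function names are assumptions made for illustration.

```javascript
// Constructed sample population: eight visitors with invented attribute values.
const VISITORS = [
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "Europe/Berlin", fonts: "set-A" },
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "Europe/Berlin", fonts: "set-B" },
  { ua: "Chrome/Windows", screen: "1920x1080", tz: "America/New_York", fonts: "set-A" },
  { ua: "Chrome/Windows", screen: "1366x768", tz: "Europe/Berlin", fonts: "set-A" },
  { ua: "Firefox/Linux", screen: "1920x1080", tz: "Europe/Berlin", fonts: "set-C" },
  { ua: "Firefox/Linux", screen: "2560x1440", tz: "Asia/Tokyo", fonts: "set-C" },
  { ua: "Safari/macOS", screen: "1440x900", tz: "America/New_York", fonts: "set-D" },
  { ua: "Safari/macOS", screen: "1440x900", tz: "America/New_York", fonts: "set-D" },
];
const ALL = ["ua", "screen", "tz", "fonts"];

// Join the chosen attributes in a fixed order; a real collector would hash this string.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// Count how many visitors share each fingerprint (the anonymity sets).
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const fp = fingerprint(v, attrs);
    sets.set(fp, (sets.get(fp) || 0) + 1);
  }
  return sets;
}

// Fraction of visitors whose fingerprint no one else in the population has.
function uniqueShare(population, attrs) {
  const sizes = [...anonymitySets(population, attrs).values()];
  return sizes.filter((n) => n === 1).length / population.length;
}

// Shannon entropy of the fingerprint distribution, in bits.
function entropyBits(population, attrs) {
  let bits = 0;
  for (const n of anonymitySets(population, attrs).values()) {
    const p = n / population.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Simplified model of a uniform-fingerprint browser: every user reports the same values.
function normalize(visitor) {
  return { ...visitor, screen: "1000x1000", tz: "UTC", fonts: "bundled-only" };
}

console.log(uniqueShare(VISITORS, ["ua"]), uniqueShare(VISITORS, ALL));
console.log(uniqueShare(VISITORS.map(normalize), ALL));
```

In this sample no visitor is unique by User-Agent alone, most are unique once all four attributes are combined, and none are unique after normalization, although the User-Agent that was left unnormalized still separates the population into three groups.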
Types and Technical Mechanisms of Fingerprinting
Fingerprinting techniques are broadly classified into two types based on how information is collected.
Passive fingerprinting identifies users using only information contained in HTTP request headers. Header values such as User-Agent, Accept-Language, and Accept-Encoding are automatically sent by the browser, so they can be collected even with JavaScript disabled. Since it can be performed through server-side log analysis alone, it is extremely difficult for users to detect.
Active fingerprinting actively retrieves detailed browser environment information by executing JavaScript. Key techniques include:
- Canvas fingerprinting: Draws text and shapes on an HTML5 Canvas and reads the results pixel by pixel to create a hash. Differences in GPU, graphics drivers, and font rendering engines cause slightly different outputs even from identical drawing commands.
- AudioContext fingerprinting: Generates oscillator nodes using the Web Audio API and compares audio signal processing results. Differences in audio stack implementations create per-device uniqueness. Combined with Canvas, identification accuracy improves further.
- WebGL fingerprinting: Captures 3D graphics rendering results. GPU vendor names, renderer names, shader precision, and texture processing results vary by device.
- Font enumeration: Creates elements with various font names in JavaScript and estimates installed fonts from changes in rendering width. The combination of OS and user-installed fonts has high uniqueness.
Commercial fingerprinting libraries (such as FingerprintJS) that combine these techniques claim over 99% identification accuracy.
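The draw-then-read-back pattern of canvas fingerprinting described above is also what makes it observable from the defender's side. This added example (not code from the original page or from any product it names) wraps the canvas methods and reports whenever a canvas that has had text drawn on it is read back. The function name `monitorCanvasReads` and the `report` callback are hypothetical; in a browser the prototypes passed in would be `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype`.

```javascript
// Report pixel read-backs from canvases that previously had text drawn on them.
// canvasProto / ctxProto are the prototypes to instrument; report receives each event.
function monitorCanvasReads(canvasProto, ctxProto, report) {
  const textDrawn = new WeakSet(); // canvases that have received fillText/strokeText

  // Replace proto[name] with a wrapper that runs `before` and then the original.
  function wrap(proto, name, before) {
    const original = proto[name];
    if (typeof original !== "function") return; // method absent in this environment
    proto[name] = function (...args) {
      before(this, name);
      return original.apply(this, args);
    };
  }

  // A 2D context exposes its canvas through the `canvas` property.
  const markText = (ctx) => {
    if (ctx.canvas) textDrawn.add(ctx.canvas);
  };
  const checkRead = (canvas, method) => {
    if (canvas && textDrawn.has(canvas)) {
      // The stack trace points at the script that performed the read-back.
      report({ method, stack: new Error().stack });
    }
  };

  wrap(ctxProto, "fillText", markText);
  wrap(ctxProto, "strokeText", markText);
  wrap(canvasProto, "toDataURL", (canvas, m) => checkRead(canvas, m));
  wrap(canvasProto, "toBlob", (canvas, m) => checkRead(canvas, m));
  wrap(ctxProto, "getImageData", (ctx, m) => checkRead(ctx.canvas, m));
}
```

A read-back alone is not proof of fingerprinting, since image editors and chart exporters do the same; the reported stack is what lets an analyst decide which script to investigate.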
Legitimate Use in Fraud Detection
While fingerprinting is often discussed in the context of privacy invasion, it also has legitimate security applications.
Fraudulent login detection identifies login attempts from environments that differ from the user's usual fingerprint and requires additional authentication. For example, if an account normally accessed from Windows + Chrome suddenly receives a login from Linux + Firefox, it may indicate a credential stuffing attack, triggering mandatory two-factor authentication.
Bot detection identifies characteristics of fingerprints generated by automation tools (Selenium, Puppeteer, etc.). Headless browsers exhibit patterns different from human browsers, such as the navigator.webdriver property being true or uniform Canvas rendering results. This is used to block scalping bots on e-commerce sites and ticket resale bots.
Account security applications include detecting mass account creation from the same fingerprint as fraudulent registration, and flagging sudden fingerprint changes as signs of account takeover. In online banking, fingerprint information is incorporated into transaction risk scoring, with high-risk transactions being temporarily held for review.
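As an added illustration of the fraud-detection uses described in this section (example code, not from the original page or any product), the following server-side sketch scores a login against the values previously seen on the account, blocks sessions that report `navigator.webdriver` as true, and lists fingerprints behind repeated registrations. The weights, thresholds, action names and sample data are assumptions.

```javascript
// Assumed weights and thresholds, chosen for illustration only.
const WEIGHTS = { os: 30, browser: 25, timezone: 20, screen: 15, language: 10 };
const STEP_UP_AT = 40;
const HOLD_AT = 70;

// baseline[attr] lists every value seen on the account's earlier, verified logins.
function riskScore(baseline, current) {
  let score = 0;
  const reasons = [];
  for (const [attr, weight] of Object.entries(WEIGHTS)) {
    const known = baseline[attr] || [];
    if (!known.includes(current[attr])) { // a missing value also counts as a change
      score += weight;
      reasons.push(`${attr} not seen before: ${current[attr]}`);
    }
  }
  return { score, reasons };
}

function decideLogin(baseline, current) {
  // Automation signal named in the text: navigator.webdriver reported as true.
  if (current.webdriver === true) {
    return { action: "block_automation", score: 100, reasons: ["navigator.webdriver is true"] };
  }
  const { score, reasons } = riskScore(baseline, current);
  const action = score >= HOLD_AT ? "hold_for_review"
    : score >= STEP_UP_AT ? "require_2fa" : "allow";
  return { action, score, reasons };
}

// Fingerprints behind at least `threshold` registrations (mass account creation).
function massRegistrationFingerprints(registrations, threshold) {
  const counts = new Map();
  for (const r of registrations) {
    counts.set(r.fingerprint, (counts.get(r.fingerprint) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([fp]) => fp);
}

// Constructed sample data.
const BASELINE = { os: ["Windows"], browser: ["Chrome"], timezone: ["Europe/Berlin"],
  screen: ["1920x1080"], language: ["de-DE"] };
const USUAL = { os: "Windows", browser: "Chrome", timezone: "Europe/Berlin",
  screen: "1920x1080", language: "de-DE", webdriver: false };
const SUSPECT = { ...USUAL, os: "Linux", browser: "Firefox" };

console.log(decideLogin(BASELINE, USUAL).action, decideLogin(BASELINE, SUSPECT).action);
```

Keeping a list of known values per attribute, rather than a single stored hash, lets a user with several devices log in without a step-up each time, and the returned reasons give reviewers something to audit.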
To learn more about this topic, see Browser Fingerprinting: How Tracking Works and How to Defend Against It.
Common Misconceptions
- Incognito mode (private browsing) prevents fingerprinting
  - Incognito mode only prevents browsing history and cookies from being saved; browser environment information remains the same as in normal mode. It provides no defense against fingerprinting.
- Using a VPN also prevents fingerprinting
  - A VPN hides your IP address but does not affect browser environment information. Separate browser-side configuration is needed to counter fingerprinting.
Difference Between Cookie Tracking and Fingerprinting
- Cookie Tracking: Tracks by storing data in the browser. Users can delete or block cookies. Consent is required under regulations like GDPR.
- Browser Fingerprinting: Tracks using environment information without storing anything in the browser. Difficult for users to detect or remove. Less likely to be subject to regulation.