Browser fingerprinting is the foundation in which device intelligence is built, enabling businesses to uniquely identify website visitors on websites around the world.
Understanding the various browser fingerprinting techniques is crucial for organizations wanting to enhance visitor identification. A highly accurate identifier makes it easier for developers to triage suspicious traffic and restrict access to users attempting to hack into accounts, make fraudulent purchases, or spam your website. It also helps in tailoring user experiences while providing a more nuanced understanding of visitor interactions.
This article dives into what browser fingerprinting is, the common techniques used in browser fingerprinting, and how browser fingerprinting can be used for fraud detection.
What is browser fingerprinting?
Browser fingerprinting is a set of tools and techniques that can capture data through a web user's browsing activity. Browser fingerprinting gathers information related to a user's operating system, browser type, screen resolution, time zone, keyboard layout, and more. By processing these details, it creates a unique identifier, or "digital fingerprint," for each user. This identifier remains consistent across different browsing sessions, making it a reliable tool for visitor identification beyond the realm of traditional cookies.
For businesses, browser fingerprinting offers significant advantages. It enables more accurate and stable visitor identification, helps tailor visitor experiences, enhance reporting and fraud modeling, and improve the overall website experience. When a business better understands a visitor’s browser fingerprint, they can optimize their websites and applications to better suit their audience's needs improving visitor experience and overall website conversions. Additional benefits include:
- Fraud prevention. You can use browser fingerprinting to detect and block users who seem suspicious or are engaging in fraudulent activities.
- Enhanced security. Browser fingerprinting uses real-time data to stop fraud, which helps safeguard individual users' data and protects your business from revenue loss.
- Website optimization. Marketers and advertising technology companies can incorporate browser fingerprinting to hypertarget and hyperlocalize website traffic.
Fingerprints vs. cookies
Cookies store a unique identifier hash in the browser the first time a visitor lands on your website. When a visitor has a cookie that matches a previous visit record in your database, then you can be confident that the two visitors are the same.
However, cookies are a very easy identifier to conceal. In cases where visitors intentionally attempt to block cookies or obscure their identity, browser fingerprinting provides an alternative means of effectively identifying users with remarkable accuracy.
Browser fingerprinting vs. device fingerprinting
Mobile device fingerprinting gathers data about a user's device and combines the information to generate a unique fingerprint for each device. The signals available for device fingerprinting differ from those retrieved in the browser and vary between iOS, Android, and other mobile operating systems. Apps can then use these fingerprints to recognize devices even if the app cache or data is cleared.
How does browser fingerprinting work?
Browser fingerprinting operates on a principle of collecting and analyzing a variety of data points (or "signals") from a visitor’s web browser and device to create a unique identifier for that visitor. This process is meticulously designed to pinpoint the subtle differences between visitors’ browsers, even among those using identical models or operating systems.
The effectiveness of browser fingerprinting lies in its ability to generate a high entropy identifier — meaning, the collected data points create a sufficiently complex and unique profile that distinguishes one user from millions of others online.
For instance, while countless visitors might share the same operating system version, variations in installed software, browser configurations, and even minor hardware differences contribute to creating a distinct fingerprint. This approach allows for a level of precision in visitor identification that surpasses conventional identification techniques, making it a powerful tool for accurately recognizing site visitors without reliance on more easily manipulated methods.
What information is gathered?
The signals or attributes used in this process include, but are not limited to:
- Type and version of the web browser
- Operating system and its version
- Screen resolution and color depth
- Installed fonts and plugins
- Time zone and language settings
- Use of ad blockers
These signals are compiled through scripts running in the background of a visitor’s browser, which meticulously examine the software and hardware configuration without altering or interrupting the user experience. The resulting "fingerprint" is a unique composite of these characteristics, forming a highly distinctive profile that can be used to identify the visitor across different browsing sessions. Importantly, this method remains effective even when traditional identification methods, like cookies, are bypassed through incognito browsing or cleared browser data.
Fingerprint’s technology employs several cutting-edge browser identification methods to gather over 70 individual signals. These signals are combined with server-side analysis and deduplication to generate a visitor identifier, providing a persistent and valuable abstraction of a browser fingerprint, which can be volatile if a visitor changes settings or updates software on their device.
7 top browser fingerprinting techniques
There are several methods you can use to effectively create a fingerprint for a website visitor including canvas fingerprinting, WebGL fingerprinting, media device fingerprinting, TLS fingerprinting, font fingerprinting, mobile and audio fingerprinting. We discuss each of these methods in detail below.
Canvas fingerprinting
This browser fingerprinting technique uses the HTML5 canvas element to identify variances in a user’s GPU, graphics drivers, or graphics card. First, the script draws an image, often overlaid with text. Then, the script captures how the user’s web browser has rendered the image and text. Naturally, every device with different hardware and drivers will render the image slightly differently, distorting its color and shape. A hash is then computed using the rendered image’s data, which serves as the ‘canvas fingerprint.’
Like any other browser fingerprinting technique, the scripts used for canvas fingerprinting operate in the background to keep the user from realizing that the fingerprinting is occurring. This fingerprinting technique is accurate and not too processing-intensive making it one of the most employed script techniques.
To read more about this technique, read our in-depth article on Javascript canvas fingerprinting.
Canvas and WebGL rendered images from AmIUnique. Because of how this visitor's specific browser and device rendered these images, they can be narrowed down to a pool of fewer than 0.01% of total visitors.
WebGL fingerprinting
WebGL fingerprinting, an advanced subset of browser fingerprinting techniques, harnesses the power of the Web Graphics Library (WebGL) technology to render complex three-dimensional graphics directly in a user's web browser without the need for external plugins. WebGL fingerprinting operates by instructing the browser to create detailed, off-screen images that are then analyzed for unique characteristics. The way graphics are processed and rendered varies significantly across different combinations of graphics drivers, GPUs (Graphics Processing Units), and overall device hardware configurations.
The WebGL fingerprinting process begins with a script that commands the browser to generate a specific 3D graphic hidden from the user's view. The resulting image, while seemingly uniform in appearance, contains minute, hardware-dependent variations. These variations stem from the intrinsic differences in how individual devices’ GPUs and drivers interpret and execute the WebGL instructions.
For example, two devices with different models of GPUs or even different driver versions for the same GPU model will produce slightly different image outputs due to the variances in rendering algorithms and hardware capabilities. WebGL analyzes these subtle differences in the rendered images and then generates a unique identifier for each device.
Media device fingerprinting
Media device fingerprinting uncovers a list of all the connected media devices and their respective IDs on a user’s laptop or PC. This includes all internal media components like video cards, audio cards, and all connected or linked devices like headphones.
Media device fingerprinting is not widely used in fingerprinting functions, because it requires the user to grant access to their microphone and camera to get a complete list of connected devices. However, this technique is helpful for services that innately require webcam or microphone access, such as video chat services.
TLS fingerprinting
At its core, Transport Layer Security (TLS) is an algorithm that encrypts all your internet traffic, enhancing your online security. More specifically, TLS is a protocol that encrypts communications between a client and a server over the web, utilizing suites of cryptographic algorithms. Before utilizing TLS in communication, the client and server undergo a process known as the TLS handshake.
TLS fingerprinting is a technique that analyzes the specifics of how a client and server perform the TLS handshake, which is the initial step in establishing a secure communication channel over the web. By examining the unique combination of cryptographic algorithms and other parameters used during this handshake process, it's possible to generate a "fingerprint" of the devices or software involved.
To read more about this technique, read our in-depth article on TLS Fingerprinting.
Font fingerprinting
Font fingerprinting is a method used to identify users online through the unique set of fonts installed on their device. This technique involves websites executing scripts that assess which fonts are accessible on a visitor's computer, thereby generating a distinctive profile based on these fonts. Since individuals often have a diverse array of both system-default and personally installed fonts, this creates a specific fingerprint that can differentiate one user from another.
Font fingerprinting is particularly useful for web analytics and personalized content delivery, as it enables websites to identify returning users and understand their preferences without relying on traditional cookies, enhancing the user experience through customization.
Mobile device fingerprinting
Similar to browser fingerprinting, mobile device fingerprinting is a technique used to identify individual devices based on a unique combination of hardware and software attributes. This process involves collecting data points such as the device's operating system, browser type, screen resolution, and more, to create a distinctive profile or "fingerprint" of the device. It functions by analyzing these attributes without the need for traditional identifiers like cookies.
Mobile device fingerprinting is particularly useful for businesses and online platforms as it enables them to recognize returning devices, enhance user experience through personalization, and improve fraud detection mechanisms by identifying devices that exhibit suspicious behavior. This method offers a reliable way of understanding user engagement and optimizing services accordingly.
Audio fingerprinting
Audio fingerprinting works by processing the subtle differences in how a device's software and hardware render audio content. When a sound is played on a device, factors such as the browser vendor and version, along with the CPU architecture, influence the exact way sound waves are generated and processed. These minute variations can be captured through a digital oscillator and analyzed to create a unique audio fingerprint of the device.
Audio fingerprinting can be particularly valuable for applications in digital rights management and content distribution, allowing platforms to manage how audio content is accessed and shared. Additionally, it can enhance user experiences by enabling more personalized audio content delivery based on the identified device characteristics.
Read our in-depth tutorial on how audio fingerprinting works using the Web Audio API to learn more about audio fingerprinting. You can also learn more about how it’s possible to bypass audio anti-fingerprinting protection in Apple Safari 17 here.
How browser fingerprinting can help detect fraud
Incorporating more than one browser fingerprinting technique plays a crucial role in creating a comprehensive and nuanced digital fingerprint. By combining signals from multiple sources into a unique visitor identifier, these methods achieve a high level of accuracy in visitor identification. This stability and accuracy is particularly valuable in the realm of fraud detection, where identifying and distinguishing between legitimate users and potential fraudsters is more important than ever.
When working to detect and prevent fraud, take note that only a small number of your site visitors are responsible for fraudulent activities. Because of this, your developer team has to find a way to isolate these site users, identify them, verify them through authentication, and add them to your site’s blocklist.
However, you need to keep these security layers away from your trusted traffic since extra authentication steps can cause an impeded user experience. In addition, more strict site security can also slow down account accessibility, conversion rates, and overall site engagement.
Browser fingerprinting techniques are helpful for identifying visitors with a pattern of fraudulent behavior and then targeting only these visitors for additional security. In addition, fraudsters often use identity concealing techniques like disabling cookies, surfing through a VPN, or using browsers in incognito mode. These are all areas where fingerprinting proves to be at its best since it identifies users quickly without relying on IP addresses and site cookies.
One of the most common fraud types is account takeover, where malicious users try to hack a legitimate user’s account and make purchases or steal their identity. With fingerprinting and related user identification technologies, additional security can be added to the login process for suspicious traffic only. This added security makes it more difficult for untrusted traffic to log in and take over trusted users’ accounts.
Incorporating browser fingerprinting techniques can significantly enhance the security measures against brute force and bot attacks, beyond traditional methods like CAPTCHA and account lockouts. By identifying unique browser fingerprints, websites can detect and flag repetitive login attempts that exhibit patterns typical of automated bots or brute force strategies, even before the set threshold for failed attempts is reached.
Browser fingerprinting offers a layer of protection against phishing scams by enabling the identification of devices attempting unauthorized access. By requiring additional verification, such as email or two-factor authentication, whenever a new or unrecognized device fingerprint attempts to log in, websites can significantly reduce the risk of unauthorized account access resulting from phishing attempts. Additionally, the ability to identify and blocklist visitors associated with repeated suspicious activities allows for a more effective fraud prevention strategy.
Harness the transformative power of browser fingerprinting with Fingerprint
The cornerstone of combating online fraud lies in the precision of visitor identification technology, which allows businesses to distinguish between legitimate users and potential threats effectively. Companies can protect their website from fraudulent activity, and provide a secure and seamless experience for their trusted users while isolating and mitigating bad actors.
Ready to combat online fraud?
Explore how Fingerprint can empower your business to enhance security and user experience.
FAQ
Browser fingerprinting and cookies serve similar purposes in identifying and tracking user behavior online, but they operate in fundamentally different ways. Cookies are small pieces of data stored on the user's device by websites to remember the user's actions and preferences over time.
In contrast, browser fingerprinting collects information about a user's device and browser settings (such as screen resolution, operating system, installed fonts, and plugins) to create a unique "fingerprint." Unlike cookies, which can be easily deleted by users, browser fingerprints are more challenging to alter because they are derived from the characteristics of the user's device and browser.
While completely avoiding digital fingerprinting is challenging due to its reliance on various aspects of a user's device and browser, users can take steps to minimize their uniqueness and make identification more difficult.
Using privacy-focused browsers or extensions that specifically limit fingerprinting techniques can help obscure or randomize the information shared with websites. Regularly updating software and using common screen resolutions can also reduce the distinctiveness of a device's fingerprint.
Additionally, employing virtual private networks (VPNs) and browsing in incognito or private modes can offer additional layers of privacy, although these measures may not fully prevent fingerprinting.
Browser fingerprinting is primarily designed for fraud detection, which generally does not require consent under most privacy laws. However, the extent to which you may need consent depends on where and how you choose to implement and use browser fingerprinting technology. We recommend working with your legal team to determine how best to address legal and compliance requirements.