Browser Fingerprinting Explained (2026): How Sites Track You

Mara Vale, Multi-Account Operations Consultant

A browser fingerprint is a unique identifier assembled from the technical attributes of your browser and device — collected silently by websites through JavaScript, without storing anything on your machine. Unlike cookies, fingerprints cannot be cleared, blocked by disabling storage, or neutralised by private browsing mode. In 2026, it is the primary tracking mechanism used by platforms to link accounts, detect automation, and identify returning visitors across sessions.

For online business operators managing multiple accounts, understanding the browser fingerprint is not optional knowledge — it is the difference between accounts that stay live and accounts that get flagged within days.

TL;DR:

  • A browser fingerprint is assembled from dozens of attributes: user agent, resolution, timezone, fonts, canvas rendering, WebGL renderer, audio context, CPU cores, RAM, and more
  • The combination is statistically unique to your device — often identifying one device among millions without any cookies
  • You cannot effectively block fingerprinting with a standard browser; privacy extensions can make you more unique, not less
  • The practical defence for multi-account operators is an antidetect browser that generates per-profile fake fingerprints that appear as different, ordinary users
  • Fingerprinting is how platforms link accounts even when IP addresses and credentials are different

See how Multilogin handles browser fingerprinting


What Is a Browser Fingerprint?

A browser fingerprint is a profile of your browser and device assembled by a website without your active participation. When you visit a page, JavaScript running in the background queries your browser for technical details — not personal information like your name or email, but low-level attributes of the software and hardware running the browser. The resulting data set is hashed into a string that functions as a unique identifier for your device.

The critical difference from cookies: a fingerprint requires no storage on your device. Clearing cookies, wiping cache, switching to incognito mode, or disabling local storage does not affect it. The fingerprint is reconstructed from scratch on every visit by querying the browser itself.

The Data Points That Make Up a Fingerprint

Every attribute your browser exposes contributes to the fingerprint. The more unusual the combination, the more unique the identifier. Here are the main categories collected when a site fingerprints your browser:

User agent string: The browser reports its name, version, rendering engine, and operating system in a standardised string. Chrome 125 on Windows 11 looks different from Firefox 127 on macOS 14. Changing your user agent manually often makes you more detectable, not less — because it creates mismatches with other attributes.

Screen and window dimensions: Your monitor resolution, colour depth, pixel ratio, and the actual viewport size after browser chrome and toolbars are accounted for. Multiple monitors add additional signals.

Timezone and language settings: Your system timezone and the browser’s accepted language list. These should logically match your IP address geolocation — mismatches are a flag.

Installed fonts: JavaScript can enumerate a meaningful subset of fonts installed on your operating system by rendering text and measuring dimensions. Corporate systems, development machines, and standard consumer setups have different font libraries. The set of fonts present is highly correlated with the OS, its version, and what software the user has installed.

Canvas rendering: A hidden HTML5 canvas element draws shapes, gradients, and text in the background. The exact pixel values of the rendered image are read back and hashed. Because GPU drivers, graphics hardware, anti-aliasing settings, and OS-level text rendering all affect the output, two devices with different graphics stacks produce different pixel patterns — even from identical drawing instructions.

WebGL renderer: Similar to canvas, but for 3D rendering. The WebGL API exposes the actual GPU renderer string (e.g. “ANGLE (NVIDIA GeForce RTX 3060)”) and can be queried to render 3D scenes whose pixel output varies by hardware.

Audio context fingerprint: The Web Audio API processes test signals through your system’s audio stack. The resulting waveform differs slightly across audio hardware and driver configurations, producing a fingerprint from sound processing alone.

CPU cores and device memory: The navigator.hardwareConcurrency API reports logical CPU core count; navigator.deviceMemory reports approximate RAM in gigabytes. These bucket you into device class — 4-core/8GB looks like a mid-range consumer laptop; 16-core/64GB looks like a workstation.

Plugins and MIME types: The list of browser plugins your browser reports. In modern Chrome, this is mostly vestigial, but it can still surface extensions that modify the browser environment.

Touch support and pointer capabilities: Whether the device reports touch events, the maximum number of touch points, and pointer precision characteristics. These distinguish phones from tablets from desktops.

Battery API: On supported browsers and operating systems, the Battery Status API can expose current charge level and charging state — attributes that persist across sessions until the device is plugged in or unplugged.

Connection information: The Network Information API reports connection type (4G, WiFi, ethernet) and estimated bandwidth class.

Individually, none of these attributes is unique. Combined, they produce a fingerprint that identifies your specific device with high statistical confidence. Research from EFF’s Panopticlick project (predecessor to Cover Your Tracks) found that over 80% of desktop browsers produce a fingerprint unique within their tested population.


Common Fingerprinting Techniques

Understanding the specific techniques helps you evaluate what any given defence actually protects against. Most fingerprinting today uses three primary data extraction methods.

Canvas Fingerprinting

Canvas fingerprinting works by drawing an off-screen image using the HTML5 <canvas> element and reading the resulting pixel data. The script calls canvas.toDataURL() to extract the image, hashes the result, and uses it as a fingerprint component.

What makes this effective: text rendering, sub-pixel anti-aliasing, colour management, and compositing operations are all handled differently across GPU vendors (NVIDIA, AMD, Intel, Apple Silicon), driver versions, and operating systems. A line of text in Arial at 18px does not produce bit-identical pixels on a Dell laptop with an AMD GPU and on a MacBook Pro with Apple Silicon — the rendering pipelines differ at a hardware level. The hash of those pixels is therefore device-specific.

Canvas fingerprinting is trivial to implement — a few dozen lines of JavaScript — and is present on a large fraction of the web’s tracking scripts. Extensions that block canvas access exist, but returning null or throwing an error creates its own distinctive signal (“this browser blocks canvas access”), potentially making you more identifiable among the general population.

The effective countermeasure is not blocking but substitution: inject a small deterministic noise value into the canvas output so that the pixel data is plausibly different on each profile, while still looking like a real rendering result. This is one of the core functions of antidetect browsers.

WebGL Fingerprinting

WebGL fingerprinting uses the same principle as canvas fingerprinting but queries the 3D rendering pipeline. Two primary extraction methods are used:

WebGL renderer string: The WEBGL_debug_renderer_info extension exposes the actual GPU model and driver string. Querying gl.getParameter(debugInfo.UNMASKED_RENDERER_WEBGL) returns something like “ANGLE (Intel, Intel(R) UHD Graphics 770 Direct3D11 vs_5_0 ps_5_0, D3D11)”. This is a precise identifier for the graphics hardware configuration.

WebGL rendering output: Rendering a 3D scene (a specific geometric shape with defined lighting) and extracting the pixel output. As with 2D canvas, GPU hardware and driver differences produce subtly different outputs.

WebGL signals are particularly robust for fingerprinting because users rarely change graphics hardware, the renderer string is device-specific, and rendering output is extremely difficult to spoof convincingly without GPU-level interception.

Font Fingerprinting

Browsers do not expose a direct API that lists every installed font, but JavaScript can enumerate fonts indirectly by testing text rendering dimensions. The technique:

  1. Create hidden text elements in a reference font (one guaranteed to exist, like sans-serif or monospace)
  2. Override the font with the font under test (e.g. “Calibri”)
  3. Measure the element’s width and height
  4. If the dimensions change, the test font is installed; if not, the browser fell back to the reference font

By testing dozens or hundreds of font names, a script builds a binary vector of which fonts are present and which are absent. The specific set of fonts reflects the OS, its version, what Microsoft Office or Adobe applications are installed, and what system fonts the user has added. Different computers have meaningfully different font sets.

Blocking font enumeration means returning false positives (claiming fonts are not installed when they are), which itself becomes a signal if the pattern is consistent across visits.

Beyond these three primary techniques, supplementary signals include battery fingerprinting, behavioural fingerprinting (typing speed, mouse movement patterns, scroll behaviour), TLS fingerprinting (the cipher suites and extensions your browser advertises in the TLS handshake, which are detectable before any JavaScript runs), and HTTP header fingerprinting (the order and values of request headers your browser sends).

Check how Multilogin substitutes fingerprints per profile


How to Test Your Browser Fingerprint

Testing your own fingerprint is the fastest way to understand exactly what you are exposing and how identifiable you are. These tools check browser fingerprint attributes and report uniqueness.

Testing Tools

BrowserLeaks.com is the most comprehensive free tool for examining what your browser exposes. It provides separate test pages for canvas, WebGL, fonts, audio context, WebRTC leaks, geolocation, and more. Use it to see the raw values rather than just a uniqueness score — it shows you exactly what data sites collect. This is the tool I start with when evaluating any new browser profile.

AmIUnique.org (maintained by researchers at INRIA) collects real fingerprints and reports how unique yours is within their database. It shows you a percentage: if your fingerprint matches fewer than 0.1% of the profiles in their database, you are highly identifiable. A standard Chrome install on a consumer Windows laptop typically comes back as unique or nearly unique.

Cover Your Tracks (by EFF, formerly Panopticlick) tests both your fingerprint uniqueness and whether tracker-blocking tools are actually working. Its methodology is well-documented and it is used by privacy researchers. Particularly useful for evaluating the effectiveness of extensions and VPN-browser combinations.

CreepJS is a more aggressive fingerprinting tool that attempts to catch browsers that spoof their attributes inconsistently. It looks for impossible combinations — a browser claiming to be Chrome but producing WebGL output inconsistent with Chrome’s rendering engine, or a timezone that does not match the IP geolocation. If you are using a fingerprint-spoofing tool, CreepJS will often detect the inconsistency. This makes it useful for testing antidetect browser profiles before using them in production.

To check browser fingerprint thoroughly, run all four tools in each browser profile you intend to use. Look for:

  • Canvas and WebGL hash values (are they plausible for the claimed browser/OS?)
  • Font set (does it match what the user agent claims?)
  • Timezone vs IP geolocation alignment
  • Any “impossible” combinations that CreepJS flags
  • WebRTC local IP leak (VPNs do not always prevent this)

A consistent, plausible profile across all four tests indicates the fingerprint is believable. Inconsistencies are what detection systems look for.


Why Fingerprinting Threatens Multi-Accounting

This is where the practitioner perspective matters. Most guides to browser fingerprinting focus on consumer privacy — tracking across websites for advertising. For multi-account operators, the threat model is different and more severe.

Account Linking via Fingerprints

Platforms that have policies against running multiple accounts — and that includes most major ad platforms, e-commerce marketplaces, and social networks — use fingerprinting as part of their detection stack. The mechanism works like this:

You sign into Account A from a browser. The platform’s JavaScript collects your fingerprint. You sign out, switch to a different email address, use a different IP address (perhaps via VPN or proxy), and sign into Account B. The platform’s JavaScript collects the fingerprint again. It matches Account A’s fingerprint exactly — because you are using the same browser on the same machine.

At this point, the platform has linked Account A and Account B. Depending on the platform’s policies and the severity of the violation, consequences range from reduced reach to account suspension to a ban on the device fingerprint itself (blocking future attempts from the same hardware).

Browser fingerprint spoofing — substituting fake attribute values — is how operators attempt to prevent this linkage. But naive spoofing (randomising values on every page load, or changing the user agent to an implausible string) creates its own detection signals. The canvas rendering does not match the claimed GPU. The fonts do not match the claimed OS. The audio fingerprint is inconsistent across tabs. Detection systems are specifically tuned to find these inconsistencies.

Why Standard Browsers Fail

Private browsing mode does not help. The same GPU renders the same canvas, the same fonts are installed, the same audio hardware produces the same output. Private mode only prevents local storage of history and cookies — it does nothing about real-time attribute collection.

Browser extensions that modify the user agent do not help either. They may change the reported string, but the canvas hash, WebGL renderer, and audio output remain the same. Now you have a fingerprint that says “Firefox” but renders like Chrome — a mismatch that is itself a fingerprint.

VPNs change your IP address but leave your browser fingerprint entirely unaffected. Running Account A and Account B through the same VPN server, or even different VPN servers, does not prevent fingerprint-based linking.

Multiple browser profiles in Chrome or Firefox share the underlying graphics stack and font library. Profiles two and three produce the same canvas output as profile one.

Even separate browser installations on the same operating system typically produce the same fingerprint — because the same GPU drivers and fonts are shared at the OS level.

The only approach that works for isolating accounts is giving each account a browser environment with a distinct, internally consistent, and realistic fingerprint — one that looks like a different ordinary user on different hardware, not like a spoofed version of the same device.


How to Defend Against Fingerprinting

The defence strategy depends on what you are protecting against. For consumer privacy (limiting ad tracking), partial mitigations work. For multi-account isolation, only a purpose-built antidetect browser provides reliable separation.

Defences for Consumer Privacy

Firefox with strict tracking protection enables some canvas and font access restrictions and blocks known tracking scripts. Combined with uBlock Origin and the Canvas Blocker extension, it reduces the fingerprint surface meaningfully. The tradeoff: blocking canvas access makes you identifiable as “a Firefox user with canvas blocking” — a smaller but real population.

Tor Browser is the most effective consumer anti-fingerprinting tool. It standardises all fingerprint attributes across all Tor Browser users — the same canvas output, the same fonts, the same window size — so that everyone using Tor Browser looks identical. This defeats fingerprinting by ensuring your profile matches millions of others. The tradeoffs are significant: slow performance, many sites blocking Tor exit nodes, and it is impractical for account-based workflows.

Brave Browser includes built-in fingerprint randomisation that injects noise into canvas and WebGL outputs. It is more practical than Tor and provides meaningful protection against casual ad tracking. For multi-account use, it is not sufficient because multiple profiles on the same Brave install share the same underlying GPU fingerprint — only the injected noise differs, and that can be detected.

Antidetect Browsers for Multi-Account Operators

For operators who need genuine account isolation — not consumer privacy but business-critical separation of multiple platform accounts — the practical solution is an antidetect browser.

An antidetect browser does not block fingerprinting. It substitutes fingerprints. Each browser profile has its own distinct, internally consistent set of fingerprint attributes:

  • A unique canvas hash that matches a plausible GPU renderer
  • A WebGL renderer string consistent with the claimed hardware
  • A font set consistent with the claimed OS
  • An audio fingerprint consistent with the hardware profile
  • Screen dimensions, timezone, and language consistent with each other and with the assigned proxy’s geolocation

The difference from naive spoofing: the profile is internally consistent. The canvas output matches what the claimed GPU would actually produce. The fonts match the claimed OS version. The WebGL renderer is a real GPU model, not a string that no hardware actually generates. Detection systems testing for impossible combinations find nothing suspicious.

Multilogin is the market-leading antidetect browser for professional multi-account use. It maintains a database of real browser profiles drawn from real hardware, so the fingerprints it assigns to your profiles are grounded in actual device fingerprints — not generated values that happen to look plausible on paper but fail under forensic inspection. I have used Multilogin across client campaigns managing dozens of accounts on Facebook Ads and Google Ads, and the per-profile fingerprint isolation holds up against platform detection that flags manually configured multi-profile setups.

Each Multilogin profile is a separate browser environment: isolated cookies, isolated local storage, isolated fingerprint. From the platform’s perspective, each profile is a different user on different hardware, arriving from a different IP (paired with your proxy configuration). The accounts cannot be linked via fingerprint because the fingerprints are genuinely different.

Dolphin Anty is a competitive alternative at a lower price point, with a team collaboration model that suits smaller agencies. It provides per-profile fingerprinting based on real device databases and integrates with popular proxy providers for IP management. For operators starting out or working with tighter budgets, it is a legitimate choice with the same core architecture as Multilogin.

The workflow for multi-account isolation using an antidetect browser:

  1. Create one browser profile per account
  2. Assign each profile a distinct fingerprint (the antidetect browser manages this from its device database)
  3. Assign each profile a dedicated residential or mobile proxy (matching the timezone and geolocation to the fingerprint)
  4. Log into each account only from its assigned profile
  5. Never use the same profile for two different accounts

With this setup, each account presents a different fingerprint, a different IP address, and different session data. The accounts are isolated at every layer the platform can measure.

Try Multilogin for isolated browser profiles

Choosing Between Multilogin and Dolphin Anty

Both tools solve the core problem of per-profile fingerprint isolation. The practical differences:

FactorMultiloginDolphin Anty
Profile fingerprint sourceReal device databaseReal device database
Browser engineMimic (Chromium-based) + Stealthfox (Firefox-based)Chromium-based
Team collaborationEnterprise tier; built for agenciesCore feature at all tiers
PriceHigher; per-profile pricing at scaleLower; flat team seat pricing
Best forLarge-scale operations, strict detection environmentsSmaller teams, budget-conscious operators

For operators running accounts on platforms with sophisticated detection (Facebook, Google, TikTok at scale), Multilogin’s fingerprint quality and the Firefox-based Stealthfox engine — which is harder to detect as an antidetect browser than a Chromium derivative — justify the price premium. For smaller teams doing lighter workloads, Dolphin Anty is a cost-effective entry point with the same architectural approach.

For a detailed evaluation of Multilogin in a real agency environment — including profile setup, fingerprint quality testing, and the team workflow — read the full Multilogin review.


Frequently Asked Questions

What is browser fingerprinting? Browser fingerprinting is a tracking technique where websites collect a combination of technical attributes from your browser and device — user agent, screen resolution, installed fonts, canvas rendering, WebGL renderer, timezone, language, CPU cores, and more — and combine them into a unique identifier. Unlike cookies, fingerprints do not require storage on your device and persist even if you clear your browser data or use private browsing mode.

How do websites fingerprint my browser? Sites use JavaScript to query your browser for dozens of technical attributes: your user agent string, screen dimensions, timezone, installed fonts, graphics card rendering via Canvas and WebGL APIs, audio processing characteristics, CPU core count, device memory, and installed plugins. These values are hashed together into a fingerprint. Because GPU drivers, font libraries, and OS configurations vary widely across devices, the combination becomes highly unique — often identifying a single device among millions.

How can I test my browser fingerprint? The most reliable tools are BrowserLeaks.com (comprehensive breakdown of every attribute your browser exposes), AmIUnique.org (shows how unique your fingerprint is versus a large database of real browser profiles), Cover Your Tracks by EFF (tests tracking protection effectiveness), and CreepJS (advanced fingerprinting that catches inconsistencies in spoofed profiles). Run all four for a complete picture of what you are leaking and whether any spoofing you have applied holds up under scrutiny.

Can browser fingerprinting be blocked? Blocking fingerprinting completely with a standard browser is nearly impossible. Privacy extensions reduce some signals but can make you more unique by producing unusual attribute combinations. The effective defence is not blocking but substitution: an antidetect browser like Multilogin or Dolphin Anty generates per-profile fake fingerprints that are internally consistent and realistic, so each browser profile appears to be a different ordinary user on different hardware.

Why is browser fingerprinting a problem for multiple accounts? When you run multiple accounts from the same browser — even in separate tabs, windows, or private sessions — they all share the same fingerprint. Detection systems at platforms like Facebook, Google, and Amazon recognise that the same fingerprint is appearing across multiple accounts and flag them as linked. This is how multi-account operators get flagged even when they use different email addresses, IP addresses, and payment methods. The fingerprint is the identifier that ties the accounts together despite the surface-level differences.


For operators new to the antidetect browser category, what is an antidetect browser covers the fundamentals of how these tools work and who needs them. If you are already convinced and want to see how accounts are managed safely in practice, how to run multiple accounts safely covers the full operational setup including proxies, profiles, and workflow discipline.

Visit Multilogin — purpose-built browser fingerprint isolation for multi-account operators

Thinking about Multilogin?

Mara tested it hands-on. Check the current plans, pricing and free-trial options for yourself.

Visit Official Website

Frequently Asked Questions

Frequently Asked Questions

What is browser fingerprinting?

Browser fingerprinting is a tracking technique where websites collect a combination of technical attributes from your browser and device — user agent, screen resolution, installed fonts, canvas rendering, WebGL renderer, timezone, language, CPU cores, and more — and combine them into a unique identifier. Unlike cookies, fingerprints do not require storage on your device and persist even if you clear your browser data or use private browsing mode.

How do websites fingerprint my browser?

Sites use JavaScript to query your browser for dozens of technical attributes: your user agent string, screen dimensions, timezone, installed fonts, graphics card rendering (via Canvas and WebGL APIs), audio processing characteristics, CPU core count, device memory, and installed plugins. These values are hashed together to create a fingerprint. Because GPU drivers, font libraries, and OS configurations vary widely across devices, the combination becomes highly unique — often identifying a single device among millions.

How can I test my browser fingerprint?

The most reliable tools are BrowserLeaks.com (comprehensive breakdown of every attribute your browser exposes), AmIUnique.org (shows how unique your fingerprint is versus a large database of real browser profiles), Cover Your Tracks by EFF (tests tracking protection effectiveness), and CreepJS (advanced fingerprinting that catches many privacy browsers). Run all four for a complete picture of what you are leaking.

Can browser fingerprinting be blocked?

Blocking fingerprinting completely with a standard browser is nearly impossible. Privacy extensions reduce some signals but can actually make you more unique by producing unusual attribute combinations. The effective defence is not blocking but substitution: an antidetect browser like Multilogin or Dolphin Anty generates per-profile fake fingerprints that are internally consistent and realistic, so each browser profile appears to be a different ordinary user.

Why is browser fingerprinting a problem for multiple accounts?

When you run multiple accounts from the same browser — even in separate tabs, windows, or private sessions — they all share the same fingerprint. Detection systems at platforms like Facebook, Google, and Amazon recognise that the same fingerprint is appearing across multiple accounts and flag them as linked. This is how multi-account operators get banned even when they use different email addresses, passwords, IP addresses, and payment methods. The fingerprint is the thread that ties them together.

See the latest features and current pricing for yourself.

Get Multilogin

Continue Reading

Special Discount Available — Limited Time!
Get Multilogin Now →