Device Fingerprinting Without Cookies: How It Works
The cookie is dying. Safari's Intelligent Tracking Prevention (ITP) caps cookie lifetime to 7 days. Firefox's Enhanced Tracking Protection blocks third-party cookies entirely. Chrome's Privacy Sandbox is deprecating third-party cookies. GDPR consent requirements mean users increasingly decline cookie banners.
For fraud prevention, this is a problem. If you can't persistently identify devices, you can't track repeat offenders, detect multi-accounting, or link suspicious sessions together. Device fingerprinting solves this by identifying devices through their technical characteristics — no cookies, no localStorage, no client-side storage of any kind.
The Signal Categories
Passive Fingerprinting (No JavaScript Required)
Before your page even loads, the browser reveals information through network-level signals:
**TLS fingerprinting (JA4).** The TLS Client Hello message contains cipher suites, extensions, elliptic curves, and signature algorithms. We use JA4 hashing — a modern replacement for JA3 with better granularity.
**TCP/IP stack analysis.** TCP window size, TTL values, and MSS settings vary across operating systems. Linux, Windows, and macOS each have characteristic TCP stack configurations.
**HTTP header analysis.** Header ordering, Accept-Language values, and connection preferences differ between browsers.
Active Fingerprinting (Client-Side JavaScript)
**Canvas fingerprinting.** We draw a carefully designed scene — specific text, geometric shapes, and gradients. Different GPUs render this with subtle pixel-level differences due to anti-aliasing, sub-pixel rendering, and color blending variations. We hash the pixel data.
**WebGL fingerprinting.** WebGL exposes GPU vendor/renderer strings, max texture sizes, supported extensions, and shader capabilities. This data strongly identifies the GPU model and driver version.
**AudioContext fingerprinting.** We generate a test signal and analyze how it's processed. Different audio hardware produces measurably different output due to floating-point precision differences.
**Font enumeration.** Available system fonts vary by OS, language pack, and installed software. We test for ~300 diagnostic fonts using canvas measurement techniques.
**Navigator properties.** CPU cores, device memory, platform, language, timezone, screen resolution, color depth, pointer and touch capabilities.
Entropy Analysis
Not all signals carry equal weight. We measure each signal's entropy:
| Signal Category | Approximate Entropy |
|---|---|
| Canvas + WebGL combined | ~18 bits |
| Font list | ~8 bits |
| AudioContext | ~5 bits |
| Navigator properties | ~7 bits |
| TLS fingerprint | ~6 bits |
| Screen + display | ~4 bits |
| Timezone + language | ~3 bits |
Combined, our 1,000+ signals provide roughly 50 bits of entropy or more, which is sufficient to uniquely identify over 1 quadrillion distinct devices.
From Signals to Stable Hash
Raw signal collection is only half the problem. Browser updates change user agent strings. Driver updates alter WebGL parameters. Font installations change the font list.
Fuzzy Matching
Rather than requiring exact matches, we use a fuzzy matching algorithm that weighs signals by stability and entropy. Stable signals (canvas, GPU model) carry more weight than volatile signals (user agent, screen resolution).
**Candidate generation** uses locality-sensitive hashing (LSH) on the most stable signals to identify potential matches. **Similarity scoring** computes a weighted score across all signal categories, calibrated so normal device changes don't change the visitor ID while actual device changes do.
This achieves 99.5% accuracy — correctly identifying returning visitors across browser updates, cookie clears, incognito mode, and browser switches.
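As an added example (not the vendor's code), this Python sketch ties together the Entropy Analysis and Fuzzy Matching sections above: it computes per-signal Shannon entropy from a constructed device population, weights each signal by entropy times an assumed stability factor, and links two visits when their weighted similarity clears an assumed threshold. The signal names, stability values, sample records and threshold are all assumptions for illustration.

```python
import math
from collections import Counter

# Assumed stability weight per signal: the probability its value survives
# routine changes such as a browser update. Illustrative, not the vendor's.
STABILITY = {"canvas": 0.95, "gpu": 0.95, "fonts": 0.80,
             "timezone": 0.70, "user_agent": 0.30, "screen": 0.50}
SIGNALS = list(STABILITY)

# Constructed population of four distinct devices (sample data, not real).
POPULATION = [
    {"canvas": "c1", "gpu": "g1", "fonts": "f1", "timezone": "UTC+1",
     "user_agent": "ua1", "screen": "1920x1080"},
    {"canvas": "c2", "gpu": "g2", "fonts": "f2", "timezone": "UTC+1",
     "user_agent": "ua1", "screen": "1920x1080"},
    {"canvas": "c3", "gpu": "g3", "fonts": "f1", "timezone": "UTC-5",
     "user_agent": "ua2", "screen": "1366x768"},
    {"canvas": "c4", "gpu": "g1", "fonts": "f3", "timezone": "UTC-5",
     "user_agent": "ua2", "screen": "1920x1080"},
]

def signal_entropy(population, signal):
    """Shannon entropy in bits of one signal's value distribution."""
    counts = Counter(rec[signal] for rec in population)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def signal_weights(population):
    """Weight each signal by entropy * stability, normalised to sum to 1."""
    raw = {s: signal_entropy(population, s) * STABILITY[s] for s in SIGNALS}
    total = sum(raw.values())
    return {s: v / total for s, v in raw.items()}

def similarity(a, b, weights):
    """Weighted share of signals on which two visits agree (0..1)."""
    return sum(weights[s] for s in SIGNALS if a[s] == b[s])

def same_device(a, b, weights, threshold=0.8):
    """Link two visits when weighted similarity clears the threshold.
    The assumed threshold is set so a partial match on shared hardware
    (same GPU model, same screen) does not link two different devices,
    while a changed user agent or screen does not split one device."""
    return similarity(a, b, weights) >= threshold

if __name__ == "__main__":
    w = signal_weights(POPULATION)
    after_update = dict(POPULATION[0], user_agent="ua9")  # browser updated
    print(same_device(POPULATION[0], after_update, w))     # True
    print(same_device(POPULATION[0], POPULATION[3], w))    # False
```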
Privacy-Preserving Architecture
**Server-side processing.** All fingerprint computation happens on our servers. The client-side agent collects raw signals but doesn't compute or store the fingerprint hash.
**No PII storage.** We store fingerprint hashes, not raw signals. The hash is produced by a one-way function, so the raw signals cannot be recovered from it.
**Data residency.** EU customer data is processed and stored in EU data centers. GDPR Article 6(1)(f) covers fraud prevention as legitimate interest.
Cross-Browser Identification
The hardest challenge is identifying the same device across different browsers. We rely on browser-independent signals: GPU hardware, screen characteristics, timezone, language settings, installed fonts (OS-level), and TCP/IP stack characteristics.
Cross-browser linking accuracy is approximately 94% — lower than same-browser identification but sufficient for detecting multi-accounting across browsers on the same device.
Integration
Adding device fingerprinting takes three lines of code. The agent loads asynchronously, collects signals in under 50ms, and sends them to our API. The server response includes visitor ID, confidence score, and all 24 Smart Signals.