Concept

What is a device fingerprint?

A plain-English, developer-focused guide to what a device fingerprint is, how it is built from browser and hardware signals, how stable it actually is, and where it fits next to cookies and IP addresses.

A device fingerprint is a stable identifier derived from the properties a device and browser reveal, hashed into a compact ID that recognizes a returning device without a cookie. This guide covers how they are built, how unique they are, what they are used for, and how to generate one in JavaScript.

Device fingerprint, defined

A device fingerprint is a stable identifier derived from the observable properties of a user's device and browser: the GPU, the set of installed fonts, screen geometry, audio and rendering behavior, time zone, language, and similar traits. Collected together and hashed, these signals recognize a returning device without storing a cookie or asking the user to log in.

Unlike a cookie, a fingerprint is not written to the device. Nothing is stored in the browser. The identifier is recomputed from what the device already reveals each time the page runs the collection code, which is why clearing cookies or opening a private window does not reset it the way it resets a cookie-based ID.

The term covers a spectrum. A browser fingerprint describes one browser on one device. A device fingerprint aims at the physical machine, so it should hold even when the user switches browsers. The difference between those two targets matters a great deal in practice, and it is the single most common source of confusion in this space.

How a device fingerprint is built

Every fingerprinting library follows the same three-step shape: collect signals, normalize them, then hash them into a compact identifier.

Collection queries browser APIs for properties the device exposes. Some are simple values the browser reports directly, like the screen resolution or the user agent. Others are derived by asking the device to do a small piece of work and measuring the result, such as rendering a graphic and reading back the pixels, or processing an audio buffer and measuring the output. Different hardware and different browser engines produce subtly different results, and those differences are the entropy a fingerprint is made of.

Normalization cleans the raw values so that meaningless run-to-run noise does not change the final hash. Without it, a fingerprint would be too brittle to be useful. With too much of it, the fingerprint loses the entropy that makes it distinctive. Getting this balance right is most of the engineering.

Hashing folds the normalized signals into a short, fixed-length string. The hash is one-way: it identifies a device on return visits, but you cannot reverse it back into the underlying signals.

What signals go into a fingerprint

The signals a fingerprint collects fall into two categories, and keeping them separate is what lets a fingerprint survive a browser switch.

Hardware-bound signals describe the physical machine: the GPU, the installed font set, the display geometry, and similar device-level traits. They report the same value in Chrome, Safari, and Firefox on the same device. Engine-bound signals describe how a particular browser processes content: the exact output of an audio pipeline, the precise pixels a canvas fill produces, how the JavaScript engine formats an error stack. These differ between browser engines even on identical hardware.

A library that fuses both categories into one hash produces an identifier tied to a browser-on-a-device combination, not to the device. Change the browser and the hash changes. The hardware vs engine fingerprint explainer covers this split in depth; it is the foundation the rest of this guide rests on.
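The normalize-then-hash steps and the hardware/engine split described above, as an added Node.js example (not code from doorman-benny or from this guide's author). The signal names, the rounding precision, and the sample values are assumptions constructed for illustration; in a browser the signals would come from the collection step.

```javascript
const { createHash } = require('node:crypto');

// Assumed signal names, split the way the guide describes.
const HARDWARE_KEYS = ['gpu', 'fonts', 'screen'];
const ENGINE_KEYS = ['audioSum', 'canvasDigest', 'errorStackStyle'];

// Normalize: remove run-to-run noise (ordering, whitespace, float jitter)
// while keeping the values that distinguish one device from another.
function normalize(value) {
  if (Array.isArray(value)) return value.map(normalize).sort();
  if (typeof value === 'number') return Number(value.toFixed(3));
  if (typeof value === 'string') return value.trim().replace(/\s+/g, ' ').toLowerCase();
  return value;
}

// Hash: serialize the chosen keys in a fixed order, then SHA-256 the result.
function hashSignals(signals, keys) {
  const canonical = JSON.stringify(keys.map((k) => [k, normalize(signals[k] ?? null)]));
  return createHash('sha256').update(canonical).digest('hex');
}

// Two identifiers from one collection pass.
function fingerprintOf(signals) {
  return {
    hardware: hashSignals(signals, HARDWARE_KEYS),
    browser: hashSignals(signals, [...HARDWARE_KEYS, ...ENGINE_KEYS]),
  };
}

// Constructed sample data: one machine seen from two browsers.
const device = { gpu: 'Example GPU 3000', screen: '2560x1440@2' };
const chrome = { ...device, fonts: ['Arial', 'Helvetica', 'Menlo'],
  audioSum: 124.04347527516074, canvasDigest: 'a91f', errorStackStyle: 'v8' };
const safari = { ...device, fonts: ['Menlo', 'Arial', 'Helvetica'],
  audioSum: 35.73833402246237, canvasDigest: '07c2', errorStackStyle: 'jsc' };
// Same Chrome on a later visit, with jitter past the third decimal.
const chromeLater = { ...chrome, audioSum: 124.04347527519999 };

console.log(fingerprintOf(chrome), fingerprintOf(safari), fingerprintOf(chromeLater));
```

Rounding is only one normalization choice: a value that sits on a rounding boundary can still flip the hash between visits.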

Signal categories at a glance

| Category | Examples | Stable across browsers on the same device? |
| --- | --- | --- |
| Hardware-bound | GPU, installed fonts, display geometry, device-level traits | Yes |
| Engine-bound | Audio pipeline output, canvas pixels, JS engine behavior, WebGL rendering | No |

How unique is a device fingerprint?

A fingerprint is probabilistic, not a guaranteed-unique serial number. Its power comes from entropy: each signal narrows the field, and enough independent signals combined can single out one device among a very large population.

The Electronic Frontier Foundation's Panopticlick project (later Cover Your Tracks) made this concrete: when researchers measured real browsers in the wild, the combination of signals was frequently unique enough to identify a specific browser, even though no single signal was. Later studies found uniqueness is lower on homogeneous devices, such as stock mobile phones that share the same hardware and fonts, which is an honest limit worth knowing.

Two practical consequences follow. First, more signals generally mean more distinguishing power, up to a point. Second, because a fingerprint is statistical, identity decisions should be expressed as similarity rather than a strict equality check. That is why a comparison step that scores how close two fingerprints are, rather than demanding an exact match, is part of any serious setup.
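One way to implement the similarity comparison described above, as an added example (not code from doorman-benny). A one-way hash changes completely when any input changes, so this sketch assumes the normalized signals are kept alongside the hash and scored directly; the signal names, weights, threshold, and sample records are all constructed assumptions.

```javascript
// Per-signal comparators, each returning a score between 0 and 1.
const exact = (a, b) => (a === b ? 1 : 0);
const jaccard = (a, b) => {
  const setA = new Set(a);
  const setB = new Set(b);
  const union = new Set([...setA, ...setB]).size;
  const shared = [...setA].filter((x) => setB.has(x)).length;
  return union === 0 ? 1 : shared / union;
};

// Assumed weights: hardware-bound traits count for more than settings
// a user can change in seconds.
const SIGNALS = [
  { key: 'gpu', weight: 3, cmp: exact },
  { key: 'fonts', weight: 3, cmp: jaccard },
  { key: 'screen', weight: 1, cmp: exact },
  { key: 'timezone', weight: 1, cmp: exact },
  { key: 'languages', weight: 1, cmp: jaccard },
];

// Weighted average over the signals both records actually contain.
function similarity(a, b) {
  let score = 0;
  let total = 0;
  for (const { key, weight, cmp } of SIGNALS) {
    if (a[key] === undefined || b[key] === undefined) continue; // no evidence either way
    score += weight * cmp(a[key], b[key]);
    total += weight;
  }
  return total === 0 ? 0 : score / total;
}

// Threshold is an assumption; tune it against labelled traffic.
const sameDevice = (a, b, threshold = 0.8) => similarity(a, b) >= threshold;

// Constructed records: a stored device, the same device after a font install
// and a trip abroad, and an unrelated device with the same screen and time zone.
const stored = { gpu: 'example gpu 3000', fonts: ['arial', 'helvetica', 'menlo', 'courier'],
  screen: '2560x1440', timezone: 'Europe/Berlin', languages: ['en-US', 'de'] };
const returning = { ...stored, fonts: [...stored.fonts, 'fira code'], timezone: 'Europe/Lisbon' };
const stranger = { gpu: 'other gpu 500', fonts: ['arial', 'roboto', 'noto sans'],
  screen: '2560x1440', timezone: 'Europe/Berlin', languages: ['en-US'] };

console.log(similarity(stored, returning).toFixed(3), sameDevice(stored, returning));
console.log(similarity(stored, stranger).toFixed(3), sameDevice(stored, stranger));
```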

What device fingerprints are used for

Device fingerprinting earns its keep wherever you need to recognize a device without a cooperative identifier like a login or a cookie.

The largest category is anti-fraud: stopping free-trial abuse when a user clears cookies and switches browsers, detecting duplicate signups and multi-accounting, catching referral-program gaming, and binding a session to a device to resist account takeover. In each case the abuser's whole strategy is to look like a new visitor, and a device-level identifier is what sees through that.

Beyond fraud, fingerprints support bot and automation detection, lightweight analytics that respect a no-cookie posture, and device-binding for licensing or step-up authentication. The common thread is durable recognition: the identifier has to survive the exact actions a cookie does not.

Is device fingerprinting legal?

Fingerprinting is a technique, and like cookies its legality depends on how and why you use it, and where your users are. Privacy regimes such as the GDPR and ePrivacy rules, the CCPA, and a growing list of US state laws treat fingerprinting much the way they treat cookies: it can require notice, a lawful basis, or consent depending on the purpose.

There is nuance worth getting right. Many regimes carve out room for fingerprinting used strictly for security and fraud prevention that does not apply to fingerprinting used for cross-site advertising. The cookies vs fingerprinting comparison and the per-jurisdiction law pages on this site go through the specifics; treat this paragraph as a pointer, not legal advice.

The practical takeaway: pick the narrowest purpose that solves your problem, document it, and consult the relevant jurisdiction page before you ship.

How to generate a device fingerprint in JavaScript

At the API level, generating a fingerprint is a single asynchronous call. The library handles collection, normalization, and hashing for you and returns the result client-side, with no account, no API key, and no server round-trip.

The call below returns two identifiers from one collection pass. `fingerprint` is the per-browser hash, useful for recognizing a returning visitor in the same browser. `hardwareFingerprint` is the cross-browser device hash, the one that stays identical across Chrome, Safari, Firefox, and Brave on the same machine.

```javascript
import { getFingerprint } from 'doorman-benny';

const result = await getFingerprint();

// Per-browser hash: differs between Chrome and Safari on the same machine.
console.log(result.fingerprint);

// Hardware hash: identical across browsers on the same physical device.
console.log(result.hardwareFingerprint);

// A spoof-likelihood rating ships free on every result.
console.log(result.consistency.spoofLikelihood); // 'low' | 'medium' | 'high'
```

One call returns both hashes plus a free anti-spoof rating. No account, no API key, no cookies.

Frequently asked questions

What is a device fingerprint in simple terms?

A device fingerprint is an identifier built from the properties a device and browser reveal, such as the GPU, installed fonts, screen size, and rendering behavior. Those signals are collected and hashed into a compact ID that recognizes the device on return visits. Nothing is stored on the device, so it is not a cookie.

How is a device fingerprint different from a cookie?

A cookie is a value your server writes into the browser, so the user can delete it, block it, or escape it with a new browser or private window. A fingerprint is recomputed from what the device already exposes, so it survives those actions. A cookie is per-browser by nature, while a hardware-based fingerprint can recognize the same device across different browsers.

How accurate or unique is a device fingerprint?

A fingerprint is probabilistic, not a guaranteed-unique serial number. Combining many independent signals can single out one device among a very large population, as the EFF's Panopticlick research showed, but uniqueness is lower on homogeneous devices like stock phones that share hardware and fonts. Because it is statistical, identity is best decided by scoring similarity rather than demanding an exact match.

Can users block device fingerprinting?

Users can reduce it with privacy-focused browsers, anti-detect tools, or by spoofing signals, but blocking it outright is harder than deleting a cookie because there is nothing stored to clear. Tampering also tends to leave its own traces, which is why a consistency or anti-spoof check is useful for flagging browsers whose reported signals do not add up.

Is device fingerprinting legal?

It depends on the purpose and the jurisdiction. Privacy laws such as the GDPR, ePrivacy rules, the CCPA, and various US state laws often treat fingerprinting like cookies, requiring notice or consent for some uses, while frequently allowing narrowly scoped security and fraud-prevention use. The cookies vs fingerprinting comparison and the per-jurisdiction law pages cover the specifics.

How do I generate a device fingerprint in JavaScript?

Call an asynchronous fingerprinting function that handles collection and hashing for you. With doorman-benny, `getFingerprint` returns a per-browser `fingerprint` and a cross-browser `hardwareFingerprint` from a single client-side call, with no account, API key, or server. `getDeviceId` returns just the hardware hash if you want the fastest path.

Get started

Generate a device fingerprint in one call

One npm install. Zero dependencies. A per-browser hash, a cross-browser hardware hash, and a free anti-spoof rating, all client-side from a single call.


Last reviewed June 9, 2026