Hardware fingerprint and engine fingerprint are two complementary identifiers derived from different kinds of signals. Engine-bound signals, such as canvas rendering output, vary between browsers on the same device because each engine ships its own pipeline. Hardware-bound signals, such as GPU identity and platform architecture, reflect the physical device and remain consistent across browser engines.
The distinction matters because a standard browser fingerprint is really an engine fingerprint: it identifies one specific browser on one device, and changes when the user switches browsers. If the goal is to recognise the physical device regardless of which browser is open, only hardware-bound signals qualify.
In practice, a complete fingerprinting system collects both kinds: the engine fingerprint tells two browsers apart on the same machine, while the hardware fingerprint links those sessions to the same device. They answer different questions and are often returned as separate values to let integrators choose the right one for each use case.
In doorman-benny
doorman-benny formalises this split with two distinct return values: `fingerprint` for the engine-bound identifier and `hardwareFingerprint` for the hardware-bound cross-browser identifier.
Hardware vs engine fingerprintFrequently asked questions
Why does a canvas hash change when I switch browsers?
Canvas rendering is handled by the browser engine, not the GPU directly. Chrome, Firefox, and Safari each apply their own anti-aliasing, text rendering, and compositing, so the same drawing instruction produces different pixel output in each browser, making the canvas hash engine-bound.
What makes a signal hardware-bound?
A signal is hardware-bound when its value is determined by physical device characteristics rather than the browser engine that reads it. GPU renderer strings, CPU architecture, and certain media device enumeration results qualify because the underlying hardware is the same regardless of which browser queries it.
Do I need both fingerprints?
It depends on the use case. If you need to identify a specific browser session, the engine fingerprint is appropriate. If you need to recognise the same device across browsers or after a browser switch, the hardware fingerprint is the right choice. Many production systems store both and use each where it is best suited.
