How does device fingerprinting work without cookies?

VerifyStack collects 120+ hardware and browser signals — including canvas spectral entropy, audio DAC phase signatures, GPU shader precision, and CPU microarchitecture timing — then combines them via SimHash LSH to produce stable identifiers persisting across sessions, incognito mode, and cookie resets.

What entropy does device fingerprinting achieve?

VerifyStack achieves ~210+ bits of composite entropy across six orthogonal signal layers, yielding theoretical uniqueness of 1 in 2²¹⁰ devices.

Is device fingerprinting GDPR compliant?

Yes. Fingerprints qualify as pseudonymous data under GDPR Art. 4(5). All composites are irreversibly SHA-256 hashed with length-prefixed domain separation. Zero PII collection or storage.

120+ Orthogonal Entropy Vectors · ~210 Bits Composite Entropy

Device Fingerprinting Engine

Deterministic, hardware-level device identification that exploits irreducible silicon-layer characteristics — spectral canvas entropy, audio DAC phase signatures, and CPU microarchitecture timing — to produce collision-resistant identifiers that persist across sessions, incognito mode, cookie purges, and browser reinstallation.

The client-side SDK collects raw entropy vectors via non-blocking async probes. All hashing, normalization, and Bayesian risk fusion executes server-side through a deterministic, auditable pipeline — zero PII collection, zero client-side scoring, zero trust assumptions.

Get Started API Reference

~210+ bits

Composite Entropy

Six orthogonal collection layers

SimHash LSH

Hashing Primitive

FNV-1a 64-bit locality-sensitive

Fuzzy LSH

Cross-Browser Matching

Hardware-invariant signal subset

<120ms p95

Collection Latency

Parallel async via Promise.allSettled()

Live Fingerprint Collection

Collected Signals (0)

Generated Fingerprint

Server-Side Analysis

Awaiting analysis...

Orthogonal Signal Collection Layers

Each layer extracts statistically independent entropy from a distinct hardware or software surface. The orthogonality ensures that spoofing one layer provides negligible advantage against the remaining five — producing a composite device identity resilient to targeted evasion, OS re-installation, and privacy-mode browsing.

Spectral Canvas Analysis

Applies a Cooley-Tukey radix-2 FFT to canvas rendering artifacts, extracting spectral entropy, spectral centroid, and sub-pixel rasterization harmonics unique to each GPU driver pipeline. The resulting spectral fingerprint is invariant to canvas content — it captures the rendering engine's transfer function itself.

Canvas 2D Spectral Hash~18 bits

WebGL Renderer String~12 bits

Shader Precision Format~6 bits

Sub-Pixel Rendering Sig.~14 bits

View implementation →

// Spectral canvas fingerprinting (real implementation)
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.font = "14px 'Arial'";
ctx.fillText('VerifyStack-fp', 2, 2);
// Extract raw pixel data → FFT → spectral entropy
const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
const spectralEntropy = computeSpectralEntropy(imageData);
const hash = sha256(canvas.toDataURL());

Audio DAC Fingerprinting

The gold-standard cross-browser identifier. Synthesizes a triangle-wave oscillator through a DynamicsCompressor node in an OfflineAudioContext, then captures the frequency-domain magnitude response. Manufacturing tolerances in each DAC chip's sigma-delta modulator produce device-specific harmonic distortion patterns — yielding ~35 bits of entropy from a single, deterministic audio probe.

Oscillator Phase Signature~35 bits

DAC Output Latency~8 bits

Sample Rate~4 bits

Harmonic Analysis Hash~12 bits

View implementation →

// Audio DAC fingerprinting (gold standard)
const ctx = new OfflineAudioContext(1, 44100, 44100);
const osc = ctx.createOscillator();
osc.type = 'triangle';
const compressor = ctx.createDynamicsCompressor();
osc.connect(compressor);
compressor.connect(ctx.destination);
// Capture frequency domain → DJB2 hash
const buffer = await ctx.startRendering();
const dacHash = djb2Hash(buffer.getChannelData(0));

Hardware & Microarchitecture

Profiles CPU execution unit topology by benchmarking integer vs. floating-point throughput ratios (ALU/FPU port utilization asymmetry) and memory access latency at increasing stride intervals (L1→L2→L3→RAM boundary detection). Disambiguates Apple Firestorm (ratio ≈ 1.2), Intel Skylake (≈ 0.9), and AMD Zen3 (≈ 1.05) microarchitectures with high confidence.

CPU Core Count~4 bits

Device Memory~3 bits

ALU/FPU Throughput Ratio~10 bits

Memory Latency Curve~8 bits

Screen Configuration~10 bits

View implementation →

// Ouroboros microarchitecture profiling
const intOps = measureIntThroughput(1_000_000);
const floatOps = measureFloatThroughput(1_000_000);
const aluFpuRatio = intOps / floatOps;
// Apple Firestorm ≈ 1.2, Skylake ≈ 0.9, Zen3 ≈ 1.05
const memLatency = measureMemoryLatencyCurve();
// L1 hit ≈ 1ns, L2 ≈ 4ns, RAM ≈ 60ns

Font Enumeration

Measures text rendering bounding-box dimensions across a curated typographic corpus. Font availability directly encodes the OS distribution, locale configuration, and installed software ecosystem — delivering 50+ bits of entropy as one of the highest-yield passive probes available in the browser sandbox.

System Font Set~50+ bits

Font Smoothing Type~2 bits

Font Rendering Spectral~8 bits

View implementation →

// Font enumeration via dimension measurement
const baseFonts = ['monospace', 'sans-serif', 'serif'];
const testFonts = ['Arial', 'Helvetica Neue', ...];
for (const font of testFonts) {
  const dims = measureText(testString, font);
  if (dims !== baseDims) installed.push(font);
}
// Spectral analysis of sub-pixel rendering
const spectral = analyzeSubPixelRendering(font);

Network & Connection

Captures connection modality, round-trip time estimates, and effective downlink bandwidth from the Network Information API. Server-side fusion with IP-layer signals enables Haversine geo-velocity computation, impossible-travel detection (flagging sessions requiring >900 km/h displacement), and ASN reputation scoring against known proxy/VPN/hosting infrastructure.

Connection Type~4 bits

RTT Estimate~8 bits

Downlink Bandwidth~6 bits

View implementation →

// Network signal collection
const conn = navigator.connection;
const networkSignals = {
  type: conn?.effectiveType,  // '4g', '3g', etc.
  rtt: conn?.rtt,             // Round-trip time (ms)
  downlink: conn?.downlink    // Mbps estimate
};

Browser Behavioral Topology

Maps the browser's complete API surface topology — timezone offset, language stack ordering, Permissions API state vector, storage mechanism availability (localStorage, IndexedDB, cookie jar), and User-Agent Client Hints — to construct a high-dimensional behavioral identity that persists even when stateful storage mechanisms are purged.

Timezone~9 bits

Language Stack~10 bits

Permissions Vector~12 bits

Storage Availability~4 bits

Client Hints~8 bits

View implementation →

// Browser behavioral topology
const topology = {
  timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  languages: navigator.languages,
  permissions: await snapshotPermissions([
    'notifications', 'geolocation', 'camera',
    'microphone', 'midi', 'clipboard-read'
  ]),
  clientHints: await navigator.userAgentData
    ?.getHighEntropyValues(['platform', 'arch'])
};

Deterministic Identity Resolution Pipeline

Raw entropy vectors flow through a four-stage deterministic pipeline — parallel collection, canonical normalization, locality-sensitive hashing, and server-side Bayesian fusion — before a collision-resistant device identity is emitted with calibrated confidence.

Parallel Signal Acquisition

The SDK dispatches 120+ probes concurrently via Promise.allSettled() with per-probe timeout isolation. Each entropy vector is independent — a failure in canvas spectral analysis never blocks audio DAC probing. Timing-sensitive measurements (microarchitecture profiling, memory latency curves) use calibrated microbenchmarks with statistical outlier rejection.

Canonical Normalization

Raw signal values undergo deterministic canonicalization: user-agent strings are decomposed into structured tuples (engine × platform × version), screen dimensions are orientation-normalized to landscape-first ordering, and WebGL renderer strings are vendor-prefix-stripped. This bijective mapping ensures identical hardware produces identical intermediate representations across browser version upgrades.

SimHash Locality-Sensitive Hashing

Hardware-invariant signals (CPU concurrency, audio sample rate, color depth, max touch points) are projected through SimHash with FNV-1a 64-bit as the inner hash function. SimHash preserves Hamming distance — devices sharing ≥85% signal overlap produce fingerprints within a configurable Hamming radius, enabling probabilistic cross-browser fuzzy matching without sacrificing collision resistance.

Server-Side Bayesian Posterior Inference

The server ingests the raw signal payload and activates 151 detection techniques across 12 analyzers (device, behavioral, anomaly, correlation, entropy, botd, physics, hardware, evasion, tls, hw-timing, session). Evidence is accumulated through a Beta distribution conjugate prior — the posterior mean P(fraud) = β/(α+β) yields calibrated fraud probability with variance-derived confidence intervals and full decision explainability.

Technical Specifications

Composite Signal Entropy

Across 6 orthogonal collection layers

~210+ bits

Theoretical Uniqueness

Upper bound assuming signal independence

1 in 2²¹⁰

Cross-Session Stability

Hardware-invariant subset persistence rate

≥96%

Acquisition Latency

Parallel async probes on modern browsers

<120ms p95

Incognito Resilience

FileSystem timing, IDB errors, quota anomalies

Multi-vector

Anti-Detect Coverage

Multilogin, GoLogin, Dolphin, Kameleo, and more

13+ tools

Privacy-by-Design Architecture

Zero PII Collection

No names, emails, or personally identifiable information ever touches the fingerprinting pipeline.

One-Way SHA-256 Hashing

All signal composites are irreversibly hashed before storage using length-prefixed domain separation.

GDPR & ePrivacy Compliant

Fingerprints qualify as pseudonymous data under GDPR Art. 4(5) with documented legitimate interest.

90-Day Configurable Retention

Automatic TTL-based expiration. Customers can configure shorter retention periods.

Transparency Controls

Data subject access requests return the pseudonymous fingerprint and associated risk decisions.

Differential Privacy Ready

Consortium contributions use Laplace mechanism (ε=0.5) to anonymize shared threat signals.

Visitor ID Persistence Model

The SDK generates a cryptographically random visitor ID via CSPRNG and persists it through a multi-tier fallback chain, ensuring continuity even when individual storage mechanisms are cleared.

Tier 1

localStorage

✓ Survives tab close, browser restart

✗ Cleared by "Clear browsing data"

Tier 2

sessionStorage

✓ Survives same-tab navigation

✗ Cleared on tab close

Tier 3

First-party cookie

✓ Survives storage clear if exempted

✗ Cleared by cookie deletion

Fallback logic: On each page load, the SDK checks Tier 1 → Tier 2 → Tier 3 in order. If a visitor ID is found, it is promoted back to all available tiers. If none exists, a new ID is generated via crypto.getRandomValues() and written to all tiers simultaneously.

Silicon-Level Device Identification

Integration requires a single async import. All cryptographic hashing, signal normalization, and Bayesian inference executes server-side — your client stays lightweight, your pipeline stays auditable.

Reserve Launch Access Next: Behavioral Analysis

120+ Orthogonal Entropy Vectors · ~210 Bits Composite Entropy

Device Fingerprinting Engine

Get Started API Reference

~210+ bits

Composite Entropy

Six orthogonal collection layers

SimHash LSH

Hashing Primitive

FNV-1a 64-bit locality-sensitive

Fuzzy LSH

Cross-Browser Matching

Hardware-invariant signal subset

<120ms p95

Collection Latency

Parallel async via Promise.allSettled()

Live Fingerprint Collection

Collected Signals (0)

Generated Fingerprint

Server-Side Analysis

Awaiting analysis...

Orthogonal Signal Collection Layers

Spectral Canvas Analysis

Canvas 2D Spectral Hash~18 bits

WebGL Renderer String~12 bits

Shader Precision Format~6 bits

Sub-Pixel Rendering Sig.~14 bits

View implementation →

// Spectral canvas fingerprinting (real implementation)
const canvas = document.createElement('canvas');
const ctx = canvas.getContext('2d');
ctx.font = "14px 'Arial'";
ctx.fillText('VerifyStack-fp', 2, 2);
// Extract raw pixel data → FFT → spectral entropy
const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
const spectralEntropy = computeSpectralEntropy(imageData);
const hash = sha256(canvas.toDataURL());

Audio DAC Fingerprinting

Oscillator Phase Signature~35 bits

DAC Output Latency~8 bits

Sample Rate~4 bits

Harmonic Analysis Hash~12 bits

View implementation →

// Audio DAC fingerprinting (gold standard)
const ctx = new OfflineAudioContext(1, 44100, 44100);
const osc = ctx.createOscillator();
osc.type = 'triangle';
const compressor = ctx.createDynamicsCompressor();
osc.connect(compressor);
compressor.connect(ctx.destination);
// Capture frequency domain → DJB2 hash
const buffer = await ctx.startRendering();
const dacHash = djb2Hash(buffer.getChannelData(0));

Hardware & Microarchitecture

CPU Core Count~4 bits

Device Memory~3 bits

ALU/FPU Throughput Ratio~10 bits

Memory Latency Curve~8 bits

Screen Configuration~10 bits

View implementation →

// Ouroboros microarchitecture profiling
const intOps = measureIntThroughput(1_000_000);
const floatOps = measureFloatThroughput(1_000_000);
const aluFpuRatio = intOps / floatOps;
// Apple Firestorm ≈ 1.2, Skylake ≈ 0.9, Zen3 ≈ 1.05
const memLatency = measureMemoryLatencyCurve();
// L1 hit ≈ 1ns, L2 ≈ 4ns, RAM ≈ 60ns

Font Enumeration

System Font Set~50+ bits

Font Smoothing Type~2 bits

Font Rendering Spectral~8 bits

View implementation →

// Font enumeration via dimension measurement
const baseFonts = ['monospace', 'sans-serif', 'serif'];
const testFonts = ['Arial', 'Helvetica Neue', ...];
for (const font of testFonts) {
  const dims = measureText(testString, font);
  if (dims !== baseDims) installed.push(font);
}
// Spectral analysis of sub-pixel rendering
const spectral = analyzeSubPixelRendering(font);

Network & Connection

Connection Type~4 bits

RTT Estimate~8 bits

Downlink Bandwidth~6 bits

View implementation →

// Network signal collection
const conn = navigator.connection;
const networkSignals = {
  type: conn?.effectiveType,  // '4g', '3g', etc.
  rtt: conn?.rtt,             // Round-trip time (ms)
  downlink: conn?.downlink    // Mbps estimate
};

Browser Behavioral Topology

Timezone~9 bits

Language Stack~10 bits

Permissions Vector~12 bits

Storage Availability~4 bits

Client Hints~8 bits

View implementation →

// Browser behavioral topology
const topology = {
  timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  languages: navigator.languages,
  permissions: await snapshotPermissions([
    'notifications', 'geolocation', 'camera',
    'microphone', 'midi', 'clipboard-read'
  ]),
  clientHints: await navigator.userAgentData
    ?.getHighEntropyValues(['platform', 'arch'])
};

Deterministic Identity Resolution Pipeline

Parallel Signal Acquisition

Canonical Normalization

SimHash Locality-Sensitive Hashing

Server-Side Bayesian Posterior Inference

Technical Specifications

Composite Signal Entropy

Across 6 orthogonal collection layers

~210+ bits

Theoretical Uniqueness

Upper bound assuming signal independence

1 in 2²¹⁰

Cross-Session Stability

Hardware-invariant subset persistence rate

≥96%

Acquisition Latency

Parallel async probes on modern browsers

<120ms p95

Incognito Resilience

FileSystem timing, IDB errors, quota anomalies

Multi-vector

Anti-Detect Coverage

Multilogin, GoLogin, Dolphin, Kameleo, and more

13+ tools

Privacy-by-Design Architecture

Zero PII Collection

No names, emails, or personally identifiable information ever touches the fingerprinting pipeline.

One-Way SHA-256 Hashing

All signal composites are irreversibly hashed before storage using length-prefixed domain separation.

GDPR & ePrivacy Compliant

Fingerprints qualify as pseudonymous data under GDPR Art. 4(5) with documented legitimate interest.

90-Day Configurable Retention

Automatic TTL-based expiration. Customers can configure shorter retention periods.

Transparency Controls

Data subject access requests return the pseudonymous fingerprint and associated risk decisions.

Differential Privacy Ready

Consortium contributions use Laplace mechanism (ε=0.5) to anonymize shared threat signals.

Visitor ID Persistence Model

The SDK generates a cryptographically random visitor ID via CSPRNG and persists it through a multi-tier fallback chain, ensuring continuity even when individual storage mechanisms are cleared.

Tier 1

localStorage

✓ Survives tab close, browser restart

✗ Cleared by "Clear browsing data"

Tier 2

sessionStorage

✓ Survives same-tab navigation

✗ Cleared on tab close

Tier 3

First-party cookie

✓ Survives storage clear if exempted

✗ Cleared by cookie deletion

Silicon-Level Device Identification

Reserve Launch Access Next: Behavioral Analysis