Browser fingerprinting in 2026: which signals actually identify you
An analysis of the modern fingerprinting surface · By Jason Kulas, Founder · Last updated 15 June 2026.
Summary: cookies are no longer the primary tracking identifier — the browser itself is. Across the 50+ signals a website can read without permission, canvas, WebGL, fonts, and audio processing alone typically provide enough entropy to uniquely identify a browser. This page documents the fingerprinting surface as measured by the signal set used in our free browser fingerprint checker, and what mitigation actually works.
Methodology
The analysis below is based on the fingerprinting signal set implemented in Alias Browser's open, client-side fingerprint checker tool — the same categories of APIs used by commercial fingerprinting vendors — combined with published entropy measurements from the research literature (Panopticlick/Cover Your Tracks, AmIUnique, and academic follow-ups). Entropy figures are approximate and vary by population; they indicate relative identifying power, not exact uniqueness.
The fingerprinting surface, ranked
| Signal | What is read | Approx. entropy | Stability |
|---|---|---|---|
| Canvas hash | Pixel output of hidden 2D rendering — GPU/driver/font antialiasing differences | High (~8-10 bits) | Very stable |
| WebGL | Renderer & vendor strings, shader render hash | High (~7-9 bits) | Very stable |
| Font list | Installed fonts via measurement probing | High (~6-8 bits) | Stable |
| AudioContext | Floating-point output of offline audio processing | Medium (~4-6 bits) | Very stable |
| Screen & window | Resolution, color depth, device pixel ratio, avail metrics | Medium (~4-5 bits) | Stable |
| Hardware | CPU cores (hardwareConcurrency), deviceMemory, touch points | Medium (~3-4 bits) | Very stable |
| Timezone & locale | IANA timezone, languages, date formatting | Medium (~3-4 bits) | Stable |
| User agent & client hints | Browser/OS version, platform, architecture | Low-medium (~2-4 bits) | Changes with updates |
| Media devices & codecs | Device counts, supported codecs/DRM | Low (~2-3 bits) | Stable |
| WebRTC | Local/public IP leakage bypassing proxies | Identifier-grade when leaking | — |
Independent signals add: ~20 bits ≈ one browser in a million. Real-world populations share hardware and defaults, but large-scale measurement studies consistently find the substantial majority of desktop browsers uniquely identifiable from these signals alone.
How platforms combine signals in practice
- Device ID: hash the stable signals (canvas, WebGL, fonts, audio, hardware) into a device identifier that survives cookie clearing and incognito.
- Link accounts: any two accounts seen with the same device ID — or the same IP at the same time — are candidates for linkage. See why accounts get banned.
- Score risk: contradictions matter more than rarity — a "Windows" user agent with macOS fonts, a New York timezone on a German IP, or a spoofed WebGL string that doesn't match canvas output all raise automation/multi-account suspicion.
What doesn't work — and what does
- Incognito / clearing cookies: no effect — the fingerprint is the device, not stored state.
- VPN alone: changes IP only; the fingerprint still links you. Detail in the browser privacy guide.
- Random spoofing extensions: often worse — random values create the contradictions detectors look for, and the extension itself is detectable.
- Blocking APIs (Tor-style): strong privacy but breaks sites, and "everything blocked" is itself a rare, flaggable configuration for logged-in account use.
- Consistent isolated profiles (anti-detect approach): give each identity a complete, internally consistent fingerprint — real canvas/WebGL/font/audio behavior from a hardened engine — plus its own proxy IP and storage. Sites see N ordinary, different devices. How this works: what is an anti-detect browser.
Test your own browser
The free Alias fingerprint checker runs entirely in your browser (nothing is uploaded) and shows your canvas hash, WebGL identity, font list, audio fingerprint, hardware signals, and WebRTC leak status — the same signals documented above.
Cite this page
Alias Browser Research (2026), "Browser fingerprinting in 2026: which signals actually identify you" — https://aliasbrowser.com/research/browser-fingerprinting-2026. Reuse permitted with attribution and a link.
Try Alias Browser free
Unlimited isolated profiles, real fingerprints, per-profile proxy & VPN, and zero telemetry. The free tier lets you evaluate everything before buying — no account required.