Behavioural fingerprinting: mouse, scroll, typing, and how to randomise
Most people who start using antidetect browsers focus on the obvious signals: IP address, canvas hash, WebGL renderer, time zone. they plug in a proxy, spin up a profile, and feel covered. what caught me off guard, running e-commerce and airdrop accounts out of Singapore, was how quickly platforms started linking accounts that had completely different hardware fingerprints. the signal they were reading was not what my browser looked like. it was how i was using it.
behavioural fingerprinting is the collection and analysis of the way a person physically interacts with a device, not the device itself. it runs silently underneath the fingerprinting you already know about, and in 2026 it is baked into the fraud-detection stacks of platforms like Meta, Amazon, and most major exchanges. if you are managing more than one account for any reason, understanding this layer is not optional.
what it is
behavioural fingerprinting (also called behavioural biometrics) is a category of passive identification that builds a profile from interaction signals: how you move your mouse, how fast you scroll, the rhythm and timing of your keystrokes, touch pressure if you are on mobile, and even how you orient your phone when you tilt it. unlike a browser fingerprint, which is a snapshot of static attributes, a behavioural profile is dynamic. it accumulates over a session and becomes more accurate the longer you interact with a page.
the term sits under the broader umbrella of device fingerprinting, which the EFF’s Cover Your Tracks project has been documenting since 2010. but where Cover Your Tracks focuses on passive browser attributes, behavioural fingerprinting requires active interaction, which is both its strength and its weakness for operators.
how it works
the browser exposes interaction data through a handful of APIs. the W3C Pointer Events specification covers mouse and touch input, giving scripts access to coordinates, pressure, tilt angle, and timestamps at a granular level. the browser also exposes mousemove, scroll, keydown, and keyup events. individually, these are necessary for normal web functionality. collectively, they are a biometric dataset.
here is what is being measured in practice:
mouse movement. humans do not move their cursor in straight lines. the curvature, speed variation, micro-pauses, and overshoot-and-correct behaviour before clicking are highly individual. studies in behavioural biometrics have shown that mouse dynamics can re-identify users with over 90 percent accuracy across sessions. a script that records mousemove events at 60fps and runs the coordinates through a model trained on real users can tell within seconds whether the session looks human, and if so, whether it matches a known profile.
scroll behaviour. do you scroll in short bursts or long swipes? do you pause mid-page? do you scroll back up before clicking? the rhythm and granularity of scroll events, including the delta values and the intervals between them, form a recognisable pattern. platforms also look at whether scroll behaviour correlates with page content: someone who scrolls past a product listing in 400ms and immediately clicks add-to-cart looks automated even if every other signal is clean.
typing dynamics. keystroke dynamics measure dwell time (how long each key is held down) and flight time (the gap between releasing one key and pressing the next). these are remarkably stable per person. if you type your email address the same way every time you log in, the platform can use that as a soft identifier. BioCatch, one of the larger commercial vendors in this space, sells this capability directly to banks and large e-commerce platforms as a fraud signal.
touch and device motion. on mobile, gyroscope and accelerometer data via the DeviceMotion API add another layer. the angle at which you hold your phone and the micro-tremors in your grip are individual enough to distinguish users across accounts on the same device.
the raw data is fed into models, sometimes rule-based, sometimes ML, that score sessions for anomalies. an account that looks like three different people across sessions is flagged. an account that moves identically to another account on the same platform is flagged. an account that behaves like no human ever does, because it is running automation, is flagged fastest of all.
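the dwell-time and flight-time measurement described under typing dynamics, as an added example (not code from this article or from any vendor named in it). it pairs keydown/keyup records into presses and handles auto-repeat, rollover and orphaned keyups. the event shape, the `timingGap` comparison and the sample data are assumptions constructed for illustration.

```javascript
// Added example. Events are constructed and shaped like DOM keydown/keyup
// records: { type, code, t } with t in milliseconds.
function keystrokeFeatures(events) {
  const held = new Map();   // code -> press record for a key that is still down
  const presses = [];       // kept in keydown order
  for (const e of events) {
    if (e.type === 'keydown') {
      if (held.has(e.code)) continue;        // OS auto-repeat, not a new press
      const p = { code: e.code, down: e.t, up: null };
      held.set(e.code, p);
      presses.push(p);
    } else if (e.type === 'keyup' && held.has(e.code)) {
      // A keyup with no matching keydown never reaches this branch.
      held.get(e.code).up = e.t;
      held.delete(e.code);
    }
  }
  const done = presses.filter((p) => p.up !== null);
  return {
    dwell: done.map((p) => p.up - p.down),
    // Negative flight = rollover: the next key went down before this one came up.
    flight: done.slice(1).map((p, i) => p.down - done[i].up),
  };
}

function mean(xs) {
  return xs.length ? xs.reduce((a, b) => a + b, 0) / xs.length : NaN;
}

// Crude comparison (an assumption for illustration): relative gap between the
// mean dwell and mean flight of an enrolled baseline and a new session.
function timingGap(baseline, session) {
  const rel = (a, b) => Math.abs(a - b) / Math.max(Math.abs(a), Math.abs(b), 1);
  return (rel(mean(baseline.dwell), mean(session.dwell)) +
          rel(mean(baseline.flight), mean(session.flight))) / 2;
}

// Constructed input: auto-repeat on KeyA, rollover from KeyB to KeyC, orphan KeyZ keyup.
const SAMPLE = [
  { type: 'keydown', code: 'KeyA', t: 0 },   { type: 'keydown', code: 'KeyA', t: 30 },
  { type: 'keyup',   code: 'KeyA', t: 95 },  { type: 'keydown', code: 'KeyB', t: 150 },
  { type: 'keydown', code: 'KeyC', t: 230 }, { type: 'keyup',   code: 'KeyB', t: 250 },
  { type: 'keyup',   code: 'KeyC', t: 330 }, { type: 'keyup',   code: 'KeyZ', t: 340 },
];
```

a gap near 0 means the new session types like the baseline; a production scorer would compare full per-key distributions rather than two means.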
why it matters
account linking. this is the most immediate concern for anyone running multiple profiles. if two accounts share the same behavioural signature, the platform links them regardless of IP, browser fingerprint, or device. i have seen this happen to people running Dolphin Anty with perfect canvas isolation but doing everything with the same real hand on the same mouse, same speed, same micro-pauses. the tool was clean. the operator was the tell.
bot detection. selenium and playwright generate machine-perfect events: perfectly linear mouse paths, zero dwell-time variance on keystrokes, scroll deltas that are always exactly 100px. any serious fraud detection layer, including Cloudflare’s bot management, DataDome, and PerimeterX (now HUMAN Security), flags this within seconds. the FingerprintJS open-source library includes some behavioural heuristics, and the commercial Pro version goes significantly further.
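from the detection side, the machine-perfect events listed above can be checked with a few simple features. this is an added example, not code from any of the products named; the function names, thresholds and both sample sessions are constructed assumptions.

```javascript
// Added example. Thresholds and both sample sessions are constructed assumptions.
const dist = (a, b) => Math.hypot(b.x - a.x, b.y - a.y);

// End-to-end displacement divided by travelled path length; 1.0 means a straight line.
function straightness(pts) {
  let path = 0;
  for (let i = 1; i < pts.length; i++) path += dist(pts[i - 1], pts[i]);
  return path === 0 ? 1 : dist(pts[0], pts[pts.length - 1]) / path;
}

// Coefficient of variation of per-step speed; close to 0 means constant speed.
function speedCv(pts) {
  const v = [];
  for (let i = 1; i < pts.length; i++) {
    const dt = pts[i].t - pts[i - 1].t;
    if (dt > 0) v.push(dist(pts[i - 1], pts[i]) / dt);
  }
  if (v.length === 0) return 0;
  const mean = v.reduce((a, b) => a + b, 0) / v.length;
  const sd = Math.sqrt(v.reduce((a, x) => a + (x - mean) ** 2, 0) / v.length);
  return mean === 0 ? 0 : sd / mean;
}

// Share of scroll events that carry the single most common deltaY.
function modalShare(deltas) {
  const counts = new Map();
  for (const d of deltas) counts.set(d, (counts.get(d) || 0) + 1);
  return Math.max(...counts.values()) / deltas.length;
}

function automationFlags({ mouse, scroll }) {
  const flags = [];
  if (mouse.length >= 5) {            // too few samples says nothing either way
    if (straightness(mouse) > 0.999) flags.push('linear-mouse-path');
    if (speedCv(mouse) < 0.05) flags.push('constant-mouse-speed');
  }
  if (scroll.length >= 5 && modalShare(scroll) === 1) flags.push('uniform-scroll-delta');
  return flags;
}
// Constructed sessions: one scripted, one hand-driven with an overshoot-and-correct at the end.
const SCRIPTED = {
  mouse: Array.from({ length: 11 }, (_, i) => ({ x: i * 10, y: i * 5, t: i * 16 })),
  scroll: [100, 100, 100, 100, 100, 100],
};
const HUMAN = {
  mouse: [[0, 0, 0], [8, 3, 18], [21, 11, 31], [37, 24, 52], [52, 30, 60], [70, 33, 85],
          [88, 41, 96], [103, 52, 120], [99, 50, 160]].map(([x, y, t]) => ({ x, y, t })),
  scroll: [53, 120, 120, 87, -40, 133],
};
```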
session continuity scoring. platforms build a behavioural baseline per account. if your account suddenly behaves differently, even if the IP and fingerprint are consistent, it triggers re-verification flows. this is why account warming matters: consistent behaviour over time lowers your risk score.
KYC and identity verification layers. some platforms now use behavioural data as a passive liveness signal during onboarding. if the way you fill a form looks machine-generated, the verification may fail or escalate before you even submit documents. this is not a reason to commit identity fraud, which is illegal and not something i recommend, but it is something to understand if you are doing compliant multi-account work like running separate business entities or affiliate profiles.
for anyone doing multi-account airdrop farming, multiaccountops.com/blog/ has more tactical coverage of how these detection layers interact with wallet and platform onboarding.
common misconceptions
“an antidetect browser handles this automatically.” most do not. antidetect browsers like Multilogin, Adspower, and Dolphin Anty are excellent at isolating static fingerprints. some have started adding basic behavioural noise (Multilogin’s Mimic core injects some mouse path randomisation), but as of mid-2026 no consumer tool fully solves behavioural fingerprinting out of the box. you still need to be aware of how you are operating.
“if i’m using a human hand, i’m fine.” you are partly right, but one human hand across 20 accounts is still one behavioural signature. the variance between how you type on account A versus account B is much smaller than the variance between two genuinely different people. clustering algorithms find this. adding deliberate randomisation to your workflow matters even when you are the one at the keyboard.
“this only affects automation, not manual operation.” manual operators are affected whenever they run multiple accounts that share behavioural patterns, or when their interaction speed or rhythm falls outside what the platform considers normal for a given action. filling a form in 4 seconds when the median is 45 seconds is a signal even with a human hand.
“randomising will make sites think i’m a bot.” the opposite is true. randomisation toward human-like variance, not random noise, makes sessions look more natural. the goal is not to generate chaos. it is to introduce the kind of micro-inconsistency that real humans have. perfectly consistent behaviour is the bot tell.
where to go from here
if this is your first encounter with fingerprinting at this level, here are the logical next steps:
- understand static fingerprinting first. the browser fingerprinting explainer on this blog covers canvas, WebGL, fonts, and the other hardware-level signals. behavioural fingerprinting sits on top of that layer.
- read about canvas fingerprinting specifically. it is the most commonly discussed and most commonly misunderstood signal. see canvas fingerprinting: what it is and why it matters for a focused breakdown.
- look at tooling options. the antidetect browser comparison guide on this site covers which tools have started adding behavioural noise features and which are still purely static-fingerprint isolation.
- think about workflow, not just tooling. randomising mouse input and keystroke timing is partly a software problem and partly a practice problem. introducing deliberate pauses, varying your scroll depth, and not copy-pasting the same strings into every account registration form are low-tech mitigations that matter more than most people realise.
behavioural fingerprinting is not a new idea (researchers have been publishing on keystroke dynamics since the 1980s), but its deployment at scale in commercial fraud detection is relatively recent. the platforms are getting better at it faster than the tooling is catching up. knowing what the signal is and where it comes from is the first step to managing it.
Written by Xavier Fok
disclosure: this article may contain affiliate links. if you buy through them we may earn a commission at no extra cost to you. verdicts are independent of payouts. last reviewed by Xavier Fok on 2026-05-19.