← back to blog

How Browser Fingerprinting Works (and How Anti-Detect Browsers Respond)

Open two browser profiles on the same laptop, log into two different accounts, and do nothing else wrong. Same proxy, same machine, nothing shared. Within a day, one account is fine and the other is asking you to verify a phone number, or it’s just gone. You never reused a password or a cookie, and the platform still tied those two accounts together. It did that with browser fingerprinting, a technique that never asks permission and never shows up on screen.

I run real proxy and cloud phone farms, and I test anti-detect browsers the way people who juggle a lot of accounts actually use them: Multilogin, GoLogin, Kameleo, AdsPower, Dolphin Anty, and the rest. So this isn’t theory I read somewhere. It’s the thing I fight with every week. This piece is deliberately defensive and third person. It covers how sites build a fingerprint and how these browsers respond, not a recipe for tricking any specific platform.

What a browser fingerprint actually is

A fingerprint is a bundle of small facts about your browser and your machine, collected quietly and combined into one identifier. No single fact is secret. Your language setting isn’t a secret. Your screen size isn’t a secret. The trick is that when you stack thirty or forty of these little facts together, the combination gets specific enough to pick your browser out of a crowd, the same way no one detail on a face is unique but the whole face is. A site doesn’t need your name. It just needs a value that stays the same every time your browser shows up.

The passive signals: ip, headers, and tls

The first family of signals is passive. These are things your browser hands over just by connecting, before any script runs. Your ip address is the loudest one, and it carries the network behind it, a rough location, and whether it looks like a home line or a data center. Right behind it are your http headers: the user agent string that names your browser and operating system, your accept-language, and the order those headers arrive in. Then there’s your tls fingerprint, the exact way your browser opens an encrypted connection, including the cipher list and the order it offers them in. That pattern is surprisingly consistent per browser build, and a server can read it on the very first handshake.

Passive signals matter because you don’t choose them and you can’t easily fake them without breaking something. If your user agent claims to be Chrome on Windows but your tls handshake looks like Firefox on Linux, that mismatch is itself a signal, and a loud one. Sites don’t just read each value, they check whether the values agree with each other. That idea, consistency between signals, is the whole game, and it comes back again and again.

The active signals: canvas, webgl, audio, and fonts

The second family is active. This is where a script runs in your browser, asks it to do small jobs, and measures exactly how it does them. The famous one is canvas. The site tells your browser to draw some text and shapes onto a hidden canvas element, then reads the pixels back out. Your specific mix of gpu, graphics driver, and operating system renders that image with tiny differences, sub-pixel stuff no human would ever notice, and those differences are stable. Same machine, same drawing, same result, every time. Hash that image and you have a sticky little id.

Canvas has a whole family around it. Webgl does the same trick in three dimensions and leaks your graphics card vendor and model on top. The audio stack can be measured the same way: feed a sound through the browser audio engine, and the exact numbers that come back depend on your hardware and software. Then there’s your font list, which sounds boring until you realize the exact set of fonts installed on your machine is oddly personal, a record of everything you’ve ever installed. Add screen resolution, timezone, how many cpu cores the browser reports, and how much memory, and the pile of little facts gets tall fast.

Entropy: how uniqueness gets measured

So how does a site turn a pile of facts into a decision? The word to know is entropy, which is just a measure of how much a signal narrows you down. A value everybody shares tells the site almost nothing. A value that only one browser in a thousand has tells it a lot. Researchers measure this in bits, and the rough idea is that each bit cuts the crowd in half. Line up enough high-entropy signals and the combination points at one browser out of millions. The eye-opener, if you’ve never tested your own browser, is that a plain everyday setup is often already unique, no special software required.

Here’s the part that actually bites people running many accounts. A site takes all these signals, passive and active, and hashes them into an identifier. Then it watches. Every session that shows up wearing that same identifier gets quietly filed under one entity, no matter how many different accounts log in from it, and no matter how many times you clear cookies or log out. Clearing cookies feels like wiping the slate, but the fingerprint doesn’t live in a cookie. It’s rebuilt from your machine on every visit. So two accounts that share a fingerprint are, to the platform, obviously the same operator, and that’s the exact link that gets accounts banned in waves.

How anti-detect browsers respond

This is the problem anti-detect browsers are built to answer, and the concept is simpler than the marketing makes it sound. Instead of one browser wearing one fingerprint, they give you many separate profiles, and each profile carries its own consistent set of these values. Profile one looks like one device, profile two looks like a genuinely different device, and each one holds its story together: the user agent agrees with the canvas result, which agrees with the fonts, which agrees with the timezone. The goal isn’t some magic invisible browser. The goal is that each account lives in its own believable, separate identity that doesn’t overlap with the others.

This is where good tools separate from bad ones. The hard part isn’t randomizing values, since anyone can throw random numbers at a fingerprint. The hard part is making a profile internally consistent and plausible. A profile that claims a high-end graphics card but reports two cpu cores and a phone screen looks fake, and a fake-looking fingerprint can be worse than a plain one, because now you stand out as someone clearly hiding. The browsers that hold up are the ones whose profiles look like ordinary real devices, boring and coherent, not a random grab bag of impressive specs.

One thing worth being blunt about: the browser only handles the browser layer. It does nothing about your ip. If you run five spotless profiles all out of the same data center ip, you’ve linked them again at the network level, and all that profile work is wasted. That’s why people pair these browsers with proxies, one clean network identity per profile, so the ip story and the fingerprint story agree. That pairing is the real job, and it’s where I spend most of my testing time.

What fingerprinting can and can’t do

Let me be honest about the limits, because this is where the hype gets dangerous. No anti-detect browser is undetectable, and anyone who tells you otherwise is selling something. Fingerprinting is only one layer. Platforms also watch behavior: how you move a mouse, how fast you type, your posting patterns, account age, and who you interact with. A perfect fingerprint on an account that behaves like a bot still gets caught. Detection also moves, so what looks clean this quarter can be a known tell the next, because the people building these systems test the same browsers you do. No tool makes a ban impossible.

There are real limits on the site side too. Fingerprinting can’t reach outside your browser and read your real name. It works in probabilities, not certainties, so it produces a confidence that two sessions match, not a hard fact. Major browser updates shift everyone’s values at once and add noise, and privacy features in normal browsers keep pushing back on the easiest signals. So it’s a strong recognition tool, not an all-seeing eye. Treating it as either magic or worthless will get you in trouble.

Once you understand the fingerprint, everything these browsers do finally makes sense: they don’t make you invisible, they keep your identities separate and consistent. If you want the practical side, which browsers actually hold a profile together, which ones make proxy setup painless, and which ones quietly leak, that’s exactly what I test on real multi-account setups. Full written reviews and the picks I actually trust are at antidetectreview.org, with no undetectable promises and no affiliate fairy tales.

need infra for this today?