Canvas fingerprinting is one of the most common browser fingerprinting techniques. It allows websites to identify and track visitors via their HTML5 canvas setup instead of via cookies or similar mechanisms.
The “canvas” element is used to produce graphics on a web page. The way a browser renders them, together with properties such as font size and/or the active background color setting, can be used to assign a unique user ID for tracking.
How Was Canvas Fingerprinting Developed?
The idea of fingerprint-based online tracking was first developed by Keaton Mowery and Hovav Shacham in their 2012 paper “Pixel Perfect: Fingerprinting Canvas in HTML5”.
Russian programmer Valentin Vasilyev then took this work and created the first recorded example of canvas fingerprint code under an open-source license on GitHub, in a project called “fingerprintjs” that he started in December 2012.
How Does HTML Canvas Fingerprinting Work?
When a user visits a site, a script on the page uses the HTML5 canvas element to instruct the browser to draw a hidden layer of text or graphics, which is then turned into either a token or a hash. This token gives the website a way to remember the user’s browser and its history/activity.
This is all done without the user knowing it’s happening, which has brought up certain privacy concerns. Yet, many major websites still look to utilize this method due to its effectiveness in spotting bad actors.
Canvas fingerprinting is just one part of browser fingerprinting. Combining this with other techniques helps websites create better user profiles based on their software, activity, and characteristics.
Why Is Canvas Fingerprinting Important?
Similar to other tracking techniques, canvas fingerprinting can help organizations create better profiles of their users/customers based on the websites that they visit.
Canvas fingerprinting can help curate better ads, content, and other personalization features as well as help secure user accounts.
Being able to identify visitors that have characteristics associated with spam or malicious activity can help curb issues such as account takeover fraud and multi-accounting. User accounts can be connected if they share the same canvas fingerprint. This can be used to catch malicious actors such as fraudsters or account hackers.
If there are disparities between a current visitor’s fingerprint and their previous one, this is immediate cause for investigation and can trigger additional verification measures such as 2FA.
As cookies are becoming less effective, being able to run a targeting technique without any impact on the user, and without their being aware of it, is vital to effective advertising.
How Canvas Fingerprinting Works in Fraud Detection
The unique nature of a canvas fingerprint can help businesses quickly spot irregularities in user activity and ultimately stop fraudsters.
For example, if a user’s fingerprint is at least similar to the one from a previous session, you can assume that this is the same person or machine accessing your site.
However, if there’s a high level of change, businesses can look to implement further verification methods such as MFA or making the user in question complete a captcha to mitigate risk.
Stacked with other browser fingerprinting techniques and other fraud prevention methods, canvas fingerprinting allows you to complete user profiles to minimize the threat of bad actors.
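The session comparison and account linking described above, sketched as a server-side check in JavaScript (Node.js). This is an added example, not code from the article or from fingerprintjs; the signal names, the weights and the 0.6 threshold are assumptions, and the sample sessions are constructed.

```javascript
// Added example: all names, weights and the threshold are assumptions for
// illustration, not values from the article or from any fingerprinting library.
const WEIGHTS = { canvasHash: 0.4, userAgent: 0.2, timezone: 0.15, screen: 0.15, language: 0.1 };
const STEP_UP_THRESHOLD = 0.6; // assumed cut-off; tune against real traffic

// Weighted share of signals that match between two sessions (0..1). A signal
// missing on either side counts as a mismatch, so blocked signals lower the score.
function similarity(previous, current) {
  let score = 0;
  for (const [signal, weight] of Object.entries(WEIGHTS)) {
    const a = previous[signal], b = current[signal];
    if (a !== undefined && a !== null && a === b) score += weight;
  }
  return Number(score.toFixed(2));
}

// Similar to the previous session: allow. High level of change: ask for MFA or a captcha.
function assessSession(previous, current) {
  if (!previous) return { action: "step_up", reason: "no_baseline", score: 0 };
  const score = similarity(previous, current);
  return score >= STEP_UP_THRESHOLD
    ? { action: "allow", reason: "similar_to_previous", score }
    : { action: "step_up", reason: "high_level_of_change", score };
}

// Accounts sharing one canvas hash: a lead for review, not proof, because
// identical hardware and software builds can render identically.
function sharedCanvasAccounts(sessions) {
  const byHash = new Map();
  for (const { account, canvasHash } of sessions) {
    if (!canvasHash) continue;
    if (!byHash.has(canvasHash)) byHash.set(canvasHash, new Set());
    byHash.get(canvasHash).add(account);
  }
  return [...byHash]
    .filter(([, accounts]) => accounts.size > 1)
    .map(([canvasHash, accounts]) => ({ canvasHash, accounts: [...accounts].sort() }));
}

// Constructed sample sessions (not real fingerprints).
const baseline = { canvasHash: "c1", userAgent: "UA-A", timezone: "Europe/Berlin", screen: "1920x1080", language: "de-DE" };
const sameDevice = { ...baseline, userAgent: "UA-A2" }; // e.g. a browser update only
const newDevice = { canvasHash: "c9", userAgent: "UA-B", timezone: "Asia/Tokyo", screen: "1366x768", language: "de-DE" };
console.log(assessSession(baseline, sameDevice), assessSession(baseline, newDevice));
console.log(sharedCanvasAccounts([{ account: "alice", canvasHash: "c1" }, { account: "bob", canvasHash: "c1" }]));
```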
Reference: Keaton Mowery and Hovav Shacham, “Pixel Perfect: Fingerprinting Canvas in HTML5”, 2012.