Browser fingerprinting goes deeper than most developers realize. While Canvas and WebGL fingerprints get attention, font fingerprinting is one of the most stable and reliable tracking signals — and almost nobody talks about it.
How Font Fingerprinting Works
Every operating system comes with a different set of pre-installed fonts. Windows has different defaults than macOS, which differs from Ubuntu. And even within the same OS, installed applications add more fonts.
When you visit a website, JavaScript can probe which fonts are available on your system using several methods:
Method 1: CSS Font Probing
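```javascript
function detectFont(fontName) {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  const sample = 'mmmmmmmmm';
  // Compare against several generic fallbacks: a font whose width happens to
  // match one fallback would otherwise be reported as missing
  return ['monospace', 'sans-serif', 'serif'].some((fallback) => {
    // Measure text width with the fallback font alone
    ctx.font = `72px ${fallback}`;
    const baseWidth = ctx.measureText(sample).width;
    // Measure with the target font first (quoted so names with spaces or digits parse)
    ctx.font = `72px "${fontName}", ${fallback}`;
    const testWidth = ctx.measureText(sample).width;
    // If the widths differ, the target font was used, so it exists
    return baseWidth !== testWidth;
  });
}
```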
Method 2: CSS @font-face Detection
Sites can load a custom font and compare rendering differences to infer which system fonts take precedence in fallback chains.
Method 3: getComputedStyle Probing
By creating hidden elements and measuring their computed style, scripts can detect font availability without canvas.
Why Font Fingerprints Are Stable
Unlike IP addresses or cookies:
- Font lists rarely change once a system is set up
- Fonts persist across browser restarts, private browsing, and VPN connections
- The combination of fonts creates a nearly unique fingerprint
Studies show that font fingerprinting alone can identify ~60-70% of users uniquely, and when combined with other signals, it becomes even more precise.
Real-World Impact
For Multi-Account Users
If you run multiple accounts from the same computer, every account shares the same font fingerprint. Even if you:
- Use different browsers
- Connect through different IPs or VPNs
- Clear all cookies
The font fingerprint stays the same and links your accounts together.
For E-Commerce Sellers
Platforms like Amazon and eBay explicitly use browser fingerprinting (including font detection) as part of their anti-fraud systems. Multiple seller accounts on the same device get flagged as linked.
How to Test Your Font Fingerprint
Visit these tools to see what your browser leaks:
- BrowserLeaks.com → JavaScript section
- CreepJS (GitHub) → font detection module
- AmIUnique.org → font-based uniqueness score
Mitigation Approaches
Option 1: Font Spoofing
Some browser extensions claim to spoof font lists, but most implementations are detectable because they respond too consistently or miss edge cases in the detection API.
Option 2: Profile-Level Isolation
The most robust approach is ensuring each browser profile uses a completely different font fingerprint. This means either:
- Running different OS environments (impractical for most)
- Using an anti-detect browser that randomizes font detection results at the API level
What Effective Font Isolation Looks Like
A proper implementation intercepts these JavaScript APIs and returns a plausible but different font list per profile:
- document.fonts.check()
- Canvas text metrics
- CSS computed styles
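The point about spoofing that misses edge cases, and the three APIs listed above, can be checked with a small consistency audit. This is an added example, not FireKey's code or code from the original post: `auditProfile`, `fontOverlap`, the channel names and the sample font sets are hypothetical, and the probes are constructed stubs standing in for real browser measurements.

```javascript
// Added example: audit one profile's font answers across the three probe channels.
const CHANNELS = ['fontsCheck', 'canvasMetrics', 'computedStyle'];

// probes maps each channel name to a function (fontName) => boolean.
// In a browser these would wrap document.fonts.check(), canvas measureText()
// and a hidden element's computed size; here they are constructed stubs.
function auditProfile(probes, candidateFonts) {
  const reported = []; // fonts every channel agrees are present
  const leaks = [];    // fonts where channels disagree: the spoof is detectable
  for (const font of candidateFonts) {
    const answers = {};
    for (const ch of CHANNELS) answers[ch] = Boolean(probes[ch](font));
    const yes = CHANNELS.filter((ch) => answers[ch]).length;
    if (yes === CHANNELS.length) reported.push(font);
    else if (yes > 0) leaks.push({ font, answers });
  }
  return { reported, leaks };
}

// Jaccard overlap of two reported font sets: 1 means the font signal is identical.
function fontOverlap(a, b) {
  const setA = new Set(a);
  const setB = new Set(b);
  const shared = [...setA].filter((f) => setB.has(f)).length;
  const union = new Set([...setA, ...setB]).size;
  return union === 0 ? 1 : shared / union;
}

// Constructed sample data (not measured from any real system).
const CANDIDATES = ['Arial', 'Calibri', 'Helvetica Neue', 'Ubuntu', 'Segoe UI'];
const realFonts = new Set(['Arial', 'Calibri', 'Segoe UI']);
const claimedFonts = new Set(['Arial', 'Helvetica Neue']);

// Partial spoof: only document.fonts.check() is hooked, rendering still uses real fonts.
const partialSpoof = {
  fontsCheck: (f) => claimedFonts.has(f),
  canvasMetrics: (f) => realFonts.has(f),
  computedStyle: (f) => realFonts.has(f),
};
// Consistent spoof: all three channels answer from the same per-profile list.
const consistentSpoof = {
  fontsCheck: (f) => claimedFonts.has(f),
  canvasMetrics: (f) => claimedFonts.has(f),
  computedStyle: (f) => claimedFonts.has(f),
};

const partial = auditProfile(partialSpoof, CANDIDATES);
const consistent = auditProfile(consistentSpoof, CANDIDATES);
console.log(partial.leaks.map((l) => l.font), consistent.reported);
```

A non-empty `leaks` list means the profile answers differently depending on which API is asked, and an overlap of 1 between two profiles means the font signal still links them.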
Conclusion
Font fingerprinting is subtle, persistent, and underestimated. It's one of the key signals that makes browser-based account correlation possible even when users take standard privacy precautions.
Understanding it is the first step to building real account isolation.
I've been working on FireKey, an anti-detect browser that isolates font fingerprints (along with 50+ other parameters) per profile. It's currently in free open beta if you want to test how effective the isolation is.