Browser fingerprinting in 2026. Why your VPN and incognito do not matter anymore.

What a fingerprint is made of

A browser fingerprint is the combination of dozens of small signals that together identify a specific machine running a specific browser. None of the signals are individually identifying. Together, they almost always are. The math is simple: combine twenty signals each with even a few hundred possible values, and the combinations exceed the number of devices on the internet.

The signals fall into a few categories. The user-agent string and the list of installed fonts. The screen resolution and the color depth. The set of plugins and the language. The audio context, which produces a subtle waveform fingerprint based on how your specific hardware processes audio. The canvas, which renders an invisible image and reads back the pixel-level differences caused by your graphics drivers. The WebGL renderer, which exposes the exact GPU model.

The fingerprint persists across cookie clears, across incognito sessions, and across VPN switches. Switching VPN changes the IP, never the fingerprint. A site that fingerprinted you yesterday recognizes you today, even if your IP, your cookies, and your browser history are all clean.

Why VPN and incognito stop short

VPN changes the network path. The site sees a different IP, the ISP sees encrypted traffic to a VPN endpoint. None of that touches the fingerprint, because the fingerprint is generated by code running in your browser and reading values from your machine. The VPN does not know about the canvas test the site just ran.

Incognito clears cookies and disables extensions for the session. It does not change the screen resolution, the GPU model, the installed fonts, or the canvas output. The site that fingerprints you in an incognito window receives the same signals it receives in a normal window, with very minor differences that themselves become part of the fingerprint.

This is what the article on incognito mode covered at the basic level. Fingerprinting is the technical reason the basic answer is incomplete. Even a careful user with a paid VPN, a fresh incognito window, and no logged-in accounts is recognizable to a sophisticated tracker.

Test your own fingerprint

Two free tools do this transparently. Run them on the browser you actually use.

amiunique.org reads your fingerprint and tells you how unique it is in their database of several million browsers. A score above 99.5 percent unique is normal for desktop browsers. The site shows which signals are most identifying for your particular machine. For most users, the canvas and the WebGL renderer carry the heaviest weight.

coveryourtracks.eff.org from the EFF runs a similar test and explicitly tries to estimate trackers’ ability to follow you. It also separates the signals that change between sessions from the signals that do not. The latter is the part that matters: a fingerprint is useful to a tracker only if it is stable across visits.

If both tools report you as nearly unique, you are. That is the default state. The countermeasures below are about reducing uniqueness or randomizing it across sessions.

What actually breaks the fingerprint

Three browsers do this seriously. None of them are a Chrome extension. Fingerprinting protection has to be built into the browser engine to be effective.

Tor Browser

Tor Browser is the strongest answer. It deliberately makes every Tor user look identical at the fingerprint level: same canvas output (artificially noised), same WebGL responses, same font set, same screen resolution (within a defined set of allowed values). The trade-off is that Tor traffic is also visible as Tor traffic, and many sites either block it or treat it as suspect. For activities where the goal is true non-correlation across sessions, Tor Browser is the right choice. For daily browsing of sites that block Tor, it is not.

Mullvad Browser

Mullvad Browser, released in 2023 by the Tor Project in partnership with Mullvad VPN, takes the Tor Browser anti-fingerprinting work and ships it without the Tor network. The browser produces fingerprints that look identical to other Mullvad Browser users, but the network path is whatever you configure (Mullvad VPN, another VPN, or direct). For users who want anti-fingerprinting without the Tor traffic profile, Mullvad Browser is the most operationally complete answer available today.

Brave on Strict mode

Brave with Shields set to Strict and Fingerprinting Protection set to Strict randomizes the canvas, WebGL, and audio context outputs on a per-session basis. Each new session produces a different fingerprint. The fingerprint is not made identical to other Brave users (that is the Tor model). Instead, it is made unstable. A tracker cannot recognize you across sessions because your fingerprint changes every time. Brave is the most usable of the three for daily browsing because the rest of the experience is closer to mainstream Chrome.

What does not work, despite what marketing says

Several common measures do not break fingerprinting. They are still useful for other privacy purposes. They do not solve this specific problem.

Anti-tracking extensions on Chrome or Firefox provide partial protection. They block known trackers but do not modify the underlying fingerprint signals the way a hardened browser engine does. uBlock Origin and Privacy Badger reduce tracker noise without modifying the underlying fingerprint signals.

Switching VPN servers rotates the IP without touching the fingerprint, so a site that correlates fingerprint to VPN-cluster IP simply merges the sessions on the fingerprint side.

Disabling JavaScript breaks fingerprinting because most fingerprinting techniques require JavaScript. It also breaks most modern websites. The trade-off is real but viable for specific use cases (research, OSINT, sensitive logins to known sites). It is not viable as a daily browser configuration.

The framework for deciding which trade-off is worth which exposure is the same one we walk through in how to build a threat model in 20 minutes.

Frequently asked questions

Does using multiple browsers help?

Yes, more than people assume. A different browser on the same machine produces a meaningfully different fingerprint because the user-agent, the renderer, the font fallback list, and the audio context all differ. Two browsers used for two distinct purposes (one for logged-in personal accounts, one for research) reduce cross-correlation. They do not eliminate it, because the underlying machine signals (GPU model, screen resolution) are still shared.

Are mobile browsers easier or harder to fingerprint?

Easier on iOS, harder on Android, on average. iOS limits the variation between devices: Safari on a 2024 iPhone 15 Pro looks similar to Safari on every other 2024 iPhone 15 Pro. The fingerprint is less unique, which means it is less identifying. Android’s broader hardware diversity produces more unique fingerprints. Mobile is generally a smaller exposure surface than desktop because the variation is lower.

Does Cloudflare actually fingerprint me?

Yes, on every site that uses Cloudflare’s bot management or Turnstile challenge. The fingerprint is part of how Cloudflare distinguishes humans from bots without an interactive captcha. The same fingerprint is, in effect, a cross-site identifier across the millions of sites that use Cloudflare. The cookie that some sites set after the challenge is a separate, additional layer.

If I rotate fingerprints with Brave, can I still log into accounts?

Mostly yes. Brave’s randomization is small enough at the canvas level that login flows still work. Some banks and a few payment platforms detect the randomization as suspicious and require additional verification. The trade-off, in those cases, is real. Most users keep one browser without randomization for the small number of sites that require stable fingerprints, and another with randomization for everything else.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.