A device fingerprint is only as strong as the entropy behind it. Here's what actually separates a real human's device from an emulator — and why one signal is never enough.
Fingerprinting has a reputation as a solved problem — grab a canvas hash, done. It isn't. A fingerprint is only useful in proportion to its entropy: how many bits genuinely distinguish this device from the next, and how hard those bits are to fake. Bots have gotten very good at faking the easy ones.
Entropy is just information content. A signal that's the same across a million devices tells you nothing; a signal that's rare and stable tells you a lot. The job of a device layer isn't to collect signals — it's to collect signals that carry entropy and that an emulator can't cheaply reproduce. Canvas and user-agent are table stakes; on their own they're trivially spoofed.
Above the browser sits the TLS handshake, and its shape — captured as a JA4 fingerprint — reveals the real network stack underneath. A Safari-on-iOS user agent riding a headless-Chrome TLS stack is a contradiction the JavaScript layer can't see but the handshake can. It's one of the hardest signals to spoof because it's set before a single line of your JS runs.
No single signal should decide a lead. Real detection is fusion: each axis contributes a weighted risk, and the interesting fraud is the lead that passes one check but contradicts another. That's why the Mask reads far more device entropy than an off-the-shelf library exposes, and cross-checks it against the IP, phone, email and messenger signals before a verdict. A fake that's convincing on one axis rarely survives all five.
The bot that beats your canvas hash still has to explain its TLS handshake.