How device fingerprinting works at Shopify checkout — and why it matters
The Customer Who Changed Everything — Except Their Device
A customer places an order for your intro offer on Monday. On Thursday, a "new" customer places the same order. Different email. Different phone number. Different shipping address — they used their office this time. Shopify sees two completely unrelated buyers.
But the screen resolution is 1512x982. The timezone is America/Denver. The browser is Chrome 124 on macOS with an Apple M2 chip. The system language is en-US with a secondary locale of es-MX. The color depth is 30-bit.
That combination is rare. Statistically, it narrows the pool to a handful of devices on the planet. And your store has already seen this exact device before.
This is device fingerprinting. It identifies returning visitors not by the information they type in, but by the hardware and software configuration they cannot easily change.
What a Device Fingerprint Actually Is
A device fingerprint is a composite identifier built from dozens of attributes that your browser exposes to every website it visits. None of these attributes are personally identifiable on their own. But combined, they create a profile that is remarkably unique.
Here are the signals that matter most at checkout:
Screen and display properties. Screen resolution, viewport size, device pixel ratio, and color depth. A 14-inch MacBook Pro running at its default scaled resolution produces a different fingerprint than the same model at a different scaling setting. These values are stable across sessions and are not affected by clearing cookies or switching browsers.
Timezone and locale. The IANA timezone string (like "America/Chicago") and the browser's language settings. A customer can change their email in seconds, but they are unlikely to change their system timezone between orders.
Hardware profile. The number of CPU cores reported by the browser, the device memory, the GPU renderer string from WebGL, and the platform identifier. Together, these narrow the device to a specific hardware generation and configuration.
Browser and rendering behavior. The user agent string, installed plugins, supported audio codecs, and canvas rendering output. Canvas fingerprinting works by drawing a hidden image in the browser and hashing the pixel-level output — different hardware and software stacks render the same instructions slightly differently, producing unique hashes.
Persistent visitor identifiers. Shopify assigns a persistent _shopify_y cookie to every visitor. This cookie survives across sessions and is tied to the browser profile, not the customer account. If a returning customer visits your store in the same browser, this cookie links their current session to their previous visits — even if they enter completely different checkout information.
When you combine these signals, you get something close to a device-level identity. Research from the Electronic Frontier Foundation's Panopticlick project found that 83.6% of browsers had a unique fingerprint. For ecommerce, where you are comparing against your own visitor pool rather than the entire internet, the uniqueness rate is even higher.
Why Email and Address Matching Are Not Enough
Most merchants start with the obvious approach: check if the email has been used before. This catches the laziest repeat buyers. But it fails against anyone who takes thirty seconds to create a new email address.
Adding phone number and shipping address matching improves coverage. But determined customers rotate these too. They use a Google Voice number. They ship to a friend's house or their workplace. They use a PO Box for one order and their home address for another.
The fundamental problem is that email, phone, and address are all customer-supplied inputs. The customer controls them. They can change them at will. Any protection system that relies exclusively on customer-supplied data has a ceiling — it will catch casual repeat buyers but miss anyone who is even slightly motivated.
Device fingerprinting flips this. The signals come from the customer's hardware and browser environment, not from form fields they fill in. A customer can open an incognito window and type a brand-new email, but their screen resolution, GPU, and timezone do not change.
This is why OfferGuard uses device fingerprinting as one of five detection signals when deciding whether to block a checkout. It is the layer that catches customers who have rotated every piece of contact information but are still sitting at the same computer.
What About Incognito Mode and VPNs?
A common question: does incognito mode defeat device fingerprinting?
Partially, but not completely. Incognito mode clears cookies, so the persistent Shopify visitor ID will not carry over. It also blocks some browser storage mechanisms. But incognito mode does not change the underlying hardware profile. The screen resolution, GPU renderer, timezone, CPU core count, and canvas rendering output remain identical.
This means a fingerprint collected in incognito mode will still share the majority of its signals with a fingerprint collected in the same browser's normal mode. It loses some certainty — which is why fingerprinting should never be the only detection method — but it still contributes strong evidence.
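The difference between an exact fingerprint hash and a partial match, as an added example that is not OfferGuard's or Shopify's code. The attribute names, weights and session values are constructed assumptions; in a browser the values would come from the signals listed earlier.

```javascript
// Added example: attribute names, weights and sample values are constructed.
const { createHash } = require("node:crypto");

// Relative weight per signal (assumed values). The cookie is the strongest
// single signal, but it is also the one a private window discards.
const WEIGHTS = {
  screen: 2, colorDepth: 1, pixelRatio: 1, timezone: 2, languages: 1,
  cpuCores: 1, gpuRenderer: 3, canvasHash: 3, visitorCookie: 4,
};

// Exact identifier: SHA-256 over every attribute in a fixed key order.
function fingerprintId(attrs) {
  const canonical = Object.keys(WEIGHTS)
    .map((key) => `${key}=${JSON.stringify(attrs[key] ?? null)}`)
    .join("|");
  return createHash("sha256").update(canonical).digest("hex");
}

// Partial match: weighted share of signals that agree, from 0 to 1.
// A signal missing on either side earns no credit, so certainty drops.
function similarity(a, b) {
  let matched = 0;
  let total = 0;
  for (const [key, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    if (a[key] == null || b[key] == null) continue;
    if (JSON.stringify(a[key]) === JSON.stringify(b[key])) matched += weight;
  }
  return matched / total;
}

// Constructed sessions, using the attribute values from the opening scenario.
const NORMAL = {
  screen: "1512x982", colorDepth: 30, pixelRatio: 2, timezone: "America/Denver",
  languages: ["en-US", "es-MX"], cpuCores: 8, gpuRenderer: "Apple M2",
  canvasHash: "constructed-canvas-hash-1", visitorCookie: "constructed-visitor-a",
};
const INCOGNITO = { ...NORMAL, visitorCookie: null }; // same device, cookie gone
const OTHER_DEVICE = {
  screen: "1920x1080", colorDepth: 24, pixelRatio: 1, timezone: "America/Denver",
  languages: ["en-US"], cpuCores: 4, gpuRenderer: "constructed-gpu-b",
  canvasHash: "constructed-canvas-hash-2", visitorCookie: "constructed-visitor-b",
};
```

The exact hash changes as soon as the cookie is missing, while the weighted similarity between `NORMAL` and `INCOGNITO` stays at 14/18 and the unrelated device in the same timezone scores 2/18.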
VPNs change the IP address but do not affect any of the browser-level signals that fingerprinting relies on. A customer connecting through a VPN in another country still reports the same screen dimensions, the same hardware, and the same timezone (unless they manually change their system clock, which almost nobody does).
For a deeper look at how incognito mode interacts with checkout protection, see our breakdown of incognito checkout bypass tactics.
How Fingerprinting Fits Into a Multi-Signal System
Device fingerprinting is powerful, but it is not infallible on its own. Two customers in the same household might share a laptop. A customer might buy a new computer between orders. Corporate environments sometimes have fleets of identically configured machines.
This is why fingerprinting works best as one layer in a multi-signal detection system. When a checkout comes in, you want to ask multiple questions simultaneously:
- Has this email — after normalization — been seen before? Email normalization catches dot tricks and plus aliases.
- Has this phone number or shipping address been used on a previous order?
- Has this device fingerprint been seen on a previous order?
- Does the Shopify persistent visitor cookie match a previous session?
- Does the combination of weaker signals — partial address match plus partial fingerprint match — cross a confidence threshold?
Any single signal might produce a false positive. But when three or four signals converge on the same conclusion — this is a returning customer — the confidence is high enough to block the purchase.
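One way to combine the questions above into a single decision, as an added example that is not OfferGuard's implementation. The weights, thresholds, field names and order records are constructed assumptions, and the fingerprint similarity score (0 to 1) is supplied by the caller.

```javascript
// Added example: weights, thresholds and field names are constructed assumptions.
const SIGNAL_WEIGHTS = { email: 0.4, phone: 0.25, address: 0.25, cookie: 0.4, fingerprint: 0.4 };
const BLOCK_THRESHOLD = 0.6; // above any single weight, so one signal never blocks alone
const FP_MIN_SIMILARITY = 0.7; // below this, a partial fingerprint match is ignored

// Collapse dot tricks and plus aliases so address variants compare equal.
function normalizeEmail(email) {
  const value = String(email).trim().toLowerCase();
  const at = value.lastIndexOf("@");
  if (at < 1) return null;
  let local = value.slice(0, at).split("+")[0]; // assumption: "+tag" is an alias everywhere
  let domain = value.slice(at + 1);
  if (domain === "googlemail.com") domain = "gmail.com";
  if (domain === "gmail.com") local = local.replace(/\./g, ""); // Gmail ignores dots
  return `${local}@${domain}`;
}

const same = (a, b) => a != null && a === b;

// Score the checkout against each prior order; keep the strongest match.
// fpSimilarity(checkout, order) returns 0..1 and is supplied by the caller.
function evaluateCheckout(checkout, priorOrders, fpSimilarity = () => 0) {
  let best = { score: 0, signals: [], orderId: null };
  for (const order of priorOrders) {
    const signals = [];
    let score = 0;
    const hit = (name, factor = 1) => {
      signals.push(name);
      score += SIGNAL_WEIGHTS[name] * factor;
    };
    if (same(normalizeEmail(checkout.email), normalizeEmail(order.email))) hit("email");
    if (same(checkout.phone, order.phone)) hit("phone");
    if (same(checkout.address, order.address)) hit("address");
    if (same(checkout.cookie, order.cookie)) hit("cookie");
    const fp = fpSimilarity(checkout, order);
    if (fp >= FP_MIN_SIMILARITY) hit("fingerprint", fp); // partial match earns partial credit
    if (score > best.score) best = { score, signals, orderId: order.id };
  }
  return { block: best.score >= BLOCK_THRESHOLD, ...best };
}

// Constructed sample data.
const PRIOR_ORDERS = [{ id: "order-1", email: "jane.doe@gmail.com", phone: "+13035550100",
  address: "12 example st, denver", cookie: "visitor-aaaa" }];
const ROTATED = { email: "j.a.n.e.doe+trial2@gmail.com", phone: "+17205550199",
  address: "900 office park, denver", cookie: null };
```

With these assumed weights, a shared laptop that matches only on fingerprint stays below the threshold, while the rotated checkout is blocked once the normalized email and a partial fingerprint match agree.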
And that is the key distinction. OfferGuard does not just flag repeat buyers. It blocks the entire checkout. The customer cannot complete the purchase of the protected product. This happens inside Shopify's Checkout Extensions API, so there is no way to bypass it by manipulating the storefront or using a bot.
What This Means for Your Store
If you sell a product that should only be purchased once per customer — an intro offer, a trial box, a welcome kit, a loss-leader SKU — then you need protection that goes beyond checking email addresses.
Device fingerprinting gives you a detection layer that the customer cannot easily defeat by changing their contact information. Combined with email normalization, address matching, phone matching, and persistent visitor tracking, it closes the gaps that every other approach leaves open.
The cost of not having this protection is not just the margin you lose on one extra trial order. It is the compounding effect of repeat abuse across hundreds of SKUs and thousands of customers. Every trial product that ships to a returning customer is a trial product that did not acquire a genuinely new customer.
You built that intro offer to grow your customer base. Device fingerprinting helps make sure it actually does.