What Is a Visitor ID? How Browser Fingerprinting Stops Shopify Fraud
Every visitor to your Shopify store carries a digital signature a combination of device characteristics that's nearly as unique as a fingerprint. Visitor ID captures this signature and uses it to identify, track, and block fraudulent visitors with a persistence that IP addresses and cookies can't match.
This guide explains how the technology works, what it detects, how it compares to traditional blocking methods, and how it handles privacy.
What Is a Visitor ID?
A Visitor ID is a unique identifier assigned to every device that visits your Shopify store. It's generated by collecting and combining 50+ signals from the visitor's browser and device creating a "fingerprint" that persists across sessions, IP changes, and browser settings.
Think of it this way: an IP address identifies a network connection (which changes constantly). A cookie identifies a browser session (which can be cleared). A Visitor ID identifies the physical device and stays the same no matter how the visitor tries to disguise their connection.
When Browsify assigns a Visitor ID, that identifier follows the device permanently. A fraudster who changes their IP, clears cookies, opens incognito mode, or uses a VPN still carries the same Visitor ID. The only way to get a new one is to use a completely different device.
What Signals Create a Visitor ID?
Visitor ID is built from a combination of browser, device, and rendering signals. No single signal is unique many people have 1920×1080 screens, many people run Chrome on Windows. But the combination of 50+ signals creates a fingerprint that is statistically unique.
Here are the major signal categories:
Hardware Signals
Screen characteristics resolution, color depth, pixel ratio, available screen dimensions. GPU information WebGL renderer and vendor strings, which reveal the exact graphics hardware. Audio context how the device processes audio, which varies by hardware and driver configuration. Device memory and CPU cores hardware-level indicators that can't be changed by software.
Browser Signals
User agent and platform browser version, operating system, architecture. Installed plugins and MIME types the combination of browser extensions and supported formats. Language and timezone configured language preferences and system timezone offset. Do Not Track and cookie settings browser privacy configuration.
Rendering Signals
Canvas fingerprint when the browser renders a specific image, subtle differences in anti-aliasing, font rendering, and GPU processing create a unique output. The same image rendered on two different devices produces measurably different pixel data. WebGL fingerprint similar concept applied to 3D rendering capabilities and parameters. Font enumeration which fonts are installed on the system, detected through rendering width measurements.
Network Signals
Connection type WiFi vs cellular vs ethernet. IP address metadata not the IP itself (which changes), but characteristics like whether it's from a datacenter, residential connection, mobile carrier, or known VPN/proxy service.
Behavioral Signals
Touch support whether the device has touch capabilities (helps distinguish mobile vs desktop spoofing). Battery API charging status and level (where available). Hardware concurrency number of logical processors available.
Visitor ID vs IP Blocking vs Cookies
| Factor | Visitor ID | IP Blocking | Cookies |
|---|---|---|---|
| What it identifies | Physical device | Network connection | Browser session |
| Persistence | Permanent (follows device) | Minutes (VPN switch) | Until cleared |
| Survives VPN change | ✅ Yes | ❌ No | ✅ Yes |
| Survives incognito | ✅ Yes | ✅ Yes | ❌ No |
| Survives cookie clear | ✅ Yes | ✅ Yes | ❌ No |
| Survives IP rotation | ✅ Yes | ❌ No | ✅ Yes |
| Cost to bypass | New device (~$200+) | $5/month VPN | One click |
| False positive risk | Low (device-specific) | High (shared IPs) | Low |
| Blocks entire offices | ❌ No (device-level) | ✅ Yes (shared IP) | ❌ No |
| Works on mobile networks | ✅ Yes | ❌ Poorly (IPs rotate) | ✅ Yes |
The fundamental advantage: Visitor ID targets the one thing a fraudster can't easily change their physical hardware. Everything else (IPs, cookies, emails, usernames) is cheap and easy to rotate.
How Visitor ID Works in Practice
Scenario 1: Blocking a Known Fraudster
A fraudster places an order with a stolen credit card. You receive a chargeback. In your Browsify dashboard, you look up the order and find the associated Visitor ID.
You block that Visitor ID. Done.
The fraudster comes back the next day with a different IP address (switched VPN servers), a different email (created a new disposable one), and a different name. They open incognito mode for good measure. They clear every cookie.
Browsify recognizes the same Visitor ID. Blocked. They never reach checkout. No pixel fires. No new chargeback.
Scenario 2: Auto-Blocking High-Risk Visitors
A visitor arrives at your store. Browsify evaluates their device signals in real time. The visitor is using a datacenter IP (not residential), running an automated browser (headless Chrome), with a timezone that doesn't match their apparent location, and a canvas fingerprint that shows signs of spoofing.
Fraud score: 92 out of 100. With your threshold set at 80, Browsify auto-blocks this visitor before they can browse your products. They never reach checkout. Your pixel data stays clean.
Scenario 3: Repeat Offender Detection
Over the past month, three separate orders from three different IPs, emails, and names have all resulted in chargebacks. Without Visitor ID, these look like three unrelated fraud incidents.
With Visitor ID, Browsify shows that all three orders came from the same device. The fraudster has been using a different identity each time, but the same physical laptop. Block the Visitor ID once, and all future attempts from that device are stopped regardless of what identity the fraudster uses.
Can Visitor ID Be Spoofed?
This is a fair and important question. The short answer: it's significantly harder than spoofing an IP, but not impossible.
Antidetect browsers (like Multilogin, GoLogin, or similar tools) attempt to create unique browser profiles that spoof hardware-level signals. They randomize canvas fingerprints, fake WebGL parameters, and generate synthetic device characteristics.
However, antidetect browsers leave their own detectable traces. The act of spoofing hardware signals creates anomalies inconsistencies between reported hardware and actual rendering behavior, suspicious patterns in randomized values, and detectable signatures of the spoofing tools themselves.
Browsify's fraud scoring incorporates antidetect browser detection. Visitors using these tools typically score high on the fraud scale their device signals show patterns that real browsers don't produce. The combination of fingerprint anomalies and behavioral signals makes antidetect browsers detectable, even when individual signals are successfully spoofed.
The practical barrier: While a motivated, technically sophisticated fraudster can eventually defeat any fingerprinting system, the cost and effort required is dramatically higher than bypassing IP blocking. A $5/month VPN defeats IP blocks. Defeating device fingerprinting requires specialized tools, technical knowledge, and ongoing effort changing the economics from "trivial" to "not worth it" for most fraud operations.
Privacy: What Visitor ID Does and Doesn't Collect
Visitor ID is designed to be privacy-respecting by architecture. Here's what it does and doesn't do:
What Visitor ID Does NOT Collect
- ❌ Names, email addresses, or phone numbers
- ❌ Payment information or credit card details
- ❌ Physical addresses
- ❌ Personal photographs or social media profiles
- ❌ Browsing history on other sites
- ❌ Keystrokes or form input content
- ❌ Any Personally Identifiable Information (PII)
What Visitor ID DOES Collect
- ✅ Browser and device technical characteristics (screen resolution, GPU, fonts, etc.)
- ✅ Network connection type and characteristics (VPN/proxy detection)
- ✅ Browser configuration settings (language, timezone, plugins)
- ✅ Rendering output signatures (canvas, WebGL)
The Visitor ID itself is a hashed string a random-looking sequence of characters derived from the device signals. It can't be reverse-engineered to reveal any personal information about the visitor.
GDPR and CCPA Considerations
Browser fingerprinting falls into a complex area of privacy regulation. Under GDPR, device fingerprints can be considered personal data when they identify a specific individual. Browsify's approach mitigates this in several ways:
The Visitor ID is used exclusively for fraud prevention a legitimate interest under GDPR Article 6(1)(f). No PII is collected or stored. The fingerprint is hashed and cannot be used to identify a person's real-world identity. The data is used to protect the store and its customers, not for advertising or profiling.
Browsify does not collect data from visitors under 18. The system processes only anonymous technical signals necessary for fraud detection.
We recommend that merchants include a note about fraud prevention tools in their privacy policy, as they would for any analytics or security service. Browsify's privacy documentation provides template language for this.
Frequently Asked Questions
Does Visitor ID work in incognito/private browsing mode?
Yes. Incognito mode prevents cookies from persisting and separates the browsing session from the main browser. But it does not change the device's hardware characteristics, rendering behavior, or most browser signals. The Visitor ID remains the same in incognito mode.
Does Visitor ID work when the visitor uses a VPN?
Yes. A VPN changes the IP address but doesn't alter the browser or device signals that Visitor ID relies on. A fraudster behind a VPN carries the same Visitor ID as they do on their regular connection.
Can Visitor ID identify the same person across different devices?
No. Visitor ID identifies devices, not people. If a fraudster uses their laptop and then switches to their phone, those are two different Visitor IDs. However, if both devices exhibit high-risk signals, both can be auto-blocked based on fraud score even without linking them to each other.
Does Visitor ID slow down my store?
No. The fingerprinting process runs asynchronously and completes in milliseconds. It has no measurable impact on page load time or Core Web Vitals.
How long does a Visitor ID block last?
Permanently until you manually remove it. A blocked Visitor ID stays blocked forever, regardless of how many times the device returns.
What if Visitor ID blocks a legitimate customer?
False positives are rare but possible. If a legitimate customer is blocked, go to Configuration → whitelist their Visitor ID or IP address. They'll be immediately unblocked. You can also review your fraud score threshold if your false positive rate exceeds 2%, consider raising the threshold slightly.
Install Browsify free see Visitor ID in action on your store →
Related Reading
- Why IP Blocking Is Dead: The Case for Device Fingerprinting Why IP addresses fail as fraud identifiers.
- VPN & Proxy Blocking on Shopify How to block anonymized traffic without losing real customers.
- How Fake Orders Pollute Your Ad Pixels Why Visitor ID's pre-checkout blocking protects your ad data.
- Automatic Fraud Blocking on Shopify Setting up auto-block rules with fraud scoring.