Audio fingerprinting identifies your device via the Web Audio API — no microphone needed. Learn how AudioContext fingerprints work and how to defend.
Audio fingerprinting is a tracking technique that identifies your device by how it processes sound — not by recording anything through your microphone, but by measuring tiny differences in how your browser's Web Audio API renders a generated signal. The same audio waveform, processed on different hardware and software stacks, comes out subtly different, and that difference is stable enough to help recognize you across sites. This guide explains how AudioContext fingerprinting works, how distinctive it is, and what you can do about it.
Key Takeaways
- Audio fingerprinting identifies your device by measuring how your browser's Web Audio API processes a generated signal — it never uses your microphone and plays no sound.
- The work happens silently inside an
OfflineAudioContext, so no permission prompt appears and nothing is recorded. - It is only moderately distinctive on its own, but it adds meaningful entropy when combined with canvas, WebGL, and font fingerprints.
- Clearing cookies or using private mode does not stop it, because the identifier comes from device and browser characteristics rather than stored data.
- Privacy browsers (Firefox, Tor, Brave) and anti-fingerprinting tools can reduce or randomize the signal, but they rarely eliminate it entirely.
What is audio fingerprinting?
Audio fingerprinting uses the browser's Web Audio API to generate a sound signal internally, process it through the audio pipeline, and read back the numeric output. Crucially, the sound is never played aloud and your microphone is never touched — everything happens in an OfflineAudioContext that renders silently to a buffer of numbers.
Because the resulting values depend on your device's audio hardware, operating system, browser version, and the math libraries underneath, two different machines produce slightly different outputs for the identical input. A script hashes those values into a compact identifier. Combined with other signals like canvas and WebGL fingerprints, it helps build a profile that recognizes your browser even after you clear cookies.
How AudioContext fingerprinting works
The technique follows a predictable recipe:
- Create an offline context. The script makes an
OfflineAudioContext, which processes audio as fast as possible without sound output. - Generate a signal. It creates an
OscillatorNode(often a triangle or sine wave at a fixed frequency) as a consistent, reproducible source. - Process it. The signal is routed through nodes like a
DynamicsCompressorNode, whose floating-point math amplifies small implementation differences. - Read the buffer. The rendered samples are summed or hashed into a single value.
The key insight is that floating-point audio math is not bit-for-bit identical across systems. Although the W3C Web Audio API specification defines the processing graph, it does not mandate bit-exact output, so different CPUs, audio drivers, and browser builds round and process those samples in marginally different ways. The final hash therefore becomes a device-and-browser signature.
A simplified example
The code below sketches the core idea — generate a tone, compress it, and reduce the output to a number:
// Render a tone offline and reduce it to a fingerprint value
const ctx = new OfflineAudioContext(1, 44100, 44100);
const oscillator = ctx.createOscillator();
oscillator.type = 'triangle';
oscillator.frequency.value = 10000;
const compressor = ctx.createDynamicsCompressor();
oscillator.connect(compressor);
compressor.connect(ctx.destination);
oscillator.start(0);
ctx.startRendering().then((buffer) => {
const samples = buffer.getChannelData(0);
// Sum a slice of samples; the exact total varies by device/browser
let fingerprint = 0;
for (let i = 4000; i < 5000; i++) {
fingerprint += Math.abs(samples[i]);
}
console.log('Audio fingerprint value:', fingerprint);
});
Two browsers on identical hardware and version usually agree; change the OS, audio stack, or browser build and the value drifts.
How distinctive and stable is it?
Audio fingerprinting is moderately distinctive — less uniquely identifying than WebGL's GPU renderer string, but a meaningful contributor when combined with other signals. Its behavior varies by browser:
| Browser / mode | Audio fingerprint behavior |
|---|---|
| Chrome / Edge (Blink) | Available and stable; widely used by trackers |
| Firefox (normal) | Available; Firefox flags it under fingerprinting protections |
| Firefox (private mode) | Blocked or returns a neutralized value |
| Safari | Available but precision-limited, reducing entropy |
Stability is the property trackers care about: a fingerprint is only useful if it stays the same across visits. Audio fingerprints are generally stable for a given device and browser version, though a browser update can shift the value.
In information-theory terms, the audio signal contributes a modest number of bits of entropy — enough to narrow a population, but rarely enough to single out one person by itself. That is why it almost never appears alone. A tracker combines the few bits from audio with the larger contributions of WebGL renderer strings, installed fonts, screen geometry, and timezone, and the bits add up: each independent signal multiplies the number of distinguishable configurations. Audio earns its place in that stack precisely because it is cheap to collect silently and reasonably stable, so it reliably adds bits without raising a permission prompt or alerting the user.
How to defend against audio fingerprinting
You cannot make yourself perfectly unfingerprintable, but you can reduce the signal:
- Use a browser with built-in protections. Firefox's fingerprinting protection and the Tor Browser actively block or normalize audio fingerprinting. Brave randomizes the output per session ("farbling").
- Extensions. Anti-fingerprinting extensions can add noise to Web Audio output, though aggressive ones may break legitimate audio apps.
- Understand the limits. Private/incognito mode alone does not stop fingerprinting — it only clears cookies and history. Audio fingerprinting works regardless, which is a common misconception covered in our browser fingerprinting guide.
The trade-off is the usual one: stronger protection can make sites behave oddly or make you more unusual (and therefore more trackable) if your configuration is rare.
How to test your audio fingerprint
You can see your own audio fingerprint without writing any code:
- Run a fingerprinting test tool. BrowserInsight's fingerprint check computes your audio value alongside canvas and WebGL, and the EFF's Cover Your Tracks project shows how identifying your overall browser configuration is.
- Compare across browsers. Open the same test in Chrome, Firefox, and Safari on one machine. The audio value typically differs between rendering engines, which illustrates how the browser build — not just the hardware — shapes the result.
- Compare normal vs. protected mode. Re-run the test in Firefox with Enhanced Tracking Protection on strict, or in the Tor Browser, and watch the audio value get blocked or normalized to a shared default.
The most influential factors in what value you get are summarized below:
| Parameter | Typical setting | Why it matters |
|---|---|---|
| Context type | OfflineAudioContext | Renders silently and faster than real time, with no audio output |
| Oscillator wave | Triangle or sine | A reproducible, deterministic source signal |
| Frequency | ~10,000 Hz | A fixed tone so the only variation comes from processing |
| Processing node | DynamicsCompressorNode | Floating-point compression amplifies tiny implementation differences |
| Sample range hashed | A slice of the buffer | Summing or hashing reduces thousands of samples to one stable number |
Because every script that follows this recipe uses comparable parameters, two trackers on different sites can arrive at a similar value for the same device — which is exactly what makes the signal useful for cross-site recognition.
Frequently Asked Questions
Does audio fingerprinting use my microphone?
No. Audio fingerprinting never accesses your microphone and plays no sound. It generates a signal internally with the Web Audio API and measures how your device processes it, so no permission prompt appears and nothing is recorded.
Can I be tracked by audio fingerprinting alone?
Rarely on its own — it's moderately distinctive, not unique. Trackers combine it with canvas, WebGL, fonts, and other signals to build a profile reliable enough to recognize you. Audio is one contributing layer, not the whole fingerprint.
Does clearing cookies stop audio fingerprinting?
No. Fingerprinting was designed to survive cookie clearing. Because the identifier is derived from your device and browser characteristics rather than stored data, clearing cookies or using private mode leaves the audio fingerprint unchanged.
How do I see my own audio and device fingerprint?
Run BrowserInsight's fingerprint check to see the signals your browser exposes, including audio, canvas, and WebGL, and how identifiable they make you.
Conclusion
Audio fingerprinting turns your browser's silent sound processing into a stable identifier, no microphone required. On its own it's only moderately distinctive, but as one layer among canvas, WebGL, and font signals it helps trackers recognize you across sites and survive cookie clearing. Privacy browsers and anti-fingerprinting tools can blunt it, but the realistic goal is reducing the signal, not eliminating it entirely.
Recommended Reading:
