Anti-Bot

What Is Media Devices Fingerprinting?

What Is Media Devices Fingerprinting? — conceptual illustration
On this page

Media devices fingerprinting reads the list of cameras, microphones, and speakers a browser reports via navigator.mediaDevices.enumerateDevices(). The API returns one entry per audio input, audio output, and video input, each with a kind, a stable hashed deviceId, a groupId, and (once permission is granted) a human-readable label. The number and shape of devices is a fingerprint signal, and the common headless failure - reporting zero devices, or a single suspicious default - is a reliable bot tell.

Quick facts

APInavigator.mediaDevices.enumerateDevices()
ReadsCounts of audioinput / audiooutput / videoinput, deviceId, groupId, labels
Headless tellEmpty list, or zero audiooutput devices, on a claimed desktop
Permission gateLabels are blank until camera/mic permission is granted
CoherenceDevice counts should match the claimed platform (Mac always has output)

What the device list reveals

Even without permission, enumerateDevices() returns one object per device with its kind (audioinput, audiooutput, videoinput) and a non-empty deviceId/groupId; the label stays blank until the user grants camera or microphone access. So a site learns how many devices of each type exist and how they are grouped, which is enough to characterise the machine class. A typical laptop reports at least one microphone, one camera, and one or more audio outputs; a desktop without a webcam reports microphone and output but no video input.

The numbers cluster by device type and are stable per machine, making them a low-entropy but coherent signal that has to agree with the rest of the fingerprint.

The headless tell

Headless browsers on servers usually have no real media hardware, so enumerateDevices() returns an empty array or a single placeholder. On a request claiming to be a normal desktop or laptop, zero devices - particularly zero audiooutput - is anomalous, because real consumer machines almost always have at least a default audio output. macOS in particular always exposes audio output devices, so a "MacBook" with none is incoherent.

Chrome flags like --use-fake-device-for-media-stream add synthetic devices, but the fake devices have recognisable default labels and group structure that differ from real hardware. As with audio and WebGL, the believable fix is a device list copied from a real machine of the claimed class, served consistently per session, rather than a generic fake.

Code example

javascript
// Device enumeration an anti-bot script reads (no permission needed for counts)
async function deviceFingerprint() {
  const devs = await navigator.mediaDevices.enumerateDevices();
  const count = { audioinput: 0, audiooutput: 0, videoinput: 0 };
  for (const d of devs) count[d.kind] = (count[d.kind] || 0) + 1;
  return count;   // e.g. { audioinput:1, audiooutput:2, videoinput:1 }
}

// Server-side suspicion (pseudo):
//   devs.length === 0                       -> headless / no hardware
//   /Macintosh/.test(ua) && audiooutput===0 -> incoherent (Macs always have output)
//   all labels blank AND permission granted -> spoof artifact

Related terms

What Is Browser Fingerprinting?
Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…
What Is AudioContext Fingerprinting?
AudioContext fingerprinting plays a silent waveform through the Web Audio API, then reads back the resulting floating-point samples and hash…
What Is Headless Browser Detection?
Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real us…
What Is a WebRTC IP Leak?
A WebRTC IP leak is the most-overlooked failure mode in browser-based scraping in 2026: WebRTC reveals your real local and public IP via STU…
What Is Fingerprint Clustering?
Fingerprint clustering is the practice of grouping fingerprints from millions of real visitors by similarity, then rejecting any new visitor…
What Is Camoufox?
Camoufox is a stealth-focused fork of Firefox with anti-fingerprinting patches applied at the C++ build level. Unlike playwright-stealth, wh…
What Is Anti-Bot Detection?
Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…
What Is Browser Fingerprinting Evasion?
Browser fingerprinting evasion is the practice of configuring an automated browser so that the combined fingerprint it presents — canvas, We…
Anti-Bot Vendor Detection Cheatsheet
The first step of any scrape against a protected site is identifying which anti-bot vendor is in front of it. The vendor determines almost e…
How Do Websites Detect Web Scrapers?
Websites detect scrapers by collecting hundreds of signals across the network, transport, browser, and behavioral layers, then scoring the c…

Concept map

How Media Devices Fingerprinting connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Tools & solutions for this topic

Frequently asked questions

Can a site read my camera and microphone names without permission?

It can read how many input/output devices exist and their kind and grouping without permission, but the human-readable labels stay blank until you grant camera or microphone access. The counts alone are enough to characterise the machine and to catch a headless browser reporting zero devices.

Why is an empty device list a bot signal?

Because real consumer desktops and laptops almost always have at least a default audio output, and usually a microphone. A server-hosted headless browser typically has no media hardware, so enumerateDevices() returns an empty array - which, on a request claiming to be a normal computer, is anomalous, especially the absence of any audiooutput.

Do Chrome fake-device flags fix this?

Partly - they make the list non-empty, but the synthetic devices have default labels and group structure that differ from real hardware and can be recognised. A device list copied from a real machine of the claimed class and served consistently is more convincing than the generic fakes.

Last updated: 2026-05-30