The Google Picasso fingerprinting method, is a lightweight device class fingerprinting protocol that verifies the software and hardware stack of a mobile or desktop client. For instance, it can differentiate between traffic from a genuine iPhone running Safari on iOS and an emulator or desktop client mimicking the same setup. Picasso utilizes the unpredictable yet stable noise produced by a client's browser, operating system, and graphical stack when rendering HTML5 canvases.
Google Picasso is particularly useful in determining whether a connecting client is lying about its user agent.
Key features of Picasso include its resistance to replay and a hardware-bound proof of work. This proof of work requires the client to use a significant amount of CPU and memory to solve challenges. The method has proven effective in distinguishing between 52 million Android, iOS, Windows, and OSX clients across various browsers with 100% accuracy.
Implementations of Picasso involve rendering vaious primitives on a hidden HTML5 canvases and generating hashes of the resulting graphic. These primitives include text, arcs, Bezier curves, quadratic curves, emojis, and ellipses. Parameters such as the number of rounds (number of primitives drawn), canvas dimensions, and font size scale factor are adjustable. The fingerprint is generated based on these parameters and a random seed.