29.11.25
Modern anti-fraud systems use dozens of telemetry signals, including canvas rendering.
While earlier methods relied on static canvas fingerprinting, major platforms are now moving to next-generation dynamic protocols, such as Picasso.
In this article, we'll explain how Picasso's dynamic Canvas challenge works, how anti-fraud systems detect rendering spoofing and noise, and why this mechanism has become the standard in anti-fraud.
Classic canvas fingerprinting works like this: a page renders a pre-prepared image (text, shapes, and other elements), then calculates the hash of the pixel array. We wrote about this in our previous article. Due to the specifics of the graphics stack, different devices produce different results. But today, this is almost useless for anti-fraud purposes because anti-detection tools can replace the canvas on the fly, plugins add noise that makes every fingerprint unique, and bots can emulate static images. Therefore, anti-fraud systems increasingly use dynamic canvas rendering.
Picasso is not a fingerprint, but a challenge procedure, similar to a cryptographic problem, where each run is unique.
In a static canvas method, the same image is always drawn.
In Picasso, each run creates a new, unique image, consisting of several steps.
In a static canvas, there is no seed (the initial number for generating the image)—the image is always the same.
In Picasso, the server issues a new seed each time, making each challenge different.
In a static canvas, the result is always the same; you can simply memorize it and fake it.
In Picasso, the result is different every time because it depends on the seed and a set of actions.
A static canvas attempts to identify a specific device (like a device fingerprint).
Picasso verifies that the device is rendering graphics honestly—that it matches the device it claims to be.
A static canvas can be easily forged or modified using extensions, anti-detect tools, and emulators.
Picasso is virtually impossible to spoof; it's dynamic, new every time, and the server knows what the expected result is for each device.
The server sends challenge parameters
The server generates:
• canvas size,
• number of rounds N,
• seed (initial value of the pseudo-random number generator),
• a set of parameters (fonts, shadows, color schemes).
These parameters depend on the anti-fraud policy and are used only once.
The client deterministically renders the "painting"
Code runs on the device that:
• initializes a PRNG based on the seed;
• randomly selects what to draw (arcs, text, shapes, gradients, emoji);
• applies transformations and shadows;
• repeats the process N times.
Each device generates the same sequence of shapes, but draws them differently because:
• the GPUs are different,
• layers of drawing rounds are stitched together differently on each device,
• anti-aliasing algorithms are different,
• font rendering is different,
• floating-point rounding works differently.
The client sends a hash of the result
When rendering is finished, a hash of the canvas is calculated; this is not a fingerprint, but the result of the rendering test.
The server compares the result with the device profile
The server does not compare the hash for equality. This is impossible, since the seed is new each time. It compares the hash's distribution based on its attributes (iPhone Safari cluster, Android Chrome cluster, Chrome Desktop cluster).
The antifraud system knows what the image should look like for each device class with a given seed, based on a large number of pre-collected, reference rendering results. The server analyzes the hash indirectly, rather than directly.
Knowing the seed and the order of the shapes, the server knows the expected result. The server compares the actual hash with a cluster of expected hashes for a specific stack (browser + OS + GPU). If the hash doesn't match the cluster, the antifraud system draws the appropriate conclusions.
Any attempt to tamper with the canvas results in an anomalous output. Plugins like CanvasBlocker add uniform, uncorrelated pseudo-random noise, which physical GPU rendering does not produce and which significantly alters the hash of the rendering result. In emulators, gamma correction, subpixel antialiasing, and gradient artifacts differ from those on real GPUs.
On the captcha page, the Yandex website uses Picasso canvas, and more than one. The user's browser is tasked with rendering four 300x300 px Picasso canvases and one static 240x140 px canvas.

In this example, the anti-fraud system combines static and dynamic canvas.
In this architecture, a static canvas can be used to form a more accurate and robust device cluster, while the results of dynamic canvas challenges are analyzed within this cluster.
With this approach, attempting to fake the output of a static canvas in an anti-detect browser is pointless: the device will still be incorrectly classified, and dynamic checks will reveal discrepancies between the declared stack and the actual rendering.
DataDome also uses a dynamic canvas like Picasso. Since PayPal is officially listed among DataDome's clients, this mechanism is also included in the protection running on PayPal services.

Note that in this case, the system records the rendering results after each Picasso round and, by comparing them, is able to identify characteristic noise, as well as attempts to spoof or distort the output data.
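The server side of the procedure above, together with the per-round comparison just described, as an added example that is not code from Picasso, Yandex or DataDome. The reference bank, device class names, hash values and verdict labels are constructed for illustration, and each class is reduced to one reference sequence where a real cluster would hold many.

```python
import hashlib
import secrets
import time

ROUNDS = 4
CLASSES = ("iphone-safari", "android-chrome", "desktop-chrome")  # assumed labels


def _constructed_hashes(seed, device_class):
    """Stand-in for per-round reference hashes collected from genuine devices."""
    return [hashlib.sha256(f"{seed}|{device_class}|{r}".encode()).hexdigest()[:16]
            for r in range(ROUNDS)]


# Constructed reference bank: seed -> device class -> per-round hashes.
BANK = {seed: {c: _constructed_hashes(seed, c) for c in CLASSES}
        for seed in (1001, 1002)}
_pending = {}  # challenge id -> (seed, expiry time)


def issue_challenge(now=None, ttl=30.0):
    """Pick a seed that has reference results and register a one-time id."""
    now = time.time() if now is None else now
    seed = secrets.choice(list(BANK))
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (seed, now + ttl)
    return {"id": challenge_id, "seed": seed, "rounds": ROUNDS, "size": (300, 300)}


def verify_response(challenge_id, claimed_class, round_hashes, now=None):
    """Compare the reported per-round hashes with the reference clusters."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)  # single use: a resubmission fails
    if entry is None or now > entry[1]:
        return {"verdict": "replay-or-expired"}
    refs = BANK[entry[0]]
    got = list(round_hashes)
    if refs.get(claimed_class) == got:
        return {"verdict": "consistent"}
    for device_class, expected in refs.items():
        if expected == got:  # renders like a different stack than the one declared
            return {"verdict": "stack-mismatch", "rendered_as": device_class}
    # Matches no cluster: report the first round that departs from the claimed class.
    expected = refs.get(claimed_class, [])
    first_bad = next((i for i, h in enumerate(got)
                      if i >= len(expected) or h != expected[i]), len(got))
    return {"verdict": "anomalous", "first_bad_round": first_bad}
```

Because the challenge id is consumed on the first submission, a stored answer cannot be replayed against a later challenge, and the `first_bad_round` index shows where in the sequence of rounds the output stopped matching the reference.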
Picasso's dynamic canvas has become a key tool in modern anti-fraud control because it checks not just spoofable values, but the behavior of the graphics stack itself. Unlike classic static fingerprints, Picasso cannot be simply spoofed, saved, or reproduced—each challenge is unique, and the final result depends on the actual characteristics of the GPU, browser, and operating system. This is why large companies and anti-bot platforms are moving toward such methods. They not only allow for more accurate identification of real devices but also detect any attempts to interfere with rendering.