by hirsin 1298 days ago
This is what Intune and similar provide, but you need some existing, secure registry of devices before this works.

Cross-device WebAuthn is the better solution here, but it's still vulnerable to the OAuth phishing called out here.


WebAuthn uses such a directory already. Most implementations validate the attestation against a public database of "trusted" device types (and DAA enables this to be done without compromising anonymity, up to the uniqueness of a device type).
That's not a trust statement, and it's not reliable as a proof. You can reliably tell you've seen this authenticator before, but that doesn't solve the problem being described here.
Trust is a ladder, and identifying the make/model of device is but one rung of it.
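The attestation-to-directory lookup discussed in this reply, as an added example that is not code from the thread or from any FIDO project: it parses the authenticatorData returned by a WebAuthn registration, pulls out the AAGUID, looks it up in a small table shaped like the FIDO Metadata Service, and reports what that lookup actually establishes. The AAGUIDs, metadata entries and credential IDs are constructed for illustration, and the attestation statement is only inspected for the presence of an x5c chain; verifying that chain against the metadata entry's roots would need a CBOR and X.509 library and is deliberately left out. What the verdicts make explicit is the thread's point: a directory match at best identifies the make/model, and with "none" or self attestation it does not even do that.

```python
"""Added example: parse WebAuthn authenticatorData, look the AAGUID up in a
metadata table shaped like the FIDO Metadata Service, and classify what the
match proves. All AAGUIDs, metadata entries and credential IDs are constructed."""
import hashlib
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80  # authData flag bits

ZERO_AAGUID = uuid.UUID(int=0)

# Constructed stand-in for a metadata directory keyed by AAGUID (hypothetical values).
METADATA = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): {
        "description": "Example Hardware Key (constructed)",
        "attestation_types": {"basic_full"},
        "key_protection": {"hardware", "secure_element"},
    },
    uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"): {
        "description": "Example Software Authenticator (constructed)",
        "attestation_types": {"basic_surrogate"},  # self attestation only
        "key_protection": {"software"},
    },
}


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData: rpIdHash(32) | flags(1) | signCount(4 BE) |
    [aaguid(16) | credIdLen(2 BE) | credId | credPubKey(CBOR)] if the AT flag is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    out = {"rp_id_hash": auth_data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", auth_data[33:37])[0],
           "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        out["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credentialId is truncated")
        out["credential_id"] = cred_id
        # The COSE public key follows as CBOR; decoding it needs a CBOR parser.
    return out


def classify_attestation(fmt: str, att_stmt: dict, auth_data: bytes,
                         metadata: dict = METADATA) -> dict:
    """Return what the attestation lets the RP conclude about the device model.
    Only the 'packed' format is distinguished here; other formats are reported
    as unsupported rather than guessed at."""
    parsed = parse_auth_data(auth_data)
    aaguid = parsed["aaguid"]
    entry = metadata.get(aaguid) if aaguid else None
    result = {"aaguid": aaguid, "model": entry["description"] if entry else None}
    if fmt == "none" or aaguid is None or aaguid == ZERO_AAGUID:
        # Nothing signs over the AAGUID, so there is no device identity to look up.
        result["verdict"] = "no_attestation"
    elif fmt != "packed":
        result["verdict"] = "unsupported_format"
    elif "x5c" not in att_stmt:
        # Self attestation: the new credential key signs its own AAGUID claim.
        result["verdict"] = "self_attestation_unverified_claim"
    elif entry is None:
        result["verdict"] = "unknown_model"
    else:
        # Model identified; the x5c chain must still be verified against the
        # metadata entry's roots before even this rung is trustworthy.
        result["verdict"] = "model_identified_pending_chain_verification"
    return result


def build_auth_data(rp_id: str, aaguid: uuid.UUID, cred_id: bytes,
                    flags: int = FLAG_UP | FLAG_UV | FLAG_AT, sign_count: int = 1) -> bytes:
    """Construct authenticatorData for testing; the trailing b'\\xa0' (an empty
    CBOR map) stands in for the COSE public key and is not a real key."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")


if __name__ == "__main__":
    hw = uuid.UUID("11111111-2222-3333-4444-555555555555")
    ad = build_auth_data("example.com", hw, b"\x01" * 16)
    print(classify_attestation("packed", {"x5c": [b"cert"]}, ad))
    print(classify_attestation("packed", {}, ad))
    print(classify_attestation("none", {}, build_auth_data("example.com", ZERO_AAGUID, b"\x02" * 16)))
```

The verdict names are the useful part: even the best case is "model identified, pending chain verification", and everything the metadata entry says about key protection applies to the model, not to whether this particular registration came from an uncompromised device in the hands of the expected user.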