[inopinatus]

I confess I was misled by the name "application specific" into assuming that such a binding already occurred.

[hackerboos]

That's "application specific" not machine specific. I'm not sure, other than IP address, how they could tell machines apart.

[inopinatus]

I don't need them to be machine specific. What I expected was that a password issued (and immediately used) for e.g. authenticating to Gmail's IMAP service is then disqualified authorisation for any other Google service.

[samwillis]

Could they create a fingerprint of the application logging in using the request headers and user agent and watch for a grater than n% change in that fingerprint?

Obviously a hacker could just copy the applications headers...