I don't need them to be machine specific. What I expected was that a password issued (and immediately used) for e.g. authenticating to Gmail's IMAP service is then disqualified as authorisation for any other Google service.
Could they create a fingerprint of the application logging in using the request headers and user agent and watch for a greater than n% change in that fingerprint?
Obviously a hacker could just copy the application's headers...