As someone unfamiliar with this, can you please elaborate? Would the host be fingerprinted on every subsequent usage of the authentication token, and using what methods?
On a basic level, you can include a IP or a country inside your authentication tokens. That's enough to block some unwanted access.
On a more advanced level, there is a two step process, you authenticate as usual with your password and get a token, then the site will authenticate your device.
The device fingerprinting is totally transparent, it saves and checks some characteristics from your computer, and ensure you come from the same device next time.
For instance, on Facebook you can see a list of known device somewhere. When you connect on a new computer it sends you an email "connected from a new computer is that you?".
